Why the US was so fast to blame Iran for voter intimidation emails in Florida

Sometimes attribution takes years. Not this time.
An Iranian flag flies in Taleghani Park in Tehran. (Flickr / David Sandoz)

By trying to quickly resolve concerns about an apparent Iranian influence operation and bolster Americans’ confidence in the country’s electoral process, U.S. officials have sparked an entirely new set of questions: Why were they able to connect Iran to the attack so quickly, and how?

During a briefing announced to reporters 10 minutes before it began Wednesday, John Ratcliffe, the director of national intelligence, said the U.S. government had determined Iran was behind an email campaign meant to intimidate American voters. Neither Ratcliffe nor FBI Director Christopher Wray, who was also at the briefing, provided any technical evidence to support the allegation that the emails, purported to be sent by the Proud Boys as threats to Democratic voters in Florida to vote for President Donald Trump, in fact were sent by Iranian attackers.

The disclosure came quickly after Motherboard on Tuesday reported on a surge of suspicious emails that seemed to use technical means to try to hide their sender and origin. Attribution against hackers, particularly those with nation-state backing, has sometimes taken U.S. officials years. This week, the U.S. government announced indictments against alleged Russian hackers working for Russia’s Main Intelligence Directorate, or the GRU, in connection with the global NotPetya malware attacks and interference in French elections, each of which took place three years ago, as well as attacks against Ukraine’s power grid that began in 2015.

However, intelligence officials assessed with “high confidence” that Iran was behind the threatening emails, according to a U.S. official familiar with the matter.


The urgency to determine and then publicly announce who was behind the apparent spoofing campaign was due to the timing of the campaign, with the election less than two weeks away, as well as the operation’s intention to undermine American voters’ confidence, another U.S. government official told CyberScoop. The messages targeted registered Democrats in Florida, traditionally a crucial swing state in presidential elections.

“Attribution can take anywhere from years to hours,” said the source, who was not authorized to speak to the press. “You have a foreign government attempting intimidation. At this point the only way to head that off is telling the American people this is an external actor.”

Google has also, separately, linked the email campaign to Iran, according to CNN.

In a statement, the National Security Agency and Cyber Command, the Pentagon’s offensive hacking arm, made it clear that the apparent election interference attempts demanded immediate action.

“These are desperate attempts by our adversaries to intimidate or to undermine voter confidence, but Americans can rest assured: thousands of your fellow citizens stand ready to defend your vote, every single day,” said Dave Imbordino, NSA’s election security lead, and Brig. Gen. Joe Hartman, Cyber Command’s election security lead.


Careful wording around ‘obtaining’ voter details

Ratcliffe also said that Iran and Russia had obtained voter registration information, but did not clarify how they did so. Many voter registration details are available to the public through legal means. Neither of the officials took questions.

Federal officials are working with states to determine if the possession of the voter registration data is indicative of a compromise of any type, one U.S. official told CyberScoop.

“What the Iranians did could have been done from 100% public-facing stuff,” one U.S. government source said. “No one is aware of any breach at this time.”

Meanwhile, Sen. Mark Warner, D-Va., who was briefed on the threat, said he thinks that ODNI and FBI should share more details with the American public.


“I am glad that ODNI and the FBI made a statement to alert the public, and I believe that they can and should share more with the American people about the threats we are facing, so that voters can be prepared,” Warner, a member of the Senate Intelligence Committee, said in a statement. “The only way to prepare the public to resist these attempts to influence their votes is if they are on ready alert for what’s to come.”

State officials remain confident

The attribution of the intimidation email campaign came 13 days before Election Day, a key timeframe during which voters are voting early in huge numbers. Inoculating voters against misinformation campaigns in this timeframe is a key prong of any effort to assure Americans that their votes will count and that the integrity of the election is sound.

State election officials were also briefed Wednesday on the email campaign and instructed to patch vulnerabilities in their election-related websites, according to one U.S. government official.

Mac Warner, West Virginia’s secretary of state, welcomed the briefing as a sign of progress that federal and state officials had made in threat-sharing since 2016.


“They are preparing us ahead of time that they’re seeing activity and we need to be extra vigilant,” Warner said in an interview Thursday. “We’re 12 days away from an election. This was a very appropriate call by the federal government to get this [information] out” to the public and to state officials.

The intelligence community has previously assessed that Iranian-sponsored hackers aim to undermine U.S. institutions.

Nathaniel Gleicher, head of cybersecurity policy at Facebook, told CyberScoop the Iranian operation has all the hallmarks of what he calls a “perception hack” — when actors “prey on our fears.”

“They impersonate a domestic group, they try to convince people that they’re going to be threatened or endangered if they vote in a certain way and then they try to play on that fear, and hope that there’s a big news story about this happening, and that that spirals,” Gleicher said in an interview.

One of the best ways to tackle and neutralize these kinds of online influence operations is to call them out and attribute them so the American public is aware they are being actively targeted with incorrect information, according to Gleicher.


“One of the things that we’ve seen in the weeks and months are regular warnings from the platforms, from government and from others saying … we know that they’re actors who are willing to try to convince everyone that the election is insecure,” Gleicher said.

Jeff Stone contributed reporting. 
