Written by Dan Mandel
On Wednesday, October 21, senior US national security officials warned that Iran and Russia had obtained voter data in their efforts to interfere in the upcoming US election. "This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos, and undermine your confidence in American democracy," Director of National Intelligence John Ratcliffe said. US intelligence officials also asserted that Iran is behind a campaign of threatening emails sent to voters in Florida and Alaska.
How did this happen? How were Russia and Iran able to obtain data of US voters? Was there a major hack or breach of government institutions or elections infrastructure? Our analysis suggests that is not the case. Rather, it appears that obtaining information of US voters is easier than you might think. To demonstrate this, we analyzed two popular Dark Web hacking forums, one Russian-language and the other English-language.
Since the spring of 2020, there has been a noticeable uptick in sales and dissemination of US voter registration databases on these Dark Web forums. While the nature of the data varies, voter registration databases contain information such as full name, gender, voter ID, date or year of birth, physical address, party affiliation, voter status and history, and more. Since June 2020, we identified 13 state voter registration databases containing approximately 52 million records, representing about 1/3 of all registered voters in the US. The databases range in size - from hundreds of thousands to millions of records per database.
While hackers claim that these databases were hacked, our analysis suggests that is not the case. It appears that at least some, and possibly all, of the data was acquired through state government websites that make voter data publicly available. Yet the data can still be used maliciously. It is quite possible that data identifying voters' names, state, and party affiliation can be cross-referenced against other databases containing email addresses of US persons. Such databases are readily available on the Dark Web and even the Surface Web.
So, actors who wish to create chaos by targeting a specific group or type of voter simply have to obtain voter databases (through state government websites or the Dark Web) and match them against email databases, yielding a target list for email and other social engineering campaigns. Interestingly, the two states targeted by Iran - Alaska and Florida - both had 2020 voter databases available on the Dark Web.
Aside from voter registration databases, we found other databases containing personal and voter information, including email address, circulating in the Dark Web; for example, a database of 180 million US Facebook users containing political affiliation. The origins of such data are less clear at the moment (was it hacked?); however, it can also be used for elections interference campaigns, perhaps even more easily than state voter databases.
Our research focused on two popular Dark Web hacking communities: one Russian-language forum and one English-language forum. Both exhibited a noticeable uptick in sales and dissemination of voter registration databases and related data. In our assessment, it is highly unlikely that any state-sponsored actors were engaged in the actual dissemination of this data, since it is not common for such actors to "advertise" their activities. Rather, cybercriminals and fraudsters drove demand for such datasets, and as a result, actors holding the data were selling it for profit or disseminating it for free so as to improve their reputation in the underground community.
Since June 2020, we identified 13 state voter registration databases containing approximately 52 million records, representing about 1/3 of all registered voters in the US (the total number of registered voters in the US is 155.6 million [1]). Some of these databases - for example, the 2018 New York voter database and the 2018 and 2019 versions of the Florida voter database - were previously shared in underground communities. Other databases, particularly those offered on the Russian-language forum, were only recently obtained in 2020, according to the threat actors offering the data.
The following table shows the voter registration databases shared in the underground (note: year of breach and number of records are as stated by the threat actors and have not been independently verified):
| State | Year of Breach | Number of Records (millions) |
|---|---|---|
| Colorado | 2020 | Not stated (the 2020 voter database contains 2.6 million records) |
| Ohio | 2020 | Not stated (the 2020 voter database contains 6 million records) |
| DeKalb County, Georgia | 2020 | Not stated (the entire county houses 0.75 million residents) |
While some hackers claim that these databases were hacked, our analysis suggests that is not the case. It appears that at least some, and possibly all, of the data was acquired through state government websites that make voter data publicly available. These databases exclude sensitive information such as social security numbers, but may include full names, addresses, party affiliation, and even dates of birth, depending on the state.
Additionally, other databases containing the political affiliation of US citizens alongside other personal information were trending on the Dark Web. One such recently posted database contains 180 million records of Facebook user data, including the voter affiliations of citizens across 50 states and email addresses. The origins of such data are less clear at the moment; however, it can also be used for election interference campaigns, perhaps quite easily given that email addresses are included.

[1] worldpopulationreview.com/state-rankings/number-of-registered-voters-by-state
About the Author

Dan Mandel is a senior analyst at Q6 Cyber's Tel Aviv office, covering global cybercriminal activities on the Dark Web and Deep Web.