Cyber Incident Victim: Election Assistance Commission
Date: Oct 2021
Location: United States of America
Summary
The FBI warned US election officials of an ongoing credential phishing campaign targeting their accounts to gain unauthorized system access. Attackers employed invoice-themed emails with malicious links, using compromised government addresses and spoofed business accounts to redirect victims to credential-harvesting sites across multiple states. Three distinct waves of attacks involved PDF and Word document attachments designed to steal login details, with one wave leveraging a breached official email account. While the activity aimed to establish persistent access to election infrastructure, investigations found no evidence of compromised election data integrity despite prior successful breaches of support systems through vulnerabilities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In October 2021, the Federal Bureau of Investigation identified a coordinated phishing campaign targeting US election officials across multiple states. The first wave occurred on October 5, 2021, when attackers sent emails to election officials in at least nine states and representatives of the National Association of Secretaries of State. These messages contained an attachment titled "INVOICE INQUIRY.PDF" that redirected recipients to credential-harvesting websites. One phishing email originated from a compromised US government official's account, while others used spoofed addresses. A second wave followed on October 18, 2021, with attackers impersonating US businesses through two email addresses that distributed Microsoft Word document attachments about invoices, again redirecting to credential theft sites. The third wave occurred on October 19, 2021, using another spoofed business email address to send election officials a Word document titled "Current Invoice and Payments for report." The FBI determined these attacks represented a concerted effort due to shared attachment files, use of compromised accounts, and synchronized timing across incidents.

The campaign posed risks of unauthorized system access that could persist undetected. While the FBI's March 2022 advisory did not specify confirmed compromises, it warned that successful credential theft could enable sustained access to election systems. The agency linked the attacks to broader patterns of election infrastructure targeting, noting CISA had previously documented state-sponsored actors exploiting VPN and Windows vulnerabilities to breach election support systems—though without evidence of altered election data. In response, the FBI urged election administrators to implement multi-factor authentication for critical systems like webmail and VPNs, establish protocols for reporting suspicious emails, and train staff to recognize phishing tactics. The advisory anticipated increased attacks approaching the 2022 midterm elections, emphasizing credential protection as a defensive priority given attackers' use of both compromised legitimate accounts and fabricated business identities across the three documented attack waves.
