The Iranian Cyber Threat: Iranians Indicted for Cyber
Operations
to Influence the 2020 Presidential Election
By
Paul Davis
While
most of the attention has been on Russian interference in the 2020 election, a
federal indictment this past November zeroed in on Iran’s cyber operations.
An
indictment unsealed in New York on November 21st charged two Iranian nationals
with involvement in a cyber-enabled campaign to intimidate and influence
American voters, and undermine voter confidence, as well as sow discord, in
connection with the 2020 U.S. presidential election.
According
to Court documents, Seyyed Mohamad Hosein Musa Kazemi, aka Mohammad Hosein Musa
Kazem, aka Hosein Zamani, 24, and Sajjad Kashaian, aka Kiarash Nabavi, 27,
obtained confidential U.S. voter information from at least one state election
website; sent threatening email messages to intimidate and interfere with
voters; created and disseminated a video containing disinformation about
purported election infrastructure vulnerabilities; attempted to access, without
authorization, several states’ voting-related websites; and successfully gained
unauthorized access to a U.S. media company’s computer network that, if not for
successful FBI and victim company efforts to mitigate, would have provided the
conspirators another vehicle to disseminate false claims after the election.
“This
indictment details how two Iran-based actors waged a targeted, coordinated
campaign to erode confidence in the integrity of the U.S. electoral system and
to sow discord among Americans,” said Assistant Attorney General Matthew G.
Olsen of the Justice Department’s National Security Division. “The allegations
illustrate how foreign disinformation campaigns operate and seek to influence
the American public. The Department is committed to exposing and disrupting
malign foreign influence efforts using all available tools, including criminal
charges.”
U.S.
Attorney Damian Williams for the Southern District of New York stated, “As
alleged, Kazemi and Kashian were part of a coordinated conspiracy in which
Iranian hackers sought to undermine faith and confidence in the U.S.
presidential election. Working with others, Kazemi and Kashian accessed voter
information from at least one state’s voter database, threatened U.S. voters
via email, and even disseminated a fictitious video that purported to depict
actors fabricating overseas ballots. The United States will never tolerate any
foreign actors’ attempts to undermine our free and democratic elections. As a
result of the charges unsealed today, and the concurrent efforts of our U.S.
government partners, Kazemi and Kashian will forever look over their shoulders
as we strive to bring them to justice.”
The
FBI’s Cyber Division’s Assistant Director Bryan Vorndran added, “The FBI
remains committed to countering malicious cyber activity targeting our
democratic process. Working rapidly with our private sector and U.S. government
partners and ahead of the election, we were able to disrupt and mitigate this
malicious activity – and then to enable today’s joint, sequenced operations
against the adversary.”
According
to the Feds, from about August of 2020 to November 2020, Kazemi, Kashian, and
other co-conspirators coordinated a campaign to undermine faith and confidence
in the 2020 presidential election. The Campaign had four components:
“In
September and October 2020, members of the conspiracy conducted reconnaissance
on, and attempted to compromise, approximately 11 state voter websites,
including state voter registration websites and state voter information
websites. Those efforts resulted in the successful exploitation of a
misconfigured computer system of a particular U.S. state (“State-1”), and the
resulting unauthorized downloading of information concerning more than 100,000
of State-1’s voters,” the Justice Department stated.
“In
October 2020, members of the conspiracy, claiming to be a “group of Proud Boys
volunteers,” sent Facebook messages and emails (the “False Election Messages”)
to Republican Senators, Republican members of Congress, individuals associated
with the presidential campaign of Donald J. Trump, White House advisors, and
members of the media. The False Election Messages claimed that the Democratic
Party was planning to exploit “serious security vulnerabilities” in state voter
registration websites to “edit mail-in ballots or even register non-existent
voters.” The False Election Messages were accompanied by a video (the “False
Election Video”) carrying the Proud Boys logo, which purported, via simulated
intrusions and the use of State-1 voter data, to depict an individual hacking
into state voter websites and using stolen voter information to create
fraudulent absentee ballots through the Federal Voting Assistance Program
(FVAP) for military and overseas voters.
“Also
in October 2020, the conspirators engaged in an online voter intimidation
campaign involving the dissemination of a threatening message (the “Voter Threat
Emails”), purporting to be from the Proud Boys to tens of thousands of
registered voters, including some voters whose information the conspiracy had
obtained from State-1’s website. The emails were sent to registered Democrats
and threatened the recipients with physical injury if they did not change their
party affiliation and vote for President Trump.”
The
Justice Department further stated that On Nov. 4, 2020, the day after the 2020
U.S. presidential election, the conspirators sought to leverage earlier
September and October 2020 intrusions into an American media company’s (Media
Company-1) computer networks. Specifically, on that day, the conspirators
attempted to use stolen credentials to again access Media Company-1’s network,
which would have provided them another vehicle for further disseminating false
claims concerning the election through conspirator-modified or created content.
However, because of an earlier FBI victim notification, Media Company-1 had by
that time mitigated the conspirators’ unauthorized access and these log-in
attempts failed.
According
to the Justice Department, Kazemi and Kashian are experienced Iran-based
computer hackers who worked as contractors for an Iran-based company formerly
known as Eeleyanet Gostar, and now known as Emennet Pasargad. Eeleyanet Gostar
purported to provide cybersecurity services within Iran. Among other things,
Eeleyanet Gostar is known to have provided services to the Iranian government,
including to the Guardian Council.
“As
part of his role in the Voter Intimidation and Influence Campaign, Kazemi compromised
computer servers that were used to send the Voter Threat Emails, drafted those
emails, and compromised the systems of Media Company-1. Kashian managed the
conspirators’ computer infrastructure used to carry out the Voter Threat Emails
campaign and he purchased social media accounts in furtherance of the Voter
Intimidation and Influence Campaign,” the Justice Department stated.
Kazemi
and Kashian were both charged with one count of conspiracy to commit computer
fraud and abuse, intimidate voters, and transmit interstate threats, which
carries a maximum sentence of five years in prison; one count of voter
intimidation, which carries a maximum sentence of one year in prison; and one
count of transmission of interstate threats, which carries a maximum sentence
of five years in prison. Kazemi is additionally charged with one count of
unauthorized computer intrusion, which carries a maximum sentence of five years
in prison; and one count of computer fraud, namely, knowingly damaging a
protected computer, which carries a maximum sentence of 10 years in prison.
“Concurrent
with the unsealing of the indictment, the Department of the Treasury Office of
Foreign Assets Control (OFAC) designated Emennet Pasargad, Kazemi, Kashian, and
four other Iranian nationals comprising Emennet Pasargad leadership pursuant to
Executive Order 13848.
Kazemi
and Kashian are both wanted by the FBI. The State Department’s “Rewards for
Justice Program” is offering a reward of up to $10 million for information on
or about their activities.
Back
in October of 2020, Treasury’s OFAC designated five Iranian entities for
attempting to influence elections in the United States.
“The
Iranian regime has targeted the United States’ electoral process with brazen
attempts to sow discord among the voting populace by spreading disinformation
online and executing malign influence operations aimed at misleading U.S.
voters. Components of the Government of Iran, disguised as news organizations
or media outlets, have targeted the United States in order to subvert U.S.
democratic processes,” the Treasury Department stated.
The
Treasury Department designated the Islamic Revolutionary Guard Corps (IRGC),
the IRGC-Qods Force (IRGC-QF), and Bayan Rasaneh Gostar Institute (Bayan
Gostar) pursuant to Executive Order (E.O.) 13848 for having directly or
indirectly engaged in, sponsored, concealed, or otherwise been complicit in
foreign interference in the 2020 U.S. presidential election. The Iranian
Islamic Radio and Televisin Union (IRTVU) and International Union of Virtual
Media (IUVM) were designated pursuant to E.O. 13848 for being owned or
controlled by the IRGC-QF. The IRGC, including the IRGC-QF, has been designated
under multiple authorities since 2007.
“The
Iranian regime uses false narratives and other misleading content to attempt to
influence U.S. elections,” said then-Treasury Secretary Steven T. Mnuchin.
According
to the Treasury Department, the Iranian regime’s disinformation efforts have
targeted a global audience through a variety of covert media organizations.
Disinformation campaigns run by the Iranian regime focus on sowing discord
among readers via social media platforms and messaging applications, and
frequently involve mischaracterizing information.
Since
at least 2015, Bayan Gostar has served as a front company for IRGC-QF
propaganda efforts. In the months leading up to the 2020 U.S. presidential
election, Bayan Gostar personnel have planned to influence the election by
exploiting social issues within the United States, including the COVID-19 pandemic,
and denigrating U.S. political figures. As recently as summer 2020, Bayan
Gostar was prepared to execute a series of influence operations directed at the
U.S. populace ahead of the presidential election.
IRTVU,
a propaganda arm of the IRGC-QF, and IUVM aided Bayan Gostar in efforts to
reach U.S. audiences. In addition, IRGC-QF outlets amplified false narratives
in English, and posted disparaging propaganda articles and other U.S.-oriented
content with the intent to sow discord among U.S. audiences. IUVM also posted
conspiracy theories and disinformation related to the COVID-19 pandemic.
“As a
result of the designations, all property and interests in property of the
persons are blocked, and U.S persons are generally prohibited from engaging in
transactions with them. In addition, foreign financial institutions that
knowingly facilitate significant transactions for, or persons that provide
material or certain other support to, the persons designated today risk
exposure to sanctions that could sever their access to the U.S. financial
system or block their property and interests in property under U.S.
jurisdiction. Additionally, any entities 50 percent or more owned by one or
more designated persons are also blocked,” the Treasury Department stated.
The
National Intelligence Council’s “Foreign Threats to the 2020 U.S. Federal
Elections” last March assessed that Iran had conducted a covert influence
campaign during the 2020 elections.
“We
assess that Iran carried out a multi-pronged covert influence campaign intended
to undercut former President Trump’s reelection prospects – though without
directly promoting his rivals – and undermine public confidence in the
electoral process and U.S. institutions, and sow division and exacerbate
societal tensions in the U.S,” the assessment stated. “We have high confidence
in this assessment. We assess the Supreme Leader Khamenei authorized the
campaign and Iran’s military and intelligence services implemented it using
covert messaging and cyber operations.”
About the Author
Paul Davis, who writes the IACSP Threatcon column, is a longtime
contributor to the Journal.