Local election workers facing an uptick in physical threats and harassment have also been targeted by a recent wave of malicious email activity ahead of the 2022 midterm elections, according to a new analysis.
While much of the security discussed about the midterms has focused on disinformation and countering foreign cyberattacks, county election workers in the key battleground states of Arizona and Pennsylvania dealt with a surge of phishing attacks coinciding with their primary elections, data shared with TIME by cybersecurity firm Trellix shows.
These attacks have included familiar phishing schemes to access passwords as well as newer ones targeting the absentee-ballot process, according to the report. “They’re preying on the prototypical easy way in,” says Patrick Flynn, who heads the Advanced Programs Group at Trellix. The goal, he says, is to get local election workers to give away access to their own personal data as well as information about their colleagues, voter records, or administrative tools.
In Pennsylvania, malicious emails targeting county election workers surged around its primary elections on May 17, rising more than 546% in six months, to 7,555 by the end of the second quarter of 2022. One scheme detected by Trellix researchers involved attackers leveraging an existing email thread dating back to 2018 between a county election worker and a government contractor distributing and collecting absentee-ballot applications. The familiar names and long-running correspondence made it more likely to succeed.
A wave of malicious emails targeting local election workers also crested in Arizona around the state’s primary elections on Aug. 2, according to Trellix data, rising from 617 in the first quarter of the year to 2,246 in the third quarter. One effort targeting Arizona election workers used a typical phishing scheme informing staffers that their passwords were about to expire. Local workers were prompted to click a link and enter login credentials, which would give attackers access to election administrators’ networks, including contact lists, voter records, and administrative tools, as well as their own data.
Earlier this month, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint assessment stating that “any attempts by cyber actors to compromise election infrastructure are unlikely to result in large-scale disruptions or prevent voting.” But analysts say that while it’s not clear who was behind this recent wave of cyberattacks, the focus on county election workers is likely taking advantage of a growing vulnerability.
Local and state officials say they’re facing a shortage of election workers ahead of next month’s midterm elections due to the physical threats and harassment many of them have suffered since 2020, when false claims implied that election workers were complicit in widespread voter fraud. Roughly one in three election officials and poll workers have quit these positions over fears for their safety, according to Kim Wyman, the senior election security lead at CISA.
That makes it more likely that the overworked staffers remaining could be tricked into providing access to personal information, internal data or election databases, security researchers say. The workers being targeted at the local level, some of whom are volunteers, are “relatively the least sophisticated actors in terms of cybersecurity postures, but the most critical in actual electoral engagement with voters,” the Trellix report says.
Despite the recent focus on foreign influence campaigns and cyberattacks, election security remains at its core a local and state level issue, says Flynn. “U.S. election officials should focus on the human aspects of election cybersecurity as well as election disinformation and election workers’ physical security,” he says in the report. “Any apparent cyber incidents around the 2022 midterms could potentially be used to feed more election result conspiracy theories.”
This kind of phishing targeting state and local election worker—which is often unsophisticated but effective—has long been a concern for law enforcement and cybersecurity officials. In 2016, Hillary Clinton’s campaign chairman John Podesta infamously fell for such an email scheme, allowing Russian agents to hack thousands of internal campaign messages.
In 2019, the director of the Department of Homeland Security’s Election Security Initiative, Geoff Hale, warned secretaries of state that the country’s decentralized voting systems remained vulnerable to this kind of exploitation. Last fall, election officials in nine states were targeted by fake email invoices meant to trick them into giving away their login credentials, according to an FBI bulletin. “Cyber actors will likely continue or increase their targeting of U.S. election officials with phishing campaigns in the lead-up to the 2022 U.S. midterm elections,” the agency warned in March.
The U.S. government has stepped up efforts to counter threats against election workers, including a dedicated task force at the Department of Justice launched in July 2021 that has investigated more than 100 such cases. One in six election officials has reported being threatened for carrying out their job, according to a poll published by the Brennan Center in March. Of those surveyed, 77% said these threats have increased in recent years.
Some states have recently taken steps to protect election workers’ private information and addresses. In California, a new bill allows election workers to enroll in a “Safe At Home” program meant to keep their personal information confidential—a setup usually used by domestic-violence survivors.
Local law enforcement needs to get more involved in “protecting election workers themselves, ensuring that they’re not being doxed, or their public information or their personal contact information is being released so they get more threats,” former CISA director Chris Krebs said in a “Face the Nation” interview earlier this month. “We do need more attention on these threats. Otherwise, we’re going to see a shortage of election workers.”