{
	"id": "bc34cf32-5bab-4217-ad36-12936e815d08",
	"created_at": "2026-04-06T00:14:46.01414Z",
	"updated_at": "2026-04-10T13:12:03.093123Z",
	"deleted_at": null,
	"sha1_hash": "744ad283ff5636a3cedc40958c48564f2125c0b7",
	"title": "Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86048,
	"plain_text": "Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems | CISA\r\nPublished: 2020-10-22 · Archived: 2026-04-05 19:14:25 UTC\r\nSummary\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are\r\nwarning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with\r\nthe U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.\r\nThe APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S.\r\nvoter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and\r\nballot fraud.\r\nThe APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS)\r\nattacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and\r\ndisinformation campaigns.\r\nTechnical Details\r\nThese actors have conducted a significant number of intrusions against U.S.-based networks since August 2019.\r\nThe actors leveraged several Common Vulnerabilities and Exposures (CVEs)—notably CVE-2020-5902 and\r\nCVE-2017-9248—pertaining to virtual private networks (VPNs) and content management systems (CMSs).\r\nCVE-2020-5902 affects F5 VPNs. Remote attackers could exploit this vulnerability to execute arbitrary\r\ncode.[1]\r\nCVE-2017-9248 affects Telerik UI. Attackers could exploit this vulnerability in web applications using\r\nTelerik UI for ASP.NET AJAX to conduct cross-site scripting (XSS) attacks.[2]\r\nHistorically, these actors have conducted DDoS attacks, SQL injection attacks, spear-phishing campaigns,\r\nwebsite defacements, and disinformation campaigns. 
These activities could render these systems temporarily\r\ninaccessible to the public or election officials, which could slow, but would not prevent, voting or the reporting of\r\nresults.\r\nA DDoS attack could slow or render election-related public-facing websites inaccessible by flooding the\r\ninternet-accessible server with requests; this would prevent users from accessing online resources, such as\r\nvoting information or non-official voting results. In the past, cyber actors have falsely claimed DDoS\r\nattacks have compromised the integrity of voting systems in an effort to mislead the public that their attack\r\nwould prevent a voter from casting a ballot or change votes already cast.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-296b\r\nPage 1 of 6\n\nA SQL injection involves a threat actor inserting malicious code into the entry field of an application,\r\ncausing that code to execute if entries have not been sanitized. SQL injections are among the most\r\ndangerous and common exploits affecting websites. A SQL injection into a media company’s CMS could\r\nenable a cyber actor access to network systems to manipulate content or falsify news reports prior to\r\npublication.\r\nSpear-phishing messages may not be easily detectible. These emails often ask victims to fill out forms or\r\nverify information through links embedded in the email. APT actors use spear phishing to gain access to\r\ninformation—often credentials, such as passwords—and to identify follow-on victims. A malicious cyber\r\nactor could use compromised email access to spread disinformation to the victims’ contacts or collect\r\ninformation sent to or from the compromised account.\r\nPublic-facing website defacements typically involve a cyber threat actor compromising the website or its\r\nassociated CMS, allowing the actor to upload images to the site’s landing page. 
In situations where such\r\npublic-facing websites relate to elections (e.g., the website of a county board of elections), defacements\r\ncould cast doubt on the security and legitimacy of the websites’ information. If cyber actors were able to\r\nsuccessfully change an election-related website, the underlying data and internal systems would remain\r\nuncompromised.\r\nDisinformation campaigns involve malign actions taken by foreign governments or actors designed to\r\nsow discord, manipulate public discourse, or discredit the electoral system. Malicious actors often use\r\nsocial media as well as fictitious and spoofed media sites for these campaigns. Based on their corporate\r\npolicies, social media companies have worked to counter these actors’ use of their platforms to promote\r\nfictitious news stories by removing the news stories, and in many instances, closing the accounts related to\r\nthe malicious activity. However, these adversaries will continue their attempts to create fictitious accounts\r\nthat promote divisive storylines to sow discord, even after the election.\r\nMitigations\r\nThe following recommended mitigations list includes self-protection strategies against the cyber techniques used\r\nby the APT actors:\r\nValidate input—input validation is a method of sanitizing untrusted input provided by web application\r\nusers. Implementing input validation can protect against security flaws of web applications by significantly\r\nreducing the probability of successful exploitation. Types of attacks possibly prevented include SQL\r\ninjection, XSS, and command injection.\r\nAudit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services.\r\nDisable the service if unneeded or install available patches. 
Users may need to work with their technology\r\nvendors to confirm that patches will not affect system processes.\r\nVerify all cloud-based virtual machine instances with a public IP do not have open RDP ports, unless there\r\nis a valid business reason to do so. Place any system with an open RDP port behind a firewall, and require\r\nusers to use a VPN to access it through the firewall.\r\nEnable strong password requirements and account lockout policies to defend against brute-force attacks.\r\nApply multi-factor authentication, when possible.\r\nApply system and software updates regularly, particularly if you are deploying products affected by CVE-2020-5902 and CVE-2017-9248.\r\nFor patch information on CVE-2020-5902, refer to F5 Security Advisory K52145254.\r\nFor patch information on CVE-2017-9248, refer to Progress Telerik details for CVE-2017-9248.\r\nMaintain a good information back-up strategy that involves routinely backing up all critical data and\r\nsystem configuration information on a separate device. Store the backups offline; verify their integrity and\r\nrestoration process.\r\nEnable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days,\r\nand review them regularly to detect intrusion attempts.\r\nWhen creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote\r\naccess.\r\nEnsure third parties that require RDP access are required to follow internal policies on remote access.\r\nMinimize network exposure for all control system devices. Where possible, critical devices should not\r\nhave RDP enabled.\r\nRegulate and limit external to internal RDP connections. 
When external access to internal resources is\r\nrequired, use secure methods, such as VPNs, recognizing VPNs are only as secure as the connected\r\ndevices.\r\nBe aware of unsolicited contact on social media from any individual you do not know.\r\nBe aware of attempts to pass links or files via social media from anyone you do not know.\r\nBe aware of unsolicited requests to share a file via online services.\r\nBe aware of email messages conveying suspicious alerts about online accounts, including login\r\nnotifications from foreign countries or other alerts indicating attempted unauthorized access to your\r\naccounts.\r\nBe suspicious of emails purporting to be from legitimate online services (e.g., the images in the email\r\nappear to be slightly pixelated and/or grainy, language in the email seems off, the email originates from an\r\nIP address not attributable to the provider/company).\r\nBe suspicious of unsolicited email messages that contain shortened links (e.g., via tinyurl, bit.ly).\r\nUse security features provided by social media platforms, use strong passwords, change passwords\r\nfrequently, and use a different password for each social media account.\r\nSee CISA’s Tip on Best Practices for Securing Election Systems for more information.\r\nGeneral Mitigations\r\nKeep applications and systems updated and patched\r\nApply all available software updates and patches; automate this process to the greatest extent possible (e.g., by\r\nusing an update service provided directly from the vendor). Automating updates and patches is critical because of\r\nthe speed at which threat actors create exploits after a patch is released. These “N-day” exploits can be as\r\ndamaging as zero-day exploits. Vendor updates must also be authentic; updates are typically signed and\r\ndelivered over protected links to ensure the integrity of the content. 
Without rapid and thorough patch application,\r\nthreat actors can operate inside a defender’s patch cycle.[3] In addition to updating the application, use tools (e.g.,\r\nthe OWASP Dependency-Check Project tool[4]) to identify publicly known vulnerabilities in third-party\r\nlibraries that the application depends on.\r\nScan web applications for SQL injection and other common web vulnerabilities\r\nImplement a plan to scan public-facing web servers for common web vulnerabilities (SQL injection, cross-site\r\nscripting, etc.); use a commercial web application vulnerability scanner in combination with a source code\r\nscanner.[5] As vulnerabilities are found, they should be fixed or patched. This is especially crucial for networks\r\nthat host older web applications; as sites get older, more vulnerabilities are discovered and exposed.\r\nDeploy a web application firewall\r\nDeploy a web application firewall (WAF) to help prevent invalid input attacks and other attacks destined for the\r\nweb application. WAFs are intrusion detection/prevention devices that inspect each web request made to and from\r\nthe web application to determine if the request is malicious. Some WAFs install on the host system and others are\r\ndedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web\r\nvulnerability scanning tools.\r\nDeploy techniques to protect against web shells\r\nPatch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow\r\nguidance on detecting and preventing web shell malware.[6] Malicious cyber actors often deploy web shells—\r\nsoftware that can enable remote administration—on a victim’s web server. Malicious cyber actors can use web\r\nshells to execute arbitrary system commands, which are commonly sent over HTTP or HTTPS. 
Attackers often\r\ncreate web shells by adding or modifying a file in an existing web application. Web shells provide attackers with\r\npersistent access to a compromised network using communications channels disguised to blend in with legitimate\r\ntraffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.\r\nUse multi-factor authentication for administrator accounts\r\nPrioritize protection for accounts with elevated privileges, with remote access, and/or used on high value assets.[7]\r\nUse physical token-based authentication systems to supplement knowledge-based factors such as passwords\r\nand personal identification numbers (PINs).[8] Organizations should migrate away from single-factor\r\nauthentication, such as password-based systems, which are subject to poor user choices and more susceptible to\r\ncredential theft, forgery, and password reuse across multiple systems.\r\nRemediate critical web application security risks\r\nFirst, identify and remediate critical web application security risks; then, move on to other, less critical\r\nvulnerabilities. Follow available guidance on securing web applications.[9],[10],[11]\r\nHow do I respond to unauthorized access to election-related systems?\r\nImplement your security incident response and business continuity plan\r\nIt may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore\r\nnormal operations. In the meantime, take steps to maintain your organization’s essential functions according to\r\nyour business continuity plan. 
Organizations should maintain and regularly test backup plans, disaster recovery\r\nplans, and business continuity procedures.\r\nContact CISA or law enforcement immediately\r\nTo report an intrusion and to request incident response resources or technical assistance, contact CISA\r\n(Central@cisa.dhs.gov or 888-282-0870) or the Federal Bureau of Investigation (FBI) through a local field\r\noffice or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937).\r\nResources\r\nCISA Tip: Best Practices for Securing Election Systems\r\nCISA Tip: Securing Voter Registration Data\r\nCISA Tip: Website Security\r\nCISA Tip: Avoiding Social Engineering and Phishing Attacks\r\nCISA Tip: Securing Network Infrastructure Devices\r\nCISA Activity Alert: Technical Approaches to Uncovering and Remediating Malicious Activity\r\nCISA Insights: Actions to Counter Email-Based Attacks On Election-related Entities\r\nFBI and CISA Public Service Announcement (PSA): Spoofed Internet Domains and Email Accounts Pose\r\nCyber and Disinformation Risks to Voters\r\nFBI and CISA PSA: Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding\r\n2020 Elections\r\nFBI and CISA PSA: Distributed Denial of Service Attacks Could Hinder Access to Voting Information,\r\nWould Not Prevent Voting\r\nFBI and CISA PSA: False Claims of Hacked Voter Information Likely Intended to Cast Doubt on\r\nLegitimacy of U.S. 
Elections\r\nFBI and CISA PSA: Cyber Threats to Voting Processes Could Slow But Not Prevent Voting\r\nFBI and CISA PSA: Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020\r\nElection Results\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact\r\nyour local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855)\r\n292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information\r\nregarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of\r\nequipment used for the activity; the name of the submitting company or organization; and a designated point of\r\ncontact. To request incident response resources or technical assistance related to these threats, contact CISA at\r\nCentral@cisa.dhs.gov.\r\nReferences\r\n[1] F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902\r\n[2] Progress Telerik details for CVE-2017-9248\r\n[4] OWASP Dependency-Check\r\n[10] OWASP Top Ten\r\n[11] 2020 CWE Top 25 Most Dangerous Software Weaknesses\r\nRevisions\r\nOctober 22, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-296b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-296b"
	],
	"report_names": [
		"aa20-296b"
	],
	"threat_actors": [],
	"ts_created_at": 1775434486,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/744ad283ff5636a3cedc40958c48564f2125c0b7.pdf",
		"text": "https://archive.orkl.eu/744ad283ff5636a3cedc40958c48564f2125c0b7.txt",
		"img": "https://archive.orkl.eu/744ad283ff5636a3cedc40958c48564f2125c0b7.jpg"
	}
}