{
	"id": "4db05111-59fc-4f2e-bf3a-840919022c06",
	"created_at": "2026-04-06T00:15:16.433317Z",
	"updated_at": "2026-04-10T03:20:55.69046Z",
	"deleted_at": null,
	"sha1_hash": "84d8e4ddec5ac9f0e95230fd653d5f83b0a64516",
	"title": "Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 120082,
	"plain_text": "Iranian Advanced Persistent Threat Actor Identified Obtaining Voter\r\nRegistration Data | CISA\r\nPublished: 2020-11-03 · Archived: 2026-04-05 17:03:12 UTC\r\nSummary\r\nThis advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) version 8 framework.\r\nSee the ATT\u0026CK for Enterprise version 8 for all referenced threat actor techniques.\r\nThis joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the\r\nFederal Bureau of Investigation (FBI). CISA and the FBI are aware of an Iranian advanced persistent threat (APT) actor\r\ntargeting U.S. state websites—to include election websites. CISA and the FBI assess this actor is responsible for the mass\r\ndissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in\r\nmid-October 2020. This disinformation (hereinafter, “the propaganda video”) was in the form of a video purporting to\r\nmisattribute the activity to a U.S. domestic actor and implies that individuals could cast fraudulent ballots, even from\r\noverseas. https://www.odni.gov/index.php/newsroom/press-releases/item/2162-dni-john-ratcliffe-s-remarks-at-press-conference-on-election-security.  (Reference FBI FLASH message ME-000138-TT, disseminated October 29, 2020). Further\r\nevaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to\r\ninfluence and interfere with the 2020 U.S. presidential election.\r\nClick here for a PDF version of this report.\r\nTechnical Details\r\nAnalysis by CISA and the FBI indicates this actor scanned state websites, to include state election websites, between\r\nSeptember 20 and September 28, 2020, with the Acunetix vulnerability scanner (Active Scanning: Vulnerability Scanning\r\n[T1595.002 ]). 
Acunetix is a widely used, legitimate web vulnerability scanner that has also been used by threat actors for nefarious\r\npurposes. Organizations that do not regularly use Acunetix should monitor their logs for any activity from the program that\r\noriginates from IP addresses provided in this advisory and consider it malicious reconnaissance behavior. \r\nAdditionally, CISA and the FBI observed this actor attempting to exploit websites to obtain copies of voter registration data\r\nbetween September 29 and October 17, 2020 (Exploit Public-Facing Application [T1190 ]). This includes attempted\r\nexploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads,\r\nand leveraging unique flaws in websites. \r\nCISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of\r\nvoter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL\r\ntool to iterate through voter records. A review of the records that were copied and obtained reveals the information was used\r\nin the propaganda video. \r\nNot all of the activity against state websites, including state election websites, referenced in this\r\nproduct can be fully attributed to this Iranian APT actor. FBI analysis of the Iranian APT actor’s activity has identified\r\ntargeting of U.S. elections’ infrastructure (Compromise Infrastructure [T1584 ]) within a similar timeframe, use of IP\r\naddresses and IP ranges—including numerous virtual private network (VPN) service exit nodes—which correlate to this Iran\r\nAPT actor (Gather Victim Host Information [T1592 ]), and other investigative information. \r\nReconnaissance\r\nThe FBI has information indicating this Iran-based actor attempted to access PDF documents from state voter sites using\r\nadvanced open-source queries (Search Open Websites and Domains [T1593 ]). 
The actor demonstrated interest in PDFs\r\nhosted on URLs with the words “vote” or “voter” and “registration.” The FBI identified queries of URLs for election-related\r\nsites. \r\nThe FBI also has information indicating the actor researched the following topics in a suspected attempt to further\r\ntheir efforts to survey and exploit state election websites.\r\nYOURLS exploit\r\nBypassing ModSecurity Web Application Firewall\r\nDetecting Web Application Firewalls\r\nSQLmap tool\r\nAcunetix Scanning\r\nCISA’s analysis identified the scanning of multiple entities by the Acunetix Web Vulnerability scanning platform between\r\nSeptember 20 and September 28, 2020 (Active Scanning: Vulnerability Scanning [T1595.002 ]). \r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-304a\r\nPage 1 of 5\n\nThe actor used the scanner to attempt SQL injection into various fields in /registration/registration/details; the\r\nrequests returned status codes 404 or 500.\r\n/registration/registration/details?addresscity=-1 or 3*2\u003c(0+5+513-513) --\r\n\u0026addressstreet1=xxxxx\u0026btnbeginregistration=begin voter\r\nregistration\u0026btnnextelectionworkerinfo=next\u0026btnnextpersonalinfo=next\u0026btnnextresdetails=next\u0026btnnextvoterinformation=next\u0026btnsubmit=submit\r\nxxx-xxxx\u0026phoneno2=xxx-xxx-xxxx\u0026radio=consent\u0026statecancelcity=xxxxxxx\u0026statecancelcountry=usa\u0026statecancelstate=XXaa\u0026statecancelzip=xxxxx\u0026statecancelzipext=xxxxx\u0026suff\r\nRequests\r\nThe actor used the following requests associated with this scanning activity.\r\n2020-09-26 13:12:56 x.x.x.x GET /x/x v[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 0\r\n2020-09-26 13:13:19 X.X.x.x GET /x/x voterid[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 1375\r\n2020-09-26 13:13:18 .X.x.x GET /x/x 
voterid=;print(md5(acunetix_wvs_security_test)); 443 - X.X.x.x\r\nUser Agents Observed\r\nCISA and FBI have observed the following user agents associated with this scanning activity.\r\nMozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21\r\nMozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4\r\nMozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.8.1.17)+Gecko/20080922+Ubuntu/7.10+(gutsy)+Firefox/2.0.0.17\r\nExfiltration\r\nObtaining Voter Registration Data\r\nFollowing the review of web server access logs, CISA analysts, in coordination with the FBI, found instances of the cURL\r\nand FDM User Agents sending GET requests to a web resource associated with voter registration data. The activity occurred\r\nbetween September 29 and October 17, 2020. Suspected scripted activity submitted several hundred thousand queries\r\niterating through voter identification values, and retrieving results with varying levels of success (Gather Victim Identity\r\nInformation [T1589 ]). 
A sample of the records identified by the FBI reveals they match information in the aforementioned\r\npropaganda video.\r\nRequests\r\nThe actor used the following requests.\r\n2020-10-17 13:07:51 x.x.x.x GET /x/x voterid=XXXX1 443 - x.x.x.x curl/7.55.1 - 200 0 0 1406\r\n2020-10-17 13:07:55 x.x.x.x GET /x/x voterid=XXXX2 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390\r\n2020-10-17 13:07:58 x.x.x.x GET /x/x voterid=XXXX3 443 - x.x.x.x curl/7.55.1 - 200 0 0 1625\r\n2020-10-17 13:08:00 x.x.x.x GET /x/x voterid=XXXX4 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390\r\nNote: incrementing voterid values in the cs-uri-query field\r\nUser Agents\r\nCISA and FBI have observed the following user agents.\r\nFDM+3.x\r\ncurl/7.55.1\r\nMozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21\r\nMozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4\r\nSee figure 1 below for a timeline of the actor’s malicious activity.\r\nFigure 1: Overview of malicious activity\r\nMitigations\r\nDetection\r\nAcunetix Scanning\r\nOrganizations can identify Acunetix scanning activity by using the following keywords while performing log analysis.\r\n$acunetix\r\nacunetix_wvs_security_test\r\nIndicators of Compromise\r\nFor a downloadable copy of IOCs, see AA20-304A.stix.\r\nDisclaimer: many of the IP addresses included below likely correspond to publicly available VPN services, which can be\r\nused by individuals all over the world. This creates the potential for a significant number of false positives; only activity\r\nlisted in this advisory warrants further investigation. 
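As an added example (not code from this CISA advisory), the Python below applies the two detections described above to constructed IIS W3C log lines laid out in the same column order as the request lines quoted in this advisory: the Acunetix keywords $acunetix and acunetix_wvs_security_test, and scripted iteration of a voterid query parameter by a curl/ or FDM+ user agent. The column names, the request threshold and the sample log are assumptions for the example; the three IOC addresses it carries are taken from the list in this advisory, and a hit on an IOC address alone produces no finding, in line with the disclaimer.

```python
# Added example, not part of the CISA advisory: detection logic for the
# Acunetix markers and the scripted voter-ID enumeration described above,
# run over constructed IIS W3C log lines.
from collections import defaultdict

# Assumed IIS W3C column order; it matches the layout of the request
# lines quoted in the advisory. Real logs declare it in a #Fields: header.
FIELDS = ['date', 'time', 's_ip', 'method', 'uri_stem', 'uri_query',
          'port', 'username', 'c_ip', 'user_agent', 'referer',
          'status', 'substatus', 'win32_status', 'time_taken']

# Keywords CISA lists for Acunetix; the $acunetix marker also appears
# inside parameter names such as voterid[$acunetix].
ACUNETIX_MARKERS = ('$acunetix', 'acunetix_wvs_security_test')

# Tooling user agents seen iterating voter records in the advisory.
SCRIPTED_UA_PREFIXES = ('curl/', 'FDM+')

# Three of the advisory's IOC addresses, with the [.] de-fanging removed.
IOC_IPS = {'143.244.38.60', '102.129.239.185', '77.243.191.21'}

# Constructed sample log (not real traffic): one Acunetix probe pair, a
# curl loop over sequential IDs, a short FDM loop, a benign request from
# an IOC address, and a single curl request from a non-IOC address.
SAMPLE_LOG = [
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2020-09-26 13:12:56 10.0.0.10 GET /x/x v[$acunetix]=1 443 - 143.244.38.60 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21 - 200 0 0 0',
    '2020-09-26 13:13:18 10.0.0.10 GET /x/x voterid=;print(md5(acunetix_wvs_security_test)); 443 - 143.244.38.60 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21 - 500 0 0 0',
    '2020-10-17 13:07:51 10.0.0.10 GET /x/x voterid=100001 443 - 143.244.38.60 curl/7.55.1 - 200 0 0 1406',
    '2020-10-17 13:07:55 10.0.0.10 GET /x/x voterid=100002 443 - 143.244.38.60 curl/7.55.1 - 200 0 0 1390',
    '2020-10-17 13:07:58 10.0.0.10 GET /x/x voterid=100003 443 - 143.244.38.60 curl/7.55.1 - 200 0 0 1625',
    '2020-10-17 13:08:00 10.0.0.10 GET /x/x voterid=100004 443 - 143.244.38.60 curl/7.55.1 - 200 0 0 1390',
    '2020-10-17 14:01:02 10.0.0.10 GET /x/x voterid=200010 443 - 77.243.191.21 FDM+3.x - 200 0 0 1402',
    '2020-10-17 14:01:03 10.0.0.10 GET /x/x voterid=200011 443 - 77.243.191.21 FDM+3.x - 200 0 0 1399',
    '2020-10-17 09:30:00 10.0.0.10 GET /index.html - 443 - 102.129.239.185 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 12',
    '2020-10-17 09:31:00 10.0.0.10 GET /x/x voterid=300500 443 - 198.51.100.7 curl/7.55.1 - 200 0 0 1380',
]


def parse_iis_line(line):
    # Returns a dict keyed by FIELDS, or None for headers and malformed rows.
    parts = line.split()
    if line.startswith('#') or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def query_params(query):
    # Minimal cs-uri-query split; IIS writes '-' when there is no query.
    params = {}
    for pair in query.split('&'):
        key, sep, value = pair.partition('=')
        if sep:
            params[key] = value
    return params


def detect(lines, min_enum_requests=3):
    # Returns (rule, client_ip, detail, client_ip_is_ioc) tuples.
    records = [r for r in map(parse_iis_line, lines) if r]
    findings = []
    # Rule 1: Acunetix markers anywhere in path, query or user agent.
    for r in records:
        haystack = r['uri_stem'] + r['uri_query'] + r['user_agent']
        if any(m in haystack for m in ACUNETIX_MARKERS):
            findings.append(('acunetix_scan', r['c_ip'], r['uri_query']))
    # Rule 2: a tool user agent walking voterid values upward from one client.
    by_client = defaultdict(list)
    for r in records:
        if r['user_agent'].startswith(SCRIPTED_UA_PREFIXES):
            vid = query_params(r['uri_query']).get('voterid')
            if vid and vid.isdigit():
                by_client[(r['c_ip'], r['user_agent'])].append(int(vid))
    for (ip, ua), ids in by_client.items():
        sequential = all(b > a for a, b in zip(ids, ids[1:]))
        if len(ids) >= min_enum_requests and sequential:
            detail = '%d ids %d..%d via %s' % (len(ids), ids[0], ids[-1], ua)
            findings.append(('voterid_enumeration', ip, detail))
    # Rule 3: an IOC address only enriches an activity finding; a lone hit
    # from a shared VPN exit node is not reported, per the disclaimer above.
    return [f + (f[1] in IOC_IPS,) for f in findings]


if __name__ == '__main__':
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Real IIS logs name their columns in a #Fields: header in the order the server actually writes them; map columns from that header rather than hard-coding FIELDS, and raise min_enum_requests to suit the site's traffic. The sequential test is deliberately strict (each voterid larger than the one before from the same client and tool); a loop that randomises identifiers would need a distinct-count rule per client instead.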
The actor likely uses various IP addresses and VPN services.\r\nThe following IPs have been associated with this activity.\r\n102.129.239[.]185 (Acunetix Scanning)\r\n143.244.38[.]60 (Acunetix Scanning and cURL requests)\r\n45.139.49[.]228 (Acunetix Scanning)\r\n156.146.54[.]90 (Acunetix Scanning)\r\n109.202.111[.]236 (cURL requests)\r\n185.77.248[.]17 (cURL requests)\r\n217.138.211[.]249 (cURL requests)\r\n217.146.82[.]207 (cURL requests)\r\n37.235.103[.]85 (cURL requests)\r\n37.235.98[.]64 (cURL requests)\r\n70.32.5[.]96 (cURL requests)\r\n70.32.6[.]20 (cURL requests)\r\n70.32.6[.]8 (cURL requests)\r\n70.32.6[.]97 (cURL requests)\r\n70.32.6[.]98 (cURL requests)\r\n77.243.191[.]21 (cURL requests and FDM+3.x [Free Download Manager v3] enumeration/iteration)\r\n92.223.89[.]73 (cURL requests)\r\nCISA and the FBI are aware that the following IOCs have been used by this Iran-based actor. These IP addresses facilitated the\r\nmass dissemination of voter intimidation email messages on October 20, 2020.\r\n195.181.170[.]244 (Observed September 30 and October 20, 2020)\r\n102.129.239[.]185 (Observed September 30, 2020)\r\n104.206.13[.]27 (Observed September 30, 2020)\r\n154.16.93[.]125 (Observed September 30, 2020)\r\n185.191.207[.]169 (Observed September 30, 2020)\r\n185.191.207[.]52 (Observed September 30, 2020)\r\n194.127.172[.]98 (Observed September 30, 2020)\r\n194.35.233[.]83 (Observed September 30, 2020)\r\n198.147.23[.]147 (Observed September 30, 2020)\r\n198.16.66[.]139 (Observed September 30, 2020)\r\n212.102.45[.]3 (Observed September 30, 2020)\r\n212.102.45[.]58 (Observed September 30, 2020)\r\n31.168.98[.]73 (Observed September 30, 2020)\r\n37.120.204[.]156 (Observed September 30, 2020)\r\n5.160.253[.]50 (Observed September 30, 2020)\r\n5.253.204[.]74 (Observed September 30, 2020)\r\n64.44.81[.]68 (Observed September 30, 2020)\r\n84.17.45[.]218 (Observed September 30, 2020)\r\n89.187.182[.]106 (Observed September 30, 2020)\r\n89.187.182[.]111 (Observed September 30, 
2020)\r\n89.34.98[.]114 (Observed September 30, 2020)\r\n89.44.201[.]211 (Observed September 30, 2020)\r\nRecommendations\r\nThe following list provides recommended self-protection mitigation strategies against cyber techniques used by advanced\r\npersistent threat actors: \r\nValidate input as a method of sanitizing untrusted input submitted by web application users. Validating input can\r\nsignificantly reduce the probability of successful exploitation by providing protection against security flaws in web\r\napplications. The types of attacks possibly prevented include SQL injection, Cross Site Scripting (XSS), and\r\ncommand injection.\r\nAudit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable\r\nunnecessary services and install available patches for the services in use. Users may need to work with their\r\ntechnology vendors to confirm that patches will not affect system processes.\r\nVerify all cloud-based virtual machine instances with a public IP, and avoid using open RDP ports, unless there is a\r\nvalid need. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it\r\nthrough the firewall.\r\nEnable strong password requirements and account lockout policies to defend against brute-force attacks.\r\nApply multi-factor authentication, when possible.\r\nMaintain a good information back-up strategy by routinely backing up all critical data and system configuration\r\ninformation on a separate device. Store the backups offline, verify their integrity, and verify the restoration process.\r\nEnable logging and ensure logging mechanisms capture RDP logins. 
Keep logs for a minimum of 90 days and review\r\nthem regularly to detect intrusion attempts.\r\nWhen creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.\r\nEnsure third parties that require RDP access follow internal remote access policies.\r\nMinimize network exposure for all control system devices. Where possible, critical devices should not have RDP\r\nenabled.\r\nRegulate and limit external to internal RDP connections. When external access to internal resources is required, use\r\nsecure methods, such as VPNs. However, recognize that a VPN is only as secure as the devices connected to it.\r\nUse security features provided by social media platforms; use strong passwords, change passwords frequently, and\r\nuse a different password for each social media account.\r\nSee CISA’s Tip on Best Practices for Securing Election Systems for more information. \r\nGeneral Mitigations\r\nKeep applications and systems updated and patched\r\nApply all available software updates and patches and automate this process to the greatest extent possible (e.g., by using an\r\nupdate service provided directly from the vendor). Automating updates and patches is critical because of the speed with which threat\r\nactors create new exploits following the release of a patch. These “N-day” exploits can be as damaging as zero-day\r\nexploits. Ensure the authenticity and integrity of vendor updates by using signed updates delivered over protected links.\r\nWithout the rapid and thorough application of patches, threat actors can operate inside a defender’s patch cycle. 
(See NSA, \"NSA's Top Ten Cybersecurity Mitigation Strategies\": https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf.) Additionally, use tools (e.g.,\r\nthe OWASP Dependency-Check Project tool, https://owasp.org/www-project-dependency-check/) to identify the publicly\r\nknown vulnerabilities in third-party libraries depended upon by the application.\r\nScan web applications for SQL injection and other common web vulnerabilities\r\nImplement a plan to scan public-facing web servers for common web vulnerabilities (e.g., SQL injection, cross-site\r\nscripting) by using a commercial web application vulnerability scanner in combination with a source code scanner\r\n(see https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/defending-against-the-exploitation-of-sql-vulnerabilities-to.cfm). Fixing or patching vulnerabilities after they are identified is especially crucial for networks hosting older web\r\napplications. As sites get older, more vulnerabilities are discovered and exposed.\r\nDeploy a web application firewall\r\nDeploy a web application firewall (WAF) to block invalid-input attacks and other attacks destined for the web application.\r\nWAFs are intrusion detection/prevention devices that inspect each web request made to and from the web application to\r\ndetermine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front\r\nof the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools. \r\nDeploy techniques to protect against web shells\r\nPatch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on\r\ndetecting and preventing web shell malware. 
(NSA \u0026 ASD, \"Cybersecurity Information: Detect and Prevent Web Shell Malware\": https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF.) Malicious cyber actors often deploy web shells—software that can enable remote\r\nadministration—on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands\r\ncommonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web\r\napplication. Web shells provide attackers with persistent access to a compromised network using communications channels\r\ndisguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade\r\nmany security tools. \r\nUse multi-factor authentication for administrator accounts\r\nPrioritize protection for accounts with elevated privileges, remote access, or used on high-value assets (see https://us-cert.cisa.gov/cdm/event/Identifying-and-Protecting-High-Value-Assets-Closer-Look-Governance-Needs-HVAs). Use physical\r\ntoken-based authentication systems to supplement knowledge-based factors such as passwords and personal identification\r\nnumbers (PINs) (NSA, \"NSA's Top Ten Cybersecurity Mitigation Strategies\":\r\nhttps://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf). Organizations should migrate away from single-factor authentication, such as password-based\r\nsystems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across\r\nmultiple systems.\r\nRemediate critical web application security risks\r\nFirst, identify and remediate critical web application security risks. Next, move on to other less critical vulnerabilities.\r\nFollow available guidance on securing web applications. 
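As an added example that is not part of this advisory, the Python below shows the class of defect the scanner's probe in the Acunetix Scanning section was looking for, and the fix the input-validation recommendation calls for: a record lookup that concatenates the voterid request parameter into SQL, next to one that validates the type and binds a parameter. The table, rows and column names are invented for the example; the two probes are boolean-based blind payloads in the same form as the addresscity probe quoted above (arithmetic comparisons that evaluate to false and to true), applied here to a numeric voterid context, which is the form in which such a probe lands unquoted in the query.

```python
# Added example, not code from the CISA advisory: SQL injection via string
# concatenation beside the parameterised fix, exercised with boolean-based
# blind probes shaped like the scanner request quoted in the advisory.
import sqlite3


def build_db():
    # Invented voter table with three rows; in-memory so the example runs offline.
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE voters (voterid INTEGER PRIMARY KEY, name TEXT, addresscity TEXT)')
    conn.executemany('INSERT INTO voters VALUES (?, ?, ?)', [
        (100001, 'Alice Example', 'Springfield'),
        (100002, 'Bob Example', 'Shelbyville'),
        (100003, 'Carol Example', 'Springfield'),
    ])
    return conn


def lookup_vulnerable(conn, voterid):
    # Defect: the request parameter is pasted into the statement and
    # therefore becomes SQL. Kept deliberately vulnerable for contrast.
    sql = 'SELECT voterid FROM voters WHERE voterid = ' + voterid
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, voterid):
    # Fix: reject anything that is not a positive integer, then bind the
    # value as a parameter so the driver never treats it as SQL text.
    if not voterid.isdigit():
        raise ValueError('voterid must be a positive integer')
    rows = conn.execute('SELECT voterid FROM voters WHERE voterid = ?', (int(voterid),))
    return [row[0] for row in rows]


# Boolean-based blind probes: same shape as the advisory's addresscity
# payload; one comparison is false (6 < 5), the other true (6 > 5).
PROBE_FALSE = '-1 or 3*2<(0+5+513-513) --'
PROBE_TRUE = '-1 or 3*2>(0+5+513-513) --'


def probe_results(lookup, conn):
    # Runs both probes; a rejected or failing request counts as one outcome.
    out = []
    for probe in (PROBE_FALSE, PROBE_TRUE):
        try:
            out.append(lookup(conn, probe))
        except (ValueError, sqlite3.Error):
            out.append('rejected')
    return out


def injectable(lookup, conn):
    # A scanner flags the parameter when the false and true probes produce
    # different responses: the page content depended on injected logic.
    false_result, true_result = probe_results(lookup, conn)
    return false_result != true_result


if __name__ == '__main__':
    db = build_db()
    print('vulnerable lookup injectable:', injectable(lookup_vulnerable, db))
    print('hardened lookup injectable:', injectable(lookup_hardened, db))
```

Parameter binding closes the injection, but it does nothing against the enumeration described in the Exfiltration section: an endpoint that returns a record for any well-formed sequential voterid still leaks the file to a cURL loop. That needs an authorization check on the caller, non-sequential identifiers or rate limiting, not input validation.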
Relevant guidance: NSA, “Building Web Applications – Security for Developers”\r\n(https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/building-web-applications-security-recommendations-for.cfm); OWASP Top Ten (https://owasp.org/www-project-top-ten/); 2020 CWE Top 25 (https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html)\r\nHow do I respond to unauthorized access to election-related systems?\r\nImplement your security incident response and business continuity plan\r\nIt may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal\r\noperations. In the meantime, take steps to maintain your organization’s essential functions according to your business\r\ncontinuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business\r\ncontinuity procedures.\r\nContact CISA or law enforcement immediately \r\nTo report an intrusion and to request incident response resources or technical assistance, contact CISA (Central@cisa.gov\r\nor 888-282-0870) or the FBI through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937).\r\nResources\r\nCISA Tip: Best Practices for Securing Election Systems\r\nCISA Tip: Securing Voter Registration Data\r\nCISA Tip: Website Security\r\nCISA Tip: Avoiding Social Engineering and Phishing Attacks\r\nCISA Tip: Securing Network Infrastructure Devices\r\nJoint Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity\r\nCISA Insights: Actions to Counter Email-Based Attacks on Election-related Entities\r\nFBI and CISA Public Service Announcement (PSA): Spoofed Internet Domains and Email Accounts Pose Cyber and\r\nDisinformation Risks to Voters\r\nFBI and CISA PSA: Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020\r\nElections\r\nFBI and CISA PSA: Distributed Denial of Service Attacks Could Hinder Access to Voting Information, Would Not\r\nPrevent Voting\r\nFBI and CISA PSA: False Claims of 
Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S.\r\nElections\r\nFBI and CISA PSA: Cyber Threats to Voting Processes Could Slow But Not Prevent Voting\r\nFBI and CISA PSA: Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election\r\nResult\r\nRevisions\r\nOctober 30, 2020: Initial version\r\nNovember 3, 2020: Updated IOC disclaimer to emphasize that only activity listed in this\r\nalert warrants further investigation.\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-304a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-304a"
	],
	"report_names": [
		"aa20-304a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84d8e4ddec5ac9f0e95230fd653d5f83b0a64516.pdf",
		"text": "https://archive.orkl.eu/84d8e4ddec5ac9f0e95230fd653d5f83b0a64516.txt",
		"img": "https://archive.orkl.eu/84d8e4ddec5ac9f0e95230fd653d5f83b0a64516.jpg"
	}
}