H-ISAC TLP White: FBI Warns of US Election Officials Targeting via Invoice-Themed Phishing Campaign to Harvest Credentials

On March 29, 2022, the Federal Bureau of Investigation (FBI) released an FBI-PIN (20220329-001) warning US election and other state and local government officials about invoice-themed phishing emails that could be used to harvest officials' login credentials. If successful, this activity may provide cyber actors with sustained, undetected access to a victim’s systems. 

As of October 2021, US election officials in at least nine states received invoice-themed phishing emails containing links to websites intended to steal login credentials. These emails shared similar attachment files, used compromised email addresses, and were sent close in time, suggesting a concerted effort to target US election officials.

The full report, also attached, can be accessed here.

The FBI judges cyber actors will likely continue or increase their targeting of US election officials with phishing campaigns in the lead-up to the 2022 US midterm elections. Proactive monitoring of election infrastructure (including official email accounts) and communication between the FBI and its state, local, territorial, and tribal partners about this type of activity will provide opportunities to mitigate instances of credential harvesting and compromise, identify potential targets and information sought by threat actors, and identify threat actors. This assessment is based on reports of phishing attacks that occurred in October 2021 and had the characteristics of a coordinated, ongoing effort to target US election officials.

  • On 5 October 2021, unidentified cyber actors targeted US election officials in at least nine states, and representatives of the National Association of Secretaries of State, with phishing emails. These emails originated from at least two email addresses with the same attachment titled, “INVOICE INQUIRY.PDF,” which redirected users to a credential harvesting website. One of the email addresses sending the phishing emails was a compromised US government official’s email account.
  • On 18 October 2021, cyber actors used two email addresses, purportedly from US businesses, to send phishing emails to county election employees. Both emails contained Microsoft Word document attachments regarding invoices, which redirected users to unidentified online credential harvesting websites.
  • On 19 October 2021, cyber actors used an email address, purportedly from a US business, to send a phishing email containing fake invoices to an election official. The emails contained an attached Microsoft Word document titled, “Current Invoice and Payments for the report.”

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272