Candidates in a local school board election in Colorado were targeted by threat actors in a series of cyberattacks last autumn. The election, which took place in Boulder County, saw ten candidates, including the author, vying for four seats on the school board. At least three of those candidates, the author among them, were targeted with a Business Email Compromise (BEC) campaign. The attackers demonstrated advanced social engineering skills by leveraging a social graph of the candidates’ relationships within the school district.
While larger elections in the United States, especially during even-numbered years, typically attract more attention from cyber attackers, off-year elections are not immune to malicious activity. Recent warnings from the US Department of State, CISA, and the UK’s NCSC highlighted the threat posed by attackers affiliated with Russia’s FSB targeting political candidates for phishing attacks.
The author’s investigation into the cyberattacks revealed a sophisticated phishing campaign that targeted candidates using tailored emails and attachments designed to trick them into revealing sensitive information. The attacks, which originated from a Russia-based webmail service, aimed to exploit the candidates’ relationships and familiarity with key figures in the school district.
The phishing attempts escalated in complexity and severity, with attackers sending emails disguised as legitimate documents from services like Adobe Acrobat Sign. These emails contained malicious attachments that were customized to each target, displaying personal details such as campaign logos to deceive recipients into entering sensitive information.
The investigation uncovered a wider phishing campaign that targeted organizations in the US, Canada, the UK, Europe, India, Australia, New Zealand, and South Africa. The attackers utilized compromised email servers to send over 2000 identical messages to nearly 800 organizations, with the goal of stealing sensitive information through customized phishing attachments.
To protect against such attacks, the author recommends using multifactor authentication, password managers, and secure communication channels. Candidates can mitigate the risk of falling victim to cyber threats by creating unique passwords, enabling multifactor authentication, and safeguarding campaign data with encryption keys.
The author’s experience as both a cybersecurity professional and a political candidate underscores the importance of maintaining vigilance and implementing strong security measures, regardless of the size or scope of the election. As the 2024 US elections approach, it is crucial for candidates and campaigns to remain aware of the evolving threat landscape and take proactive steps to secure their sensitive data.
Sophos X-Ops would like to acknowledge the assistance of CISA, Defending Digital Campaigns, HubSpot, BVSD, and the candidates who contributed to the investigation. With the upcoming elections in 2024, the need for heightened cybersecurity measures to safeguard candidates and campaigns against cyber threats has never been more critical.

