The Washington Post

Iran gained access to election results website in 2020, military reveals

Cyber Command cooperation with DHS prevented intruders from muddying results, senior commander tells conference

Contractors hired by the Arizona Senate examine and recount ballots from the 2020 general election at Veterans Memorial Coliseum in Phoenix on May 8, 2021. (Courtney Pedroza for The Washington Post)

SAN FRANCISCO — The U.S. military discovered that an Iranian hacking group had penetrated a local government website that was to report 2020 election results and disrupted the attack before the votes were tallied, officials revealed Monday during a conference of cybersecurity professionals.

Officials said that while neither the votes nor the counting machines would have been affected by the intrusion, the hackers could have taken the public-facing results website offline or posted fake results on it, shaking public confidence in the true count.

“It could make it look like the votes had been tampered with,” said Maj. Gen. William J. Hartman, commander of the Cyber Command’s Cyber National Mission Force.

Hartman did not reveal which website had been penetrated. He said his group of 2,000 cyber experts discovered the penetration during its “hunt forward” efforts overseas, then alerted the Department of Homeland Security, which helped the unnamed local government thwart the intrusion.

Hartman spoke during a rare joint presentation with the head of the DHS agency for domestic cyberdefense at the annual RSA security industry conference in San Francisco. Until his presentation Monday, the Iranian intrusion had been classified.

The talk with Eric Goldstein, CISA’s executive assistant director for cybersecurity, was intended to stress the ongoing and rapid cooperation between the two agencies against spies, ransomware operators and potentially destructive hackers.

Hartman said the Iranian group was known in the industry as Pioneer Kitten, after the private company CrowdStrike’s term for a suspected Iranian government contractor. He said it was a distinct operation from another 2020 Iranian disruption attempt in which faked emails supposedly from the militant far-right Proud Boys threatened voters if they didn’t support Donald Trump.

Another detail declassified for Monday’s presentation concerned the sophisticated and pervasive hacks in 2020 of software from SolarWinds and Microsoft, in which alleged Russian government hackers burrowed deep inside SolarWinds’ build process, the step in which its source code is turned into the finished software shipped to customers. The impact of the SolarWinds hack was particularly widespread because the company’s network-management software was installed at, and pushed updates to, scores of businesses and government agencies, including the Commerce and Treasury departments.

After experts at Mandiant detected the attack on the security firm’s own copy of SolarWinds software, CISA went to that company and made a forensic image of its infected server, Goldstein said. Cyber Command then trained its troops on that image, and the practice helped them hunt the programmers behind it, eventually discovering 18 other malicious programs from the same team, which Hartman said was part of Russia’s SVR foreign intelligence agency.

The breaches reached into nine U.S. government agencies, but Goldstein said all were confident they had fully evicted the intruders.

Hartman said the collaboration between Cyber Command and CISA is more extensive than most people realize and that some senior executives and front-line analysts from each agency are physically located at the other agency.

Speaking to reporters after the session, Hartman said his force has undertaken 47 forward operations in the past three years, with teams ranging in size from 10 members to the 43 currently deployed in Ukraine.

Feeding information that those teams have discovered in the field back to CISA has helped the domestic agency warn 160 targets just this year that they were about to be ransomware victims, Goldstein said.

Hartman also disclosed for the first time that Cyber Command had cut off suspected Chinese hackers from access to hundreds of infected Microsoft Exchange email servers in 2021.

The RSA conference takes its name from the RSA security company that began it. The letters come from the last names of RSA founders Ron Rivest, Adi Shamir and Leonard Adleman, all cryptography experts. Dell, which had acquired the company through its purchase of EMC, sold it in 2020 to a group of investors led by Symphony Technology Group.

Tim Starks contributed to this report.