US gov’t stopped Iranian hackers who ‘gained access’ to 2020 election infrastructure
SAN FRANCISCO — Two U.S. cybersecurity agencies took actions to protect the 2020 presidential election from Iranian hackers, and thwarted digital criminals who targeted a trio of federal agencies, senior officials revealed on Monday.
The two previously undisclosed incidents were shared by Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) and Army Maj. Gen. William Hartman, the chief of the Cyber National Mission Force (CNMF), at the RSA conference here.
In 2020, the CNMF, Cyber Command’s elite digital corps, was conducting a reconnaissance mission in foreign cyberspace when it detected that Pioneer Kitten, an Iran-linked hacking group, had “gained access to a city's local infrastructure that would be used to record the results of voting for the 2020 elections.”
“To be clear, this isn't infrastructure involved in casting a vote. It isn't infrastructure involved in counting votes,” Hartman said. “But our concern is always that some type of website defacement, some type of DDoS attack, something that took the website down or defaced the website, say on the night of the election, could make it look like the vote had been tampered with, when that's absolutely not true.”
CISA contacted the impacted jurisdiction and worked through incident response, while CNMF “executed cyber operations to ensure the malicious cyber actor no longer had access to the network” and could not return to the system, Hartman said.
The two-star general later said the operation was separate from a previously reported case in which two Iranian nationals were eventually charged by the Justice Department with attempting to influence the election.
“All I'm gonna tell you is that we were able to go out and remediate the access that they had in these networks,” Hartman told reporters after the event.
During the event, he said the CNMF had also teamed up with CISA to stop the Hafnium campaign by Chinese state actors, where teams evaluated “what could be done in order to disrupt an ongoing operation” and prevent future access being used against the U.S.
The CNMF obtained the malware, remediated servers, and shared the techniques with federal partners, he said.
Goldstein later disclosed that CISA, through its sensor grid, had “recently” detected three civilian federal agencies “facing an intrusion campaign from foreign-based cybercriminals.”
He did not say when the campaign took place or whether it was in any way connected to a state actor, but said that the group attempted to harvest credentials.
The Homeland Security Department’s cyber wing contacted the agencies and shared the information with Hartman’s digital warriors. Neither he nor Goldstein described what steps were taken to blunt the unnamed actor’s activities against the federal agencies.
“This is a model that we are working rapidly to scale,” said Goldstein, noting CISA and the CNMF have also shared information derived from the targeting of schools and other educational institutions.
Speaking to reporters, he said the two entities chose to share the examples now because “we've really made a lot of progress even over the last year.”
“A lot of this work is fairly new, fairly novel, and it's really been mature,” Goldstein told reporters. “We're really excited with the form of RSA to talk about in this capacity and really reflect both the good work by our teams actively reducing risks, both here and abroad, but also the need for collaboration with partners.”
Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.