The Summary starts off with the warning, “The FBI is warning US election and other state and local government officials about invoice-themed phishing emails that could be used to harvest officials’ login credentials. If successful, this activity may provide cyber actors with sustained, undetected access to a victim’s systems.” Invoice-themed phishing covers a whole lot of campaigns and does not by itself mean that any one group is being singled out. Trickbot often used a lure that appeared to be an invoice, as have many, many other campaigns.
Beyond the general “themed” statement, the FBI also points to the use of compromised accounts or spoofed accounts. Again, nothing out of the ordinary here, as this is pretty much the definition of a phishing campaign: you want the email to look like it comes from a legitimate sender, ideally one inside the industry you are targeting in the current push. Just look at how many fake donation emails are flying around about the Russian invasion of Ukraine, or any time there is a disaster. Just because a group of government officials receives spoofed emails, or emails from compromised accounts, does not mean it is a targeted effort.
The FBI did include some timelines for the activity that lead it to believe “cyber actors will likely continue or increase their targeting of US election officials with phishing campaigns in the lead-up to the 2022 US midterm elections.” The information is all from October 2021 and spans three campaigns in which election officials received emails with malicious attachments whose filenames contained the word “invoice.” In each case the attachment redirected the user to a site intended to collect credentials, just like many other phishing campaigns.
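The three traits the notification describes (an invoice lure, a spoofed or external sender, and an attachment or link that sends the user off to a credential-collection site) are exactly the kind of thing a mail gateway or SIEM rule can score. The following is an added example, not code from the original post or from the FBI notification, and the email records, domains, header results and score weights in it are all constructed for illustration:

```python
"""Toy triage of invoice-themed phishing emails.

Added example, not from the original post or the FBI notification. It
scores constructed email metadata records on three traits: an "invoice"
lure in the subject or an attachment filename, a sender whose display
name claims one domain while the actual address is in another (or an
external sender with no SPF/DKIM pass), and links that send the user to
a host outside the recipient's organization. All domains, header
results, sample records and score weights are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

INVOICE_RE = re.compile(r"\binvoice\b", re.IGNORECASE)


@dataclass
class Email:
    sender_display: str        # e.g. 'County Clerk <clerk@county-example.gov>'
    sender_addr: str           # actual From / envelope address
    recipient_domain: str      # the receiving organization's domain
    subject: str
    attachments: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)   # links in body or attachment
    spf: str = "none"          # assumed authentication-results values: pass/fail/none
    dkim: str = "none"


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def display_name_domain(display: str) -> Optional[str]:
    """Domain the display name claims, if it embeds an address."""
    m = re.search(r"@([\w.-]+)", display)
    return m.group(1).lower() if m else None


def is_internal_host(host: str, org_domain: str) -> bool:
    # Exact match or a real subdomain; 'evilcounty-example.gov' must not count.
    return host == org_domain or host.endswith("." + org_domain)


def score_email(msg: Email) -> Tuple[int, List[str]]:
    """Return (score, reasons). Weights are arbitrary assumptions."""
    score, reasons = 0, []
    sender_dom = domain_of(msg.sender_addr)

    if INVOICE_RE.search(msg.subject) or any(INVOICE_RE.search(a) for a in msg.attachments):
        score += 2
        reasons.append("invoice lure in subject or attachment name")

    claimed = display_name_domain(msg.sender_display)
    if claimed and claimed != sender_dom:
        score += 3
        reasons.append(f"display name claims {claimed} but sent from {sender_dom}")

    if sender_dom != msg.recipient_domain and msg.spf != "pass" and msg.dkim != "pass":
        score += 2
        reasons.append("external sender without SPF or DKIM pass")

    hosts = {urlparse(u).hostname for u in msg.urls} - {None}
    external = sorted(h for h in hosts if not is_internal_host(h, msg.recipient_domain))
    if external:
        score += 2
        reasons.append("links to external host(s): " + ", ".join(external))

    return score, reasons


def flagged(msgs: List[Email], threshold: int = 5) -> List[str]:
    """Subjects of messages at or above the threshold (threshold is an assumption)."""
    return [m.subject for m in msgs if score_email(m)[0] >= threshold]


# Constructed sample records: one lure, one internal notice, one genuine vendor invoice.
SAMPLES = [
    Email("County Clerk Accounting <clerk@county-example.gov>", "invoices@mail-example.net",
          "county-example.gov", "Invoice 4471 overdue", ["invoice_4471.html"],
          ["https://login-example.net/office365"], spf="fail"),
    Email("IT Helpdesk <it@county-example.gov>", "it@county-example.gov",
          "county-example.gov", "Scheduled maintenance", [],
          ["https://intranet.county-example.gov/notice"], spf="pass", dkim="pass"),
    Email("Acme Billing <billing@acme-example.com>", "billing@acme-example.com",
          "county-example.gov", "Invoice 1009", ["invoice_1009.pdf"],
          ["https://portal.acme-example.com/pay"], spf="pass", dkim="pass"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        s, why = score_email(m)
        print(f"{s:2d}  {m.subject!r}: {'; '.join(why) or 'clean'}")
    print("flagged:", flagged(SAMPLES))
```

The third record matters: a genuine vendor invoice with a payment link also trips the "invoice" and "external link" checks, so the word alone is noise, and only the combination with a spoofed or unauthenticated sender pushes the first record over the threshold. That is the same point the post makes about the notification: an invoice theme is not evidence of targeting on its own.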
Overall, the report reads like a way to inject concern where it is not warranted. This does not mean that US officials, at all levels of government, should not take phishing emails seriously. It just means that this is likely not a targeted attempt to compromise an election. It is much more likely to be a general campaign aimed at government officials, some of whom happen to be responsible for elections. The timing of the attacks and of the notification is suspicious just on the surface of it. Why wait until the end of March, almost six months later, to make the announcement? If this were a significant threat and not just noise, it would have been pushed out sooner and with more IoCs so organizations could check whether they were hit. That is how these notifications are pushed out to other parts of private industry, so why not for this one?
The US election system, as well as most of the US government’s IT infrastructure, needs a complete overhaul in terms of security. Phishing attempts should not be compromising any level of government, considering the tools that exist and the training that is available to prevent this type of attack. The fact that there is a concern, to me, is just sad. The FBI should also be a bit ashamed for releasing this notification; it will do nothing to prevent phishing attempts and is much more likely to cause panic and a lack of trust in the upcoming election. I sincerely hope this was not the intent.