Rafe is a Sr. Security Researcher working in the SecureWorks Counter Threat Unit™ (CTU), Cyber Intelligence Cell. Rafe performs focused cyber threat intelligence research, delivering technical analysis for both targeted and commodity cyber threats.
The unusual thing about this campaign is the target set, the theme, and the inclusion of a contrived video showing a hack of a voter registration database. The messages were sent using compromised infrastructure belonging to companies linked to Saudi Arabia, Estonia and the United Arab Emirates, a common tactic for threat actors. In some cases, it appears that the threat actors had technical difficulties populating their email templates with target-specific personal information, so that only the variable name appeared in the resulting message. This could indicate that aspects of the operation were rushed or not well planned in advance. While the video shows the use of the sqlmap tool to compromise a voter registration database, some failures in the redaction reveal command lines indicating that the attack was simulated against infrastructure set up by the adversary, not against a real voter registration database.

24 May 2021
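The unrendered template variables mentioned above are a useful triage signal in their own right: a lure that arrives reading "Dear {{first_name}}" tells the analyst both that it was bulk-generated and that the operator's merge step failed. The following script is an added example, not code from SecureWorks CTU or from the campaign; it scans message bodies for the merge-field syntaxes common mail-merge tooling leaves behind. The placeholder patterns are assumptions for this example (the report does not say which syntax the actors' templates used), and the sample messages are constructed, not real campaign samples.

```python
import re
from dataclasses import dataclass, field

# Merge-field syntaxes that appear verbatim when a mail-merge template is
# sent without its per-recipient data. These patterns are assumptions made
# for this example; the original report does not identify the syntax used.
PLACEHOLDER_PATTERNS = [
    re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\}\}"),  # {{ first_name }}
    re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)\}"),          # ${email}
    re.compile(r"%([A-Z][A-Z0-9_]{2,})%"),                   # %STATE%
    # Underscore required so ordinary bracketed words like [URGENT] are not flagged.
    re.compile(r"\[([A-Z][A-Z0-9]*_[A-Z0-9_]+)\]"),          # [FIRST_NAME]
]


@dataclass
class Finding:
    message_id: str
    sender: str
    placeholders: list[str] = field(default_factory=list)


def find_unrendered_placeholders(body: str) -> list[str]:
    """Return the distinct merge-field names left unrendered in a message body,
    ordered by first appearance."""
    hits = []
    for pat in PLACEHOLDER_PATTERNS:
        for m in pat.finditer(body):
            hits.append((m.start(), m.group(1)))
    names: list[str] = []
    for _, name in sorted(hits):
        if name not in names:
            names.append(name)
    return names


def triage(messages) -> list[Finding]:
    """Flag every message whose body still contains template placeholders.
    Each message is a dict with 'id', 'from' and 'body' keys (assumed schema)."""
    findings = []
    for msg in messages:
        names = find_unrendered_placeholders(msg["body"])
        if names:
            findings.append(Finding(msg["id"], msg["from"], names))
    return findings


# Constructed sample messages for this example (not real campaign samples).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alerts@example.invalid",
     "body": "Dear {{ first_name }},\nYour voter registration for {{county}} "
             "needs review. See the attached video."},
    {"id": "m2", "from": "alerts@example.invalid",
     "body": "Dear Alice,\nYour voter registration for Kent County "
             "needs review. See the attached video."},
    {"id": "m3", "from": "news@example.invalid",
     "body": "[URGENT] [FIRST_NAME], confirm your record at %STATE% "
             "- 100% secure, 50% faster."},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f"{f.message_id} from {f.sender}: unrendered fields {f.placeholders}")
```

Running it flags m1 and m3 and leaves the correctly rendered m2 alone; the percent and bracket patterns are deliberately narrow so that "100% secure" and "[URGENT]" do not produce false positives. In practice the sender, template and placeholder names from flagged messages are what you pivot on to cluster a campaign's sending infrastructure.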