This month a team of researchers uncovered the sale of stolen voter data in an apparent cyberattack against Iraq’s Independent High Electoral Commission (IHEC), an incident that fits a pattern of growing malicious activity against elections in the Middle East and beyond.
Resecurity unearthed a 21.58 GB database containing Iraqi voter ID and personally identifiable information, as well as a custom software client designed for IHEC’s “Operations and Data Management Department.”
Election cyber threats – which increased from 10% in 2015 to 26% in 2022 – are jeopardizing the integrity of democratic processes around the world, researchers say. Threats against elections include voter data leaks, incidents that fuel influence campaigns, and attacks that render election systems unavailable.
The Resecurity team said it worked with “sources familiar with these digital record archives” to confirm that the leak occurred around 2019. Resecurity also discovered a similar post on the Dark Web from 2022, though this data was found to be corrupt.
The latest illicit tranche, by contrast, is genuine.
“The data captured is valid and contains valid information that has been validated with our law enforcement partners in Iraq,” says Gene Yoo, CEO of Resecurity.
Translation from Arabic of key fields confirmed that the database contains voting information with details about voters (names, dates of birth), polling stations and registration centers to collect votes, among other information.
“The data leaked from the Independent High Electoral Commission IHEC [of Iraq] includes not only a database but also related software, probably developed by an IT contractor,” explains Yoo.
“Based on the connection settings defined in the software, [the leaked software] package was installed locally on the workstations of the IT administrators managing the databases,” he explains.
Supply chain compromise
Resecurity believes the breach is most likely the result of an IT supply chain compromise involving technology from third-party vendors that the threat actors hacked. Alternatively, the leak could have come from an insider with access to IHEC infrastructure, they say. Election infrastructure systems are generally isolated from the Internet, so a remote attack is less likely.
Iraqis will next go to the polls in parliamentary elections scheduled for October 2025.
Criminals could use leaked voter data to create propaganda and campaigns targeted at specific segments of voters. Unlike compromised payment card data or passwords – both of which can be changed in response to a cyber attack – leaked voter data remains exploitable years after the initial leak.
“Cyberespionage groups, operating at the direction of state actors, are targeting voters’ personal information, plotting to use it as a long-term weapon for election interference,” according to the Resecurity report. “This data reveals crucial demographic information and context of target populations during pre-election and post-election phases.”
Who is behind the theft of voter data?
Potential suspects in the attack include state actors interested in destabilizing Iraq or a domestic actor involved in protest activity. According to Resecurity, Iran and dissident Kurdish nationalists are the two most likely suspects, and some of the evidence implicates the latter.
“Several actors involved in this campaign are believed to be from the Kurdistan Region and speak Sorani, a Kurdish dialect,” Resecurity explained. “Our investigators traced the IP addresses of several threat actors to Kirkuk, a city in northern Iraq.”
Leaked voter information and election interference have occurred in many countries, including the United States, Iraq, Indonesia, Israel, Turkey and African nations, as detailed last week in a Resecurity blog post on its findings.
Cyber threats range from attacks on election infrastructure to influence campaigns aimed at shaping public opinion and politicians’ decisions.
For example, a group known as R00Tk1T CYBER TEAM recently targeted Qatar and Malaysia ahead of the January 2024 release of a JSON dump featuring 90,000 voters from Lebanon’s past parliamentary elections.
“This data has never been published on the Dark Web before and was likely released with the intention of triggering social uncertainty in the upcoming elections scheduled for 2026,” according to Resecurity.
Analysts from Resecurity’s Hunter unit had previously identified a data leak of 6.4 million Israeli voter records on cybercriminal forum Eleaks.
The data leak, first reported around 2021, has been reused multiple times, including at the start of the latest Israel-Gaza conflict, with bad actors weaponizing it to target specific individuals, including the families of Israeli military personnel. Resecurity traced this leak to a breach of Elector, an Israeli software application used to manage political campaigns.
Stay alert
Because threat actors are actively seeking to acquire and exploit voter data, nations must both strengthen their defenses and remain vigilant, Resecurity researchers advise.
“It is critical that organizations and individuals monitor the data footprint of the Dark Web,” they said. “It is also important to protect the elections IT supply chain, including contractors involved in administering the system and their suppliers.”