Votebeat is a nonprofit news organization reporting on voting access and election administration across the U.S. Sign up for Votebeat Arizona’s free newsletter here.
Arizona officials say they have “moderate confidence” that the Iranian government or its affiliates are responsible for a cyberattack that breached the state’s candidate web portal last month, and say the same actors attempted to breach servers for other agencies in Arizona and elsewhere.
The hacker gained access to a server at the Arizona Secretary of State’s Office on June 23 and began changing candidate profile photos that appear on the state’s election results website, according to office officials.
The hacker changed all of the photos to the same image — a red and black image of Ayatollah Ruhollah Khomeini, leader of the 1979 revolution that established Iran as an Islamic republic.
State cybersecurity officials cannot say for certain who is responsible, said Ryan Murray, the top cybersecurity official with the Arizona Department of Homeland Security, which is assisting the Secretary of State’s Office with its investigation. But Murray said they believe it’s likely Iran, because of the image the hacker uploaded, the sophistication and persistence of the attacks, and the timing — two days after the June 21 U.S. bombing of Iran.
The day after the bombing, the U.S. Department of Homeland Security issued a warning that cyberattacks by “pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against U.S. networks.”
Hackers with the same IP addresses attempted attacks on other Arizona agencies, and in other states, according to state cybersecurity officials. They declined to share which agencies or states were targeted, but said that they learned of those attempts by talking to election cybersecurity staff in other states through the National Association of Secretaries of State.
Murray confirmed that Arizona’s Homeland Security Department saw other activity from the same IP addresses on other state and local government servers. The department is making sure state agencies and local governments “can better protect themselves,” he said.
Attempted attacks persisted during shutdown
The Secretary of State’s Office shut down the web portal almost immediately after the attack began, it said, and blocked the hacker. But the hacker was “sophisticated,” Murray said, and continued to attempt to breach the server in other ways throughout the week the portal was shut down. Murray said he believes the attempts have now stopped.
The candidate portal is separate from the systems the state uses for voter registration, reporting election results, and campaign petitions. The site includes election results, but they feed from a different server and weren’t on the one that was attacked. No voter data was accessed, officials said.
The candidate portal hosts mainly public information, but officials are still investigating whether any private, personally identifying information was improperly accessed, office spokesperson Aaron Thacker said. The server that was breached also hosts the website where people submit applications to become a notary public, and Thacker said the investigation is examining whether the hacker accessed that system at all.
The office is now requesting $10 million in immediate funding from the governor and lawmakers to modernize its systems in hopes of preventing future attacks, Thacker said.
Fontes decides not to alert federal cybersecurity agency
Upon noticing the breach, the Secretary of State’s Office began working with the Arizona Department of Homeland Security to investigate, and also notified the National Guard’s cybersecurity team and a third-party cybersecurity vendor that was already working with the office, Thacker said.
But Secretary of State Adrian Fontes, a Democrat, said he decided not to immediately report the incident to the U.S. Cybersecurity and Infrastructure Security Agency, a federal agency that has long partnered with election officials around the country. Some Republicans faulted Fontes for that decision.
While the agency was a reliable partner until this year, Fontes said in a statement, the Trump administration has “politicized and weakened” CISA. His comments come after the administration paused CISA’s election security activities earlier this year, saying many did not fit with their priorities, and then slashed the agency’s election security funding.
Fontes said that his office has “lost confidence in their capacity to collaborate in good faith.”
The state’s Homeland Security Department, though, has given information about the attack to the FBI’s Phoenix field office, as well as CISA. Murray said his department shared some information about the attack, such as the IP address, without mentioning which government office it affected, to see whether CISA had any relevant information.
On Friday, Fontes met in Washington with federal cybersecurity officials, according to Thacker. Thacker declined to disclose which agency Fontes met with, or whether the breach was the subject of the meeting.
Fontes’ office also briefed the governor and a bipartisan group of state lawmakers last week.
How the hacker breached the server
On June 23, cybersecurity tools meant to warn officials of suspicious activity sent an alert about the server that hosts the candidate portal.
The hacker created a profile using the Secretary of State’s Office candidate web portal, which allows any member of the public to create a profile where they can upload personal information about their candidacy, their photo, and candidate filings.
The hacker used the photo upload option to instead upload code that compromised the server, according to office officials. The officials noticed this activity quickly, but didn’t notice the candidate profiles changing on the results pages until the next day, when a member of the public alerted a staff member.
The office saw that the hacker was changing the photos, one by one, on pages for election results from 2016 to 2024. The special primary election for the 7th Congressional District was on July 15, but that results page was not yet live on the website, and those candidate profiles were not changed, office officials said.
The office’s cybersecurity officials were able to block the hacker, but the hacker regained entry using other IP addresses. Thacker said that the old portal, which lacks modern security features, is partly to blame.
Since taking office in 2023, Fontes has asked for millions of dollars in state funding to create new, more secure electronic systems. “That funding has not materialized,” Thacker said.
The office is now working with the state’s legislative budget committee to try to find $10 million in the recently approved state budget, along with $3.5 million in additional ongoing funding.
Fontes’ office isn’t the only government agency in Arizona with antiquated systems, Murray said.
“Legacy technology and technological debt exists everywhere,” he said. “It’s something we have done our best to put controls around.”
Jen Fifield is a reporter for Votebeat based in Arizona. Contact Jen at jfifield@votebeat.org.
