WASHINGTON - The FBI has concluded that Iran was behind online efforts earlier this month to incite lethal violence against the bureau's director, a former top U.S. cyber expert and multiple state elections officials who've refuted claims of widespread voter fraud promoted by President Donald Trump and his allies, federal and state officials said Tuesday.
FBI Director Christopher Wray and ousted Homeland Security Department official Christopher Krebs were among more than a dozen people whose images, home addresses and other personal information were posted on a website titled "Enemies of the People." Crosshairs were superimposed over the photos.
Many of these officials in one way or another have attested to the security of November's election, saying they had not seen evidence of widespread fraud - a conclusion at odds with President Trump's baseless claims that the election was rigged.
"The following individuals have aided and abetted the fraudulent election against Trump," the website falsely claimed.
Iran was active in seeking to interfere in the U.S. election, targeting Democratic voters in October with fake but menacing emails that purported to be from a far-right group threatening recipients to vote for Trump "or we will come after you."
Iran condemned the revelations, made by the top U.S. intelligence official, Director of National Intelligence John Ratcliffe, as "baseless" and "absurd."
In August, intelligence officials said that Iran was seeking to undermine U.S. democratic institutions and divide the country in advance of the election. They predicted that Iran's efforts would focus on online influence, such as spreading disinformation on social media. The motivation, they said, was driven in part by a perception that Trump's reelection would result in a continuation of U.S. pressure on Iran in an effort to foment regime change.
The "Enemies" hit list falsely accused swing-state governors, voting systems executives, Krebs and Wray of being responsible for "changing votes and working against the President" in a treasonous attempt to "overthrow our democracy." It was shared on social media using the hashtags #remembertheirfaces and #NoQuarterForTraitors.
Krebs, who had been vocal about tamping down unfounded claims of ballot fraud, was fired by Trump last month. As head of the Cybersecurity and Infrastructure Security Agency within DHS, he led successful efforts to help state and local election offices protect their systems and rebut misinformation.
One state official, who like others spoke on the condition of anonymity to speak candidly, said the FBI has been placing calls to those targeted on the web page to inform them that Iran was behind the effort. The agency is expected to make an announcement Wednesday.
Several of those targeted received the following statement from the bureau: "The FBI is in possession of highly credible information indicating Iranian advanced persistent threat actors were almost certainly responsible for the creation of a website, called 'Enemies of the People' containing death threats aimed at U.S. election officials in mid-December 2020."
The FBI did not immediately respond to a request for comment.
Voting machine companies were also targeted by the campaign. Dominion Voting Systems, for instance, is the subject of a fantastical conspiracy theory that it is controlled by Venezuelan communists who programmed their voting machines to flip votes from Trump to Biden. Hand recounts in Michigan and Georgia disproved the accusation by coming up with virtually identical results as the machines.
In one instance, a 20-year-old Dominion technician in Georgia was targeted by far-right social media users who falsely claimed they'd caught him on camera manipulating election data. Some people called for the worker's imprisonment, torture or execution. One tweet accused him of treason and included an animated image of a hanging noose.
The threats created a climate of fear for some families. On a recent Saturday night, for instance, armed protesters gathered at the Detroit home of Michigan Secretary of State Jocelyn Benson, a Democrat, one of those targeted on the hit list, as she finished stringing holiday lights and prepared to watch "How the Grinch Stole Christmas" with her 4-year-old son. Echoing Trump's unfounded claims, protesters said she was ignoring widespread voter fraud and chanted "Stop the steal!" Neighbors urged the protesters to leave because they were scaring some of the neighborhood children, but they refused.
Georgia's Republican Secretary of State Brad Raffensperger and his voting systems manager, Gabriel Sterling, have received death threats for weeks, as has Raffensperger's wife. Both have received additional law enforcement protection.
"We have known since day one that foreign actors seek to undermine trust in the United States' elections process," said one of the officials who confirmed that the FBI had concluded that Iran was behind the operation. "President Trump has perpetuated a false narrative that has allowed this type of foreign attack to penetrate the minds of American citizens."
At least one cybersecurity expert noticed the website's formation in early December before it contained any information, but the target list broke into public view Dec. 9, when an attorney for Krebs issued a public statement warning that a site "called 'enemies of the people' [is] proposing the assassination of various Republican and Democratic leaders who they falsely claim are complicit in manipulating the 2020 presidential campaign."
Krebs and his attorney, Jim Walden, a former Justice Department attorney, declined to comment further.
In the ensuing days, the site and copies of it disappeared and reappeared in multiple places. The Washington Post identified at least three websites and 10 social media accounts that published it. The target list sometimes expanded, at one point including 21 people, including the governors of Georgia, Pennsylvania, Wisconsin, Nevada and Michigan - all battleground states that Trump lost - as well as Dominion employees.
Joe Slowik, a senior security researcher at DomainTools, noted earlier this month that the use of multiple domains and servers put the perpetrator in a more sophisticated class than other disinformation similar campaigns that have abounded since the election.
Slowik said another unique aspect to the "kill list" was that its creators did not use anonymized web registry services. Instead, they listed names, email addresses and a physical address - almost all in Russia or Eastern Europe.
Yet there were other traces that suggested the content had been generated in the United States. The creators used an English version of a Russian search engine, and at one point listed an address outside Macon, Ga., that is associated with a local tax preparer's office. A call to the tax office was not returned.
In an interview last week, Slowik said it was clear the site's creators had gone to great lengths to mask their identity.
Most of the pages have been pulled down. However, copies of the list remain on the Internet Archive, a site that catalogues large portions of the Internet. As of Tuesday, it was still accessible on Parler, a social media platform favored by conservatives, and on the Russian site V-Kontakte.
The Iranians appeared to have borrowed a tactic from groups like the Islamic State, which took advantage of the Internet Archive to spread disinformation across multiple platforms in an effort to slow the pace of takedowns, said John Scott-Railton, senior researcher at Citizen Lab at the University of Toronto's Munk School of Global Affairs and Public Policy.
"It's as if they're anticipating a skirmish," he said. "It really highlights the extent to which they were thinking about the challenges of takedowns."
- - -
The Washington Post's Dalton Bennett contributed to this report.