Source guide

Publicly Available U.S. Voter Registration Information for Six States Downloaded by a PRC CNE Actor

A substantially redacted government cyber report states that a PRC cyber network exploitation actor downloaded publicly available voter-registration data for six states from commercial websites in January 2022.

Open full source PDF ↗ 6 pages Image source text
01

Revision and scope

The document identifies itself as a revised copy that adds Oklahoma and clarifies that the voter-registration records were hosted on commercial websites; it instructs recipients to remove the original report.

“This is a revised copy. The State of Oklahoma has been added. In addition, the websites hosting the voter registration records are commercial websites, and that fact has been clarified in the report.”
Revision notice
Source: page 1 ↗
02

Reported downloads and attempted Ohio download

The report says a PRC CNE actor downloaded historical registration information for Colorado, Connecticut, Florida, Michigan, Oklahoma, and Rhode Island on 14 January 2022. It separately says an Ohio voter-registration application was of interest to the actor but failed to download.

“historical U.S. voter registration information from 2013 to 2021 was downloaded by a PRC CNE actor on 14 January 2022 from U.S. commercial websites”
Cyber reporting
Source: page 2 ↗
“an Ohio voter registration application was also of interest to the PRC CNE actor, but failed to download from the U.S. State Government's website.”
Cyber reporting
Source: page 2 ↗
03

Possible uses remain an analytic hypothesis

The report says the exposed personally identifiable information included names, party affiliations, email and physical addresses, and phone numbers, and assesses that it could theoretically support later cyber or election-influence activity. It explicitly states that the actor's actual motivation was unknown.

“could, in theory, be leveraged to carry out anything from future CNE operations to election influence operations”
Analytic assessment
Source: page 2 ↗
“although the actual motivations for collecting this information is unknown.”
Analytic caveat
Source: page 2 ↗
04

Monitoring gap

The report warns election-security organizations that voter data may sit on nongovernment websites and therefore be harvested outside their monitoring.

“APT actors may harvest voter registration information outside the monitoring of election security organizations.”
Defensive warning
Source: page 3 ↗