Iranian-aligned hackers breached a cloud fax service. Here's what you need to know.

An Iranian-aligned hacker group recently broke into a cloud-based fax service used by a local government office. The incident is directly relevant to election offices: many jurisdictions use similar fax services to receive ballots from military and overseas voters, and those systems carry the same risks. Here is what happened, why it matters, and what to do.

 

Key takeaways

  • The Threat: Iranian-aligned adversaries broke into a third-party cloud fax account used by a local government office and used it to send threatening faxes to thousands of organizations across the country.
  • Fax Risk: Cloud and online fax services are internet-connected systems. They largely transmit data without encryption, which can expose confidential data, and are often poorly maintained. Election offices that have these vulnerabilities and accept faxed UOCAVA ballots risk exposing how a voter voted.
  • Immediate Action: Check your fax setup now. Know whether you are using a standalone phone-line fax or a cloud service. Make sure your fax systems are part of your security plan.
  • Broader Risk: Iranian-aligned actors do not just target high-profile systems. They look for any door that is unlocked. Now is a good time to check the security of every system in your office, including the ones you rarely think about.

What happened

In late March 2026, Handala Hack Team claimed to have broken into an external, cloud-based fax service account used by a local government office. Officials confirmed the breach was limited to that external account and that internal systems were not directly affected. The compromised server was shut down, and federal, state, and local partners were brought in to assist.

 

Initial reporting indicated the local government offices first learned something was wrong when they received unsolicited faxes on March 31. Those faxes had a cover page that read "HANDALA HACK" in the sender line and contained a letter addressed to U.S. and European security officials. The faxes appear to have been sent from a compromised fax machine belonging to a separate out-of-state government entity, which shows that attackers can use one victim's fax infrastructure to target others. The group then claimed to have sent tens of thousands of similar faxes to organizations across the country to publicize the breach.


This follows the pattern described in the Election Security Exchange's March 3, 2026, advisory: Iranian-aligned actors targeting local government systems to project capability and sow distrust. Handala also gained national attention in March 2026 after claiming to have broken into FBI Director Kash Patel's personal email. The group appears to be expanding to smaller, less-protected local government targets. A fax server used by a county office is not a glamorous target. That is exactly the point.

Why this matters

Most faxes today do not travel over a traditional phone line. They go through cloud services, online fax platforms, or multi-function office printers connected to your network. CISA has noted that fax transmissions are unencrypted by design and that cloud fax services should be treated as fully internet-connected systems, not as secure phone-based communications. Many state laws permitting fax ballot return were written when fax meant a dedicated phone line. That assumption no longer holds.

 

Fax is still a permitted method for military and overseas (UOCAVA) voters to return their ballots in roughly 31 states. In some places, it is the only electronic return option available.

 

Election offices should be aware of the specific risks this incident highlights:

  • You do not have to be the direct target. A breach of a shared fax provider, or a compromised fax machine at another local government office, can expose ballot selections or other voter information that passes through the same system. Because UOCAVA voters generally send forms identifying themselves with the ballot, it can also potentially expose how a voter voted.

  • Your fax machine is an inbound attack surface. This incident showed that compromised fax infrastructure can be used to send threatening or manipulative content to other offices. Election staff should know what to do when something unexpected arrives by fax.

  • Cloud fax carries internet-level risk. If your office uses an online or cloud fax service for UOCAVA ballot return, treat it like any other internet-facing system: know who manages it, when it was last updated, and whether it is monitored.

A reminder about the bigger picture: Iranian-aligned actors are not just looking for high-value targets. They look for any system that is internet-connected, outdated, or forgotten. Fax servers. Old networked printers. Unused vendor portals. Systems that have not been updated in months because nothing has gone wrong yet. This is a good moment to walk through the systems your office relies on, including the ones you rarely think about, and ask: Does anyone own the security of this? If the answer is unclear, that is where to start.

What you can do now

These steps are recommended by CISA, the FBI, and the Election Security Exchange to help election offices address fax-related risk and strengthen their overall security posture.

  • Find out exactly what fax setup your office uses. Is it a standalone phone-line machine, a networked multi-function device, or a cloud service? The answer changes your risk profile significantly.
  • If you use a cloud or online fax service for any election purpose, confirm who manages it, when it was last updated, and whether it is included in your incident response plan.
  • If you receive an unsolicited fax claiming to be from a hacker group, or one with threatening or unusual content, do not engage with it. Set it aside, notify your IT contact, and then report it to your local law enforcement and to the FBI's Internet Crime Complaint Center at IC3.gov. If you are a local election official, contact your state election office. If you are a state election official, consider notifying NASS and NASED. If you have an existing relationship with your local FBI field office, contact them directly.
  • Make sure staff who handle faxed ballots or election documents know what a suspicious fax looks like and who to call. Fax should be part of your security training, not just email and network threats.
  • Take a few minutes to think about your less-used systems. Old equipment, infrequently used software, vendor portals, and third-party services can all be entry points. If a system connects to the internet and has not been reviewed recently, add it to your list.


Copyright © 2026 Election Security Exchange. All rights reserved. TLP:CLEAR

 
