Arizona election officials say a hack targeting a statewide online portal for political candidates resulted in the defacement and replacement of multiple candidate photos with the late Iranian Ayatollah Ruhollah Khomeini.
While officials say the threat is contained and the vulnerability has been fixed, they also blasted the lack of support they’ve received from the federal government, claiming the Cybersecurity and Infrastructure Security Agency is no longer a reliable partner in election security under the Trump administration.
Michael Moore, the chief information security officer for Arizona’s Secretary of State, told CyberScoop that his office first became aware that something odd was happening on June 23, while many officials were at a conference. One user managing the candidate portal noticed that one of the candidate images uploaded to the site didn’t “make sense” because it appeared to be a picture of Khomeini. The next day they were notified that candidate profiles going back years had also been defaced with the same picture.
“My first call was to Arizona’s [Department of] Homeland Security,” Moore said. “We started troubleshooting, locked down that portion of the site, and started doing preventative measures to reduce our attack surface.”
Moore said other important systems, such as the statewide voter registration database and its confidentiality system for domestic abuse survivors, are hosted on servers that are segmented from other parts of the network. He said there is no evidence that the attackers “even attempted” to access state voter rolls.
Incident responders determined that the attacker was using the candidate portal to upload an image file containing a Base 64-encoded PowerShell script that attempted to take over the server.
Moore described the affected candidate portal as an older, legacy system that wasn’t designed for security. Unlike many other statewide systems, the candidate portal was explicitly created to accept uploads from the public.
Moore likened the situation to “a village that’s surrounded by a castle; we’ve got a moat, we’ve got a drawbridge, we’ve got a portcullis and guards on the walls.”
“But when our village needs to do business,” he said, “we have doors and windows that are open and an adversary can just walk through … masquerading as a legitimate business.”
The substance and timing of the hack point to someone with pro-Iranian interests. The incident took place the day after the U.S. bombed Iranian nuclear sites, and a Telegram message linked in the defacement promised revenge against Americans for President Donald Trump’s actions.
Moore said they do not have definitive attribution for the attack at this time.
A deteriorating partnership
For years, CISA has coordinated election security between states and the federal government, sharing intelligence on vulnerabilities or hacking campaigns, deploying cybersecurity experts, and assisting with active incidents.
Arizona, through its state DHS, contacted multiple federal agencies about the hack, including the FBI. But CISA was not part of that outreach.
In a scathing statement, Secretary of State Adrian Fontes, a Democrat who has long focused on election security, said that this once-fruitful partnership between CISA and states had been damaged as the agency has been “weakened and politicized” under the Trump administration.
“Up until 2024, CISA was a strong and reliable partner in our shared mission of securing American digital infrastructure, but since then the agency has been politicized and weakened by the current administration,” Fontes said.
Fontes said he personally reached out in a letter to Homeland Security Secretary Kristi Noem months ago in an effort to establish a relationship but was “dismissed outright.”
“Given their recent conduct, and broader trends at the federal level, we’ve lost confidence in [CISA’s] capacity to collaborate in good faith or to prioritize national security over political theater,” he continued. “This is exactly the kind of division that foreign adversaries of Russia, China and Iran seek to exploit. Cybersecurity should never be a partisan issue. When trust breaks down between levels of government, we put our democratic system at risk.”
Since being sworn into power, President Donald Trump and his administration have taken an axe to CISA’s budget and workforce, eliminated regional offices, fired disinformation experts, and drastically reduced the agency’s once-robust support for securing state elections.
Moore doubled down on Fontes’ sentiments, telling CyberScoop “it was easy and natural to work with CISA until 2024.” Under previous administrations he had a litany of CISA employees on speed dial, but “right now, in 2025, we have no [federal] cybersecurity advisors.”
“We will occasionally communicate with CISA at a regional level, but we don’t have that direct level of support” we used to, he said.
Outside of elections, he referenced the massive SharePoint vulnerability disclosed by Microsoft over the weekend as a prime example of CISA’s diminished capacity and willingness to coordinate national responses to major cyber threats.
“We’re effectively trying to recreate the federal government,” Moore said. “In the past, CISA would have led the charge [to coordinate around the SharePoint flaw]. I didn’t get an email from CISA until [Monday] morning warning about the event, and that’s too late. This started on Friday morning and the damage was done by Monday morning.”
CISA did not respond to CyberScoop’s inquiries about the incident in Arizona.
A former senior DHS official told CyberScoop that “there does seem to be a loss of confidence among both private sector and state and local governments with regard to CISA” under the Trump administration.
In particular, the administration change has led to a “deemphasis of CISA in terms of being the primary federal civilian cyber response agency,” the former official continued. Additionally, the agency does not yet have a Senate-confirmed leader and “they’ve lost a lot of talent, mostly on the technical side, like engineering and the technical services division that’s hard to replace,” they added.
The official requested anonymity to speak candidly with CyberScoop about their interactions with DHS.
Further, the lack of action from the federal government on other critical matters related to the agency, like reauthorization of the expiring Cybersecurity Information Sharing Act, have “led stakeholders of CISA to question whether or not it is the same agency they could count on six or seven months ago.”
The official said they believe the administration is looking to change perceptions and expectations around CISA’s mission, as Trump, Noem and others have sharply criticized the agency for its election security work.
“My sense is this is exactly what they wanted, which was a reset of the relationship with CISA and the department, but also how it is perceived and acts in the interagency and beyond,” the official said.“When they say focus the core mission on cyber, to me that says programs of record like EINSTEIN and a lot of emphasis on things like [the Continuous Diagnostics and Mitigation program], resetting the relationship on infrastructure protection and providing more targeted resources for assessments, or cyber hygiene related initiatives,” they continued. “That has yet to make its way through the pipeline, though, and what you have now is kind of a half thought out plan.”
The post After website hack, Arizona election officials unload on Trump’s CISA appeared first on CyberScoop.