Recently, Donald Trump’s presidential campaign revealed that it had been the target of an Iranian hacking effort. At first this seemed to underline Iran’s focus on Trump, who is known for his hard line against the Iranian regime. It has since emerged that Democratic campaigns were under the same surveillance: Google’s security researchers have now confirmed that a single Iranian hacking group, operating on behalf of the Islamic Revolutionary Guard Corps, targeted both the Republican and the Democratic campaigns.
On Wednesday, Google’s Threat Analysis Group released a report on APT42. The report describes the group’s efforts in May and June to infiltrate not only the American political arena, targeting both the Democratic and Republican presidential campaigns, but also Israeli military and government organizations. APT42, which works on behalf of the Revolutionary Guard Corps, attempted to compromise around a dozen individuals linked to the Trump and Joe Biden campaign teams, along with other former government officials.
According to John Hultquist, head of threat intelligence at Google-owned Mandiant, APT42’s bipartisan targeting is noteworthy but not unexpected: the group went after both campaigns during the 2020 presidential race as well. Hultquist said the targeting transcends partisan lines and is about gaining insight into the prominent figures, Trump and now Vice President Kamala Harris, who will shape U.S. policy in the Middle East.
So far, however, only one incident has come to light in which campaign data was not merely stolen but also leaked, echoing the Russian hack-and-leak operation against Hillary Clinton’s campaign during the 2016 election. Politico, The Washington Post, and The New York Times have each reported being approached by an individual calling himself “Robert” offering documents purportedly taken from the Trump campaign.
Whether those files were stolen by APT42 remains unverified. Microsoft recently noted that the group, which it tracks as Mint Sandstorm, had in June targeted a high-ranking official of a presidential campaign using the compromised email account of a former senior adviser to that campaign. Google’s report likewise states that APT42 successfully compromised the personal Gmail account of a high-profile political consultant.
Neither company has confirmed which individuals were actually compromised by the Iranian group, but Trump adviser Roger Stone has said that he was notified first by Microsoft and then by the FBI that both his Microsoft and Gmail accounts had been breached.
Google says it has blocked numerous attempts to access the accounts of officials from both campaigns, warned the targeted users, and cooperated with law enforcement in the investigation. The FBI opened its investigation into the phishing attempts in June, as reported by the Post.
APT42 has long been a prominent, perhaps the most prominent, Iranian hacking group operating in the Middle East, according to Mandiant’s Hultquist. Although its history is primarily one of espionage, Hultquist notes that the IRGC has previously repurposed such network access for more aggressive operations, from destructive cyberattacks to hack-and-leak influence campaigns, possibly including the one now affecting the Trump campaign. “It’s a reminder that any access gained for espionage can also be deployed for other purposes,” Hultquist adds.
Google’s report details the phishing tactics APT42 employs, from a bogus Google Meet page that harvests users’ credentials to approaching victims over messaging apps such as Telegram, WhatsApp, and Signal. In those conversations APT42 tries to deliver phishing pages built to capture the victim’s login details, including two-factor or recovery codes. Google’s findings also show APT42’s focus on Israeli targets, with phishing sites impersonating prominent Israeli organizations and groups with ties to Israel, including the Washington Institute for Near East Policy, the Brookings Institution, the Jewish Agency, and Project Aladdin.
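The detail that matters in that paragraph is that the phishing pages capture two-factor codes, not just passwords. A time-based or SMS one-time code is a short secret the victim can type anywhere, so a page that relays it to the real service within the validity window logs in as the victim; the same is true of a recovery code, which is simply a longer static string. An origin-bound assertion (WebAuthn / FIDO2) does not have this weakness, because the browser includes the origin it is actually connected to in the signed message and the relying party checks it. The following Python is an added illustration of that contrast and is not code from Google’s report or from APT42’s toolkit. Everything in it is constructed: the origins, the victim’s password, the TOTP seed, and the device key; the “signature” is an HMAC stand-in for the authenticator’s public-key signature so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed values for illustration only (not from the report).
REAL_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://accounts-meet.example"   # lookalike "meeting" login page
VICTIM_PASSWORD = "correct-horse-battery"
TOTP_SECRET = b"constructed-totp-seed"
DEVICE_KEY = b"constructed-device-key"           # stands in for the registered credential key


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the 30-second time counter."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def sign(challenge: str, origin: str) -> str:
    """Authenticator stand-in (HMAC instead of a real signature): the signed message
    covers the origin the browser is on, which is what WebAuthn's clientDataJSON does."""
    return hmac.new(DEVICE_KEY, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()


class RealService:
    """The legitimate login endpoint, supporting a TOTP flow and an origin-bound flow."""

    def __init__(self) -> None:
        self.challenges: set[str] = set()

    def login_totp(self, password: str, code: str, now: int) -> bool:
        # The code is a short secret; nothing ties it to the page that collected it.
        return password == VICTIM_PASSWORD and hmac.compare_digest(code, totp(TOTP_SECRET, now))

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, challenge: str, origin: str, signature: str) -> bool:
        if challenge not in self.challenges:
            return False
        self.challenges.discard(challenge)          # challenges are single use
        if origin != REAL_ORIGIN:                   # relying party checks the reported origin
            return False
        return hmac.compare_digest(signature, sign(challenge, origin))


def victim_submits_totp(now: int) -> tuple[str, str]:
    """The victim types password and current code into whatever page is in front of them."""
    return VICTIM_PASSWORD, totp(TOTP_SECRET, now)


def victim_signs(challenge: str, page_origin: str) -> tuple[str, str]:
    """The victim's browser answers a challenge, binding it to the origin it is really on."""
    return page_origin, sign(challenge, page_origin)


def legit_totp_login(service: RealService, now: int) -> bool:
    password, code = victim_submits_totp(now)
    return service.login_totp(password, code, now)


def relay_totp_phish(service: RealService, now: int) -> bool:
    """Phishing page collects password and code, then forwards them a few seconds later."""
    password, code = victim_submits_totp(now)
    return service.login_totp(password, code, now + 5)   # still inside the same 30 s window


def legit_webauthn_login(service: RealService) -> bool:
    challenge = service.new_challenge()
    origin, signature = victim_signs(challenge, REAL_ORIGIN)
    return service.login_webauthn(challenge, origin, signature)


def relay_webauthn_phish(service: RealService) -> tuple[bool, bool]:
    """Attacker fetches a real challenge, shows it to the victim on the phishing origin,
    then relays the answer: first unchanged, then with the origin field rewritten."""
    challenge = service.new_challenge()
    origin, signature = victim_signs(challenge, PHISH_ORIGIN)
    as_is = service.login_webauthn(challenge, origin, signature)           # origin mismatch
    challenge = service.new_challenge()
    _, signature = victim_signs(challenge, PHISH_ORIGIN)
    rewritten = service.login_webauthn(challenge, REAL_ORIGIN, signature)  # signed over wrong origin
    return as_is, rewritten


if __name__ == "__main__":
    svc = RealService()
    now = 1_700_000_000
    print("legit TOTP login:      ", legit_totp_login(svc, now))        # True
    print("relayed TOTP phish:    ", relay_totp_phish(svc, now))        # True: code is relayable
    print("legit WebAuthn login:  ", legit_webauthn_login(svc))         # True
    print("relayed WebAuthn phish:", relay_webauthn_phish(svc))         # (False, False)
```

The relayed TOTP login succeeds because the service has no way to tell a code typed on the real page from one typed on the lookalike and forwarded five seconds later; a recovery code fails in exactly the same way. The origin-bound flow fails both ways the attacker can try it: forwarded unchanged, the reported origin is the phishing domain and is rejected; with the origin rewritten to the real one, the signature no longer verifies because it was computed over the phishing origin. That is the property that makes hardware-backed or platform passkeys resistant to the kind of real-time credential capture described above, where one-time codes are not.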
APT42’s hacking aimed at U.S. politics has become a significant concern. According to Hultquist, it reflects a widening field of political cyber interference beyond Russia’s notorious 2016 operations, with a growing number of groups now involved. “We’re now facing threats from multiple directions and must remain vigilant towards all potential cyber actors,” Hultquist explained.