
APT42 targeted the Biden and Trump presidential campaigns from May to June, Google researchers found.

The Iranian national flag is seen outside the International Atomic Energy Agency (IAEA) headquarters during the agency’s Board of Governors meeting in Vienna on March 1, 2021. (Photo by JOE KLAMAR/AFP via Getty Images)

Hackers linked to Iran’s Islamic Revolutionary Guard Corps targeted the Trump and Biden presidential campaigns amid increased phishing attacks against U.S. and Israeli officials and institutions, according to a new report from Google’s Threat Analysis Group.

Google TAG researchers saw “small but steady” attempts by the IRGC this election cycle to steal credentials from people associated with President Joe Biden and former President Donald Trump. The report also noted an increase in phishing attacks against Israeli military, defense, academic institutions and civil society organizations starting in April.

“This spring and summer, they have shown the ability to run numerous simultaneous phishing campaigns, particularly focused on Israel and the U.S. As hostilities between Iran and Israel intensify, we can expect to see increased campaigns there from APT42,” Google’s report noted, using Mandiant’s threat actor naming convention.

Last week, the Trump campaign alleged that Iran was behind an attempted hack-and-leak operation in which a persona dubbed “Robert” claimed to multiple media outlets to have inside access to Trump campaign materials.


Former National Security Agency cybersecurity head Rob Joyce said Sunday at the DEF CON conference in Las Vegas that hack-and-leak operations of that kind — which harken back to the 2016 presidential election and efforts by Russia to sway the election using stolen emails — will likely ramp up as election day draws closer.

From May to June, researchers saw the IRGC attempt to steal logins of “roughly a dozen” former and current U.S. government officials, as well as individuals connected to the presidential campaigns of both Trump and Biden, months before Biden dropped out and was replaced at the top of the Democratic ticket by Vice President Kamala Harris.

Google also confirmed Microsoft’s report last week that the IRGC successfully infiltrated the email of a “high-profile political consultant.”

Iran has been described as a “chaos agent” by intelligence officials, and Google’s report noted that the U.S. and Israel combined made up more than half of the IRGC’s geographic targeting.

The IRGC has been steadily targeting high-profile individuals with connections to Israeli defense, diplomatic and civil society organizations. Hackers used a combination of social engineering and fake Google services masquerading as Gmail, Google Sites or Drive, or other fake sites impersonating Dropbox and OneDrive, the report noted.


In one case, the IRGC attempted to social engineer former senior Israeli military and aerospace officials by posing as a journalist seeking comment on air strikes. The initial emails carried no malicious links or malware attachments; instead, the hackers used the engagement to later steer the target to a fake landing page that prompted them to enter their credentials.

The state-backed hackers also imitated organizations like the Institute for the Study of War and the Brookings Institution using similar website or email domains, the report found.
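The lookalike-domain tactic the report describes (fake Google, Dropbox and OneDrive pages, and email or web domains resembling those of the Institute for the Study of War and Brookings) is something a mail gateway or SOC can screen for. The following is an added example written for this article, not code from Google TAG or CyberScoop: it triages sender domains against an allowlist of legitimate domains and flags homoglyph substitutions, typo-distance lookalikes and brand names embedded in unrelated domains. The allowlist, the confusable-character table and the sample inputs are constructed for illustration, and the "registrable domain" logic is deliberately simplified (a production version would use the Public Suffix List and the full Unicode confusables data).

```python
"""Triage inbound sender domains against an allowlist of legitimate domains.

Added example (not from the article or from Google TAG). Flags the kinds of
lookalike and brand-embedding domains the report describes.
"""
import unicodedata

# Assumed allowlist for the brands named in the article. In production this
# comes from your own vetted inventory of vendor, partner and peer domains.
LEGITIMATE_DOMAINS = {
    "google.com", "gmail.com", "dropbox.com", "microsoft.com", "live.com",
    "brookings.edu", "understandingwar.org",
}

# Small hand-built table of visually confusable characters (constructed for
# this example; a real deployment would load the Unicode confusables data).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))  # digraphs that read as one letter


def decode_host(host: str) -> str:
    """Lowercase, drop a trailing dot and decode punycode (xn--) labels."""
    host = host.strip().rstrip(".").lower()
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the raw form for comparison
    return host


def fold_confusables(host: str) -> str:
    """Map look-alike characters and digraphs onto their ASCII targets."""
    folded = unicodedata.normalize("NFKC", host).translate(CONFUSABLES)
    for digraph, target in MULTI_CONFUSABLES:
        folded = folded.replace(digraph, target)
    return folded


def registrable(host: str) -> str:
    """Last two labels. Simplification: a real check uses the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic O(len(a)*len(b)) dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, legit=LEGITIMATE_DOMAINS) -> dict:
    """Return a verdict dict: legitimate, lookalike, brand-embedded or unrelated."""
    raw = decode_host(sender_domain)
    if registrable(raw) in legit:
        return {"domain": raw, "verdict": "legitimate", "matches": registrable(raw)}

    folded = fold_confusables(raw)
    if registrable(folded) in legit:  # only matched after folding: homoglyph abuse
        return {"domain": raw, "verdict": "lookalike", "reason": "homoglyph",
                "matches": registrable(folded)}

    # Brand name used as a label or inside a label of some other domain,
    # e.g. "gmail.com.drive-share-docs.net". Short brands require an exact label.
    labels = folded.split(".")
    for legit_domain in sorted(legit):
        brand = legit_domain.split(".")[0]
        if any(label == brand or (len(brand) >= 5 and brand in label) for label in labels):
            return {"domain": raw, "verdict": "brand-embedded", "matches": legit_domain}

    # Typo-distance lookalike on the registrable part, threshold scaled by length.
    target = registrable(folded)
    for legit_domain in sorted(legit):
        limit = 2 if len(legit_domain) >= 10 else 1
        if edit_distance(target, legit_domain) <= limit:
            return {"domain": raw, "verdict": "lookalike", "reason": "typo",
                    "matches": legit_domain}

    return {"domain": raw, "verdict": "unrelated"}


def triage(domains) -> list:
    """Classify a batch of sender domains (e.g. pulled from mail gateway logs)."""
    return [classify(d) for d in domains]


if __name__ == "__main__":
    # Constructed sample sender domains, not indicators from the report.
    samples = ["mail.google.com", "gmail.com.drive-share-docs.net", "brookngs.edu",
               "dr0pbox.com", "g\u043e\u043egle.com", "brookings-institution.org",
               "example.org"]
    for result in triage(samples):
        print(result)
```

The two-stage match (raw domain first, then the confusable-folded form) is what distinguishes a legitimate domain from a homoglyph clone; folding before the first check would wave through "dr0pbox.com". Verdicts other than "legitimate" are meant to feed a review queue or a mail-flow rule rather than to block outright, since short brands and edit-distance thresholds will produce some false positives.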


Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com
