How Iran’s Election Interference Efforts Have Evolved

With Election Day just one month away, security officials focused on nation-state threats are paying close attention to Russia. But cybersecurity experts say that other foreign threats, such as groups linked to the Iranian government, have recently boosted their attempts to interfere in the upcoming presidential election using a variety of tactics.

Iranian hackers—who largely remained quiet during the 2016 election, and historically focused their cyberoperations on regional rivals—have targeted the Trump campaign with malicious phishing emails, while disinformation campaigns traced back to Tehran have focused on discrediting the Trump presidency, according to a study released Thursday by Recorded Future. Just this week, Twitter said it had removed about 130 accounts linked to Iran that were attempting to disrupt the conversation around Tuesday's presidential debate.

The accounts, which were flagged to Twitter by the FBI, had low engagement and were removed quickly, the social media firm said.

Unlike Russia, which is generally considered the greatest foreign threat to the election due in part to widely-reported cyberattacks and disinformation campaigns that Moscow used to target the 2016 and 2018 votes, Iran has different motivations in its election interference. In February, intelligence officials warned lawmakers that Russia was attempting to get President Trump reelected. Iran, on the other hand, is pushing for Trump’s defeat.

“Tehran views a second term for Donald Trump as a detriment to Iran and the Iranian economy,” said a Recorded Future analysis involved in the report, who asked not to be named due to the sensitivity of the research. “The Trump Administration has put pressure on Iran through sanctions” and military actions, such as the targeted drone strike against Iranian General Qassim Suleimani in January.

Prior to 2016, Iran’s cyberoperations were primarily focused on the Middle East and its regional rivals, including Saudi Arabia, Israel, and the Islamic State. Tehran’s efforts to interfere in the 2016 election were limited and largely unsuccessful, according to the report. But since President Trump took office, Iranian cyberoperations have focused on targeting a U.S. audience, according to the analyst. Those efforts have increased as the 2020 election draws closer.

For example, Google reported in June that it found evidence that Iranian threat group APT35 was targeting personal accounts belonging to Trump campaign staff. Last month Microsoft reported that the group, which it calls Phosphorus, was continuing to target the Trump campaign. Both companies said the attacks were detected and stopped, and there is no sign of compromise.

Iran has also emphasized covert disinformation operations aimed at influencing the 2020 U.S. election. Those efforts have centered on U.S.-based social media platforms, including Facebook and Reddit, and many of those platforms have deleted accounts and cracked down on the campaign after it was revealed by organizations including FireEye, Clearsky, and Citizen Lab.

References to Iranian disinformation campaigns have steadily increased in recent years, according to data collected by Recorded Future from sources including hacker forums, threat feeds, news reports, and code repositories. There were 56 such references in 2016, compared to 400 references in 2018 and 2,406 references so far in 2020.