Google: Iranian hackers targeting affiliates of both US presidential campaigns

Hackers allegedly connected to the government of Iran have ramped up phishing attacks against high-profile individuals in the U.S. and Israel, including several people affiliated with U.S. presidential campaigns.

Over the past six months the group — known as APT42 — has targeted former senior Israeli military officials, diplomats, academics, political entities, and more, according to a new report from Google. 

In the U.S., Google said it detected and disrupted “a small but steady” campaign of APT42 credential phishing activity. In May and June, the group’s targets included the personal email accounts of a dozen individuals affiliated with President Joe Biden and former President Donald Trump as well as current and former U.S. government officials.

The attacks targeting people affiliated with Israel accounted for roughly 60% of APT42’s known geographic targeting, “demonstrating the group’s aggressive, multi-pronged effort to quickly alter its operational focus in support of Iran’s political and military priorities,” the researchers said on Wednesday.

To gain the target's trust, APT42 uses sophisticated social engineering techniques, masquerading as legitimate individuals or organizations like The Brookings Institution or the Institute for the Study of War.

In one instance, the group attempted to target former senior Israeli military officials and an aerospace executive by sending emails masquerading as a journalist requesting comment on recent airstrikes.

The hackers’ initial emails often did not contain malicious content — they were meant to engage the recipients in conversation for further compromise, according to the report.

“APT42’s success in credential phishing is the result of persistence and a heavy reliance on social engineering to appear more credible to their targets,” researchers added.

Earlier this week, Trump blamed Iran for an alleged compromise of his campaign email system. “Iran is no friend of mine; a lot of bad signals get sent,” he added. 

Trump’s campaign has declined to provide concrete evidence proving the compromise was conducted by Iran, and the Washington Post reported that his campaign discovered the attack on its email system earlier this summer but did not report it to law enforcement or publicly disclose it.

In another recent report, Microsoft warned that Iranian hackers have increased their efforts to influence the upcoming U.S. election, attempting to break into the campaign of an unnamed presidential candidate while also creating fake news websites aimed at conservative and liberal voters.

Google said that it continues to observe unsuccessful attempts by APT42 to compromise the personal accounts of individuals affiliated with Vice President Kamala Harris, as well as current and former government officials and individuals associated with both campaigns.

U.S. officials have raised the alarm about Iran’s potential attempts to interfere in U.S. elections through cyberattacks and influence campaigns. Such activity “sends a potent message about their desire to undermine our sovereignty and our democratic process,” Chairman of the House Homeland Security Committee Mark Green said in a statement on Thursday.

“The Committee is closely monitoring these incidents and will work with the appropriate agencies and private-sector partners to understand the extent of the intrusions,” Green said. “In the meantime, this news should put us on high alert and remind us to be as proactive as possible.”

The FBI said this week that it is investigating the alleged attack on Trump’s campaign as well as purported attacks on the Biden-Harris campaign.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.