Iran is once again in the spotlight for cyber espionage activities targeting the U.S. presidential election. Google has issued a warning about Iranian nation-state hackers, specifically APT42, who have been conducting a phishing email campaign aimed at campaign and election officials in the United States.
According to Google, the cyberespionage campaign started in May and June and involved sending phishing emails to individuals affiliated with both the reelection campaign for President Joe Biden and the campaign of Republican nominee Donald Trump. The goal was to gain access to the email accounts of key political figures and gather sensitive information.
The Iranian hackers managed to successfully compromise the personal Gmail account of a high-profile political consultant. Reports indicate that the personal email account of Roger Stone, a longtime Republican and Trump operative, was also compromised. Despite these successful infiltrations, Google confirmed that the hacking attempts have not stopped and continue to target individuals associated with President Biden, Vice President Harris, and former President Trump.
Mandiant, a threat intelligence company owned by Google, revealed that APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization. Microsoft has also been tracking similar hacking activities by a group known as Mint Sandstorm. This group was responsible for hacking the email account of a former senior adviser to a presidential campaign and attempting to send spear-phishing emails to high-ranking officials within the campaign.
The Trump campaign acknowledged that hackers had stolen multiple documents, including a 271-page vetting report on Trump’s vice presidential running mate, JD Vance. Despite these alarming revelations, the Iranian mission to the United Nations denied any involvement in targeting presidential campaigns, stating that the Iranian government has no intention to interfere in the U.S. presidential election.
This recent cyber espionage campaign is part of a broader pattern of foreign election interference efforts aimed at undermining U.S. global standing and influencing U.S. voters. The U.S. Cybersecurity and Infrastructure Security Agency issued a warning earlier this year about the increasing intensity of foreign election interference activities. In 2021, two Iranian nationals were indicted for a cyber-enabled campaign designed to intimidate and influence American voters during the 2020 presidential election.
Iranian hackers have a history of targeting U.S. infrastructure and have been motivated by various factors, including U.S. support for Israel. These cyber attacks have led to significant disruptions, as seen in a recent cyberattack on the Central Bank of Iran, which caused widespread disruptions to the country’s banking system.
Apart from targeting presidential campaigns, APT42 has also intensified its phishing campaigns against Israeli users. The group has been targeting individuals with connections to the military and defense sector, as well as diplomats, academics, and NGOs. By impersonating legitimate organizations and using typosquatted domains, APT42 has been able to trick users into divulging sensitive information.
The hacking group has sophisticated tools at its disposal, including a credential harvesting tool called GCollection, LCollection, or YCollection, which can steal multifactor authentication codes and recovery codes. They also use a browser-in-the-browser phishing kit called DWP to carry out their attacks efficiently.
Overall, the Iranian cyber espionage campaign underscores the ongoing threat posed by nation-state hackers and the importance of cybersecurity measures to protect against such attacks. The FBI is actively investigating these incidents to ensure the security and integrity of the U.S. presidential election process.