When Donald Trump’s presidential campaign publicly stated last week that it had been successfully targeted by Iranian hackers, the news may have initially seemed like a sign that the Middle Eastern country was particularly focused on the candidate whom it perceived to take the most hawkish approach to its regime. It’s since become clearer that Iran has had the Democrats in the sights of its cyber operations, too. Now Google’s cybersecurity analysts have confirmed that both campaigns were targeted not simply by Iran but by the same group of hackers working in service of Iran’s Revolutionary Guard Corps.
Google’s Threat Analysis Group on Wednesday published a new report on APT42, a group it says has aggressively sought to compromise both the Democratic and Republican campaigns for president, as well as Israeli military, government, and diplomatic organizations. In May and June, APT42, which is believed to be working in service of Iran’s Revolutionary Guard Corps (IRGC), targeted about a dozen people associated with both Trump and Joe Biden, including current and former government officials and individuals associated with the two political campaigns. APT42 continues to target Republican and Democratic campaign officials alike, according to Google.
“In terms of collection, they’re hitting all sides,” says John Hultquist, who leads threat intelligence at Google-owned cybersecurity firm Mandiant, which works closely with its Threat Analysis Group. Hultquist notes that equal-opportunity cyberspying doesn’t come as a surprise, given that APT42 also targeted both the Biden and Trump campaigns in 2020 as well. APT42’s targeting doesn’t necessarily speak to its preference for a single candidate, he says, so much as the fact that both candidates, Trump and now Vice President Kamala Harris, are of enormous significance to the Iranian government. “They’re interested in both candidates because these are the individuals who are charting the future of American policy in the Middle East,” Hultquist says.
Only one campaign, however, appears to have had its sensitive files not only successfully breached by the Iranian hackers but also leaked to the press, in an apparent replay of Russia’s 2016 hack-and-leak operation that targeted Hillary Clinton’s campaign. Politico, The Washington Post, and The New York Times have all said they’ve been offered documents allegedly taken from the Trump campaign, in some cases by a source known as “Robert.”
Whether those files were in fact compromised by APT42 remains unconfirmed. Microsoft noted last week that APT42, which it calls Mint Sandstorm, had in June targeted a “high-ranking official on a presidential campaign” by exploiting a hacked email account of another “former senior adviser” to the campaign. Google in its new report also notes that APT42 “successfully gained access to the personal Gmail account of a high-profile political consultant.”
While neither company has offered any confirmation of which individual or individuals may have been successfully hacked by the Iranian group, Trump adviser Roger Stone has revealed that he was alerted by Microsoft and then by the FBI that both his Microsoft and Gmail accounts were compromised by hackers.
Google says it has blocked “numerous” ongoing attempts to log in to the accounts of officials on both campaigns, has sent warnings to the affected individuals, and has worked with law enforcement investigating the attempted breaches. The FBI launched its investigation into the phishing attacks in June, according to the Post.
APT42 has long been one of—or perhaps the—most active Iranian hacking group in the Middle East, Mandiant’s Hultquist says. But the group has been “pretty limited to espionage” in the past, Hultquist notes. He points out, however, that the IRGC as a whole has used its access to victim networks to go far beyond spying in past cases, launching data-destroying disruptive cyberattacks or hacking and leaking emails in so-called “influence operations,” as may have occurred in the case of the Trump campaign. “It’s a reminder that any access obtained for espionage can be used for other means,” Hultquist says.
In its report, Google lays out APT42’s typical phishing operations, which have ranged from directing victims to a fake Google Meet page that tries to trick them into entering their username and password to luring them into a conversation on a messaging platform such as Telegram, WhatsApp, or Signal, where the hackers then send the victim a phishing toolkit designed to intercept their credentials, as well as two-factor authentication codes or account recovery codes. Beyond its presidential campaign targeting, Google says APT42 has also been actively targeting Israeli organizations with phishing websites that impersonate Israeli and Israel-related groups, such as the Washington Institute for Near East Policy, the Brookings Institution, the Jewish Agency, and Project Aladdin.
APT42’s bipartisan political targeting—and its murky connection to hack-and-leak campaigns—should serve as a reminder of how hacking for political influence in US elections has expanded since Russia’s notorious influence operation of 2016, Hultquist says, with effects that are still unfolding. “It’s not just a Russia problem anymore. It’s broader than that,” Hultquist says. “There are multiple teams in play. And we have to keep an eye out for all of them.”