Iranian Hacking Group Targets Biden and Trump Campaigns, Confirms Google

APT42, a hacking group allegedly backed by the Iranian government, has targeted individuals associated with the campaigns of President Joe Biden and former President Donald Trump, according to Google’s Threat Analysis Group (TAG). The group, also known as “Crooked Charms” and “TA453,” is linked to Iran’s Islamic Revolutionary Guard Corps and has a history of targeting high-profile individuals in Israel and the United States.

TAG has detected and disrupted APT42’s credential phishing activity during the current U.S. presidential election cycle. In May, phishing attacks targeted the personal email accounts of approximately a dozen individuals affiliated with Biden and Trump, as well as individuals associated with their campaigns. Google has blocked numerous attempts by APT42 to log into the targeted individuals’ personal email accounts and has taken steps to dismantle the group’s infrastructure.

However, APT42 successfully gained access to the personal Gmail account of a high-profile political consultant. Google reported the incident to the FBI in July and continues to cooperate with the agency. Additionally, the group has made unsuccessful attempts to compromise the personal accounts of individuals affiliated with Democratic presidential candidate Vice President Kamala Harris.

APT42’s operations date back to at least 2015, and the group conducts surveillance operations and collects information against individuals and organizations of strategic interest to the Iranian government. In the past six months, the United States and Israel accounted for approximately 60 percent of APT42’s known geographic targeting.

The group’s targeting of individuals in Israel intensified in April 2024, with a focus on people connected to the Israeli military and defense sector, diplomats, academics, and NGOs. APT42 employs various tactics in its email phishing campaigns, including hosting malware, phishing pages, and malicious redirects. The group also abuses services like Google Drive, Gmail, Dropbox, and OneDrive for these purposes.

This is not the first time that Google has disrupted APT42’s hacking attempts. During the 2020 U.S. presidential election cycle, the group, along with another Chinese attacker group, targeted high-profile individuals using credential phishing emails and tracking links.

The recent revelations from Google align with a Microsoft report that revealed suspected Iranian cyber intrusions in this year’s U.S. presidential election. The Trump 2024 presidential campaign also reported being targeted in a cyberattack, resulting in the theft of sensitive documents. Trump attributed the hacking attack to “foreign sources hostile to the United States.”

In conclusion, APT42, backed by the Iranian government, has been actively targeting individuals associated with the Biden and Trump campaigns. Google has taken steps to disrupt the group’s activities and has reported incidents to relevant authorities. The group’s tactics include credential phishing and the abuse of various services for malicious purposes. These attacks highlight the ongoing threat of cyber intrusions in political campaigns and the need for robust cybersecurity measures.