Google Confirms Iran-Backed Hacking Group Targeted Emails Linked to Biden, Trump Campaigns

Phishing attacks, which took place in May, targeted the personal email accounts of roughly a dozen individuals affiliated with Biden and Trump, Google said.

A hacking group allegedly backed by the Iranian regime has recently targeted individuals associated with the campaigns of President Joe Biden and former President Donald Trump, tech giant Google has confirmed.

In an Aug. 14 blog post, Google’s Threat Analysis Group (TAG), which acts as its cybersecurity and threat intelligence arm, said the hacking group—known as APT42—is linked to Iran’s Islamic Revolutionary Guard Corps.

The group consistently targets “high-profile individuals in Israel and the United States,” Google said.

Those targets include current and former government officials, political campaigns, diplomats, individuals who work at think tanks, and nongovernmental organizations (NGO), and “academic institutions that contribute to foreign policy conversations,” according to the tech giant.

TAG noted it has detected and disrupted a “small but steady cadence” of APT42’s credential phishing activity during the current U.S. presidential election cycle.

Those phishing attacks, which took place in May, targeted the personal email accounts of roughly a dozen people affiliated with Biden and Trump, as well as people associated with their campaigns, according to the blog post.

Google’s TAG said it has blocked “numerous” attempts by APT42 to log in to the personal email accounts of the targeted individuals and also warned the people who were targeted.

The company also reset any compromised accounts, updated detections, disrupted malicious Google Sites pages, and conducted other efforts to dismantle the group’s infrastructure.

Hackers Access Email Account

However, Google said the group managed to successfully gain access to the personal Gmail account of a “high-profile political consultant.”

It didn’t identify the consultant, but said it reported the incident to the FBI in July and continues to cooperate with the agency.

TAG also noted that it continues to observe “unsuccessful attempts” from APT42 to compromise the personal accounts of individuals affiliated with Democrat presidential nominee Vice President Kamala Harris.

APT42 is also known as “Crooked Charms” and “TA453,” according to a separate blog post published in 2022 by the U.S. cybersecurity firm Mandiant, a subsidiary of Google.

The cyberespionage group, whose operations date to at least 2015, usually conducts surveillance operations and collects information against people and organizations of “strategic interest,” to the Iranian regime, Mandiant said.

In its latest blog post, Google said the group “heavily targeted” users in Israel and the United States between February and late July.

“In the past six months, the U.S. and Israel accounted for roughly 60 percent of APT42’s known geographic targeting, including the likes of former senior Israeli military officials and individuals affiliated with both U.S. presidential campaigns,” the tech giant said.

“These activities demonstrate the group’s aggressive, multi-pronged effort to quickly alter its operational focus in support of Iran’s political and military priorities.”

Vice President and Democrat presidential nominee Kamala Harris speaks during a campaign rally at the Thomas and Mack Center at the University of Nevada–Las Vegas, on Aug. 10, 2024. (Ronda Churchill/AFP via Getty Images)
Vice President and Democrat presidential nominee Kamala Harris speaks during a campaign rally at the Thomas and Mack Center at the University of Nevada–Las Vegas, on Aug. 10, 2024. (Ronda Churchill/AFP via Getty Images)

Attacks on US, Israel Have ‘Intensified’

Google said that APT42 “intensified” its targeting of users based in Israel in April 2024, with the group seeking out people with connections to the Israeli military and defense sector, as well as diplomats, academics, and NGOs, according to the company.

The hacking group uses various tactics in email phishing campaigns to victims, including hosting malware, phishing pages, and malicious redirects, Google said.

The group also usually abuses services such as Google Drive, Gmail, Dropbox, OneDrive, and others for these purposes, it said.

This isn’t the first time that Google has disrupted alleged hacking attempts by APT42 ahead of the critical election period. During the 2020 U.S. presidential election cycle, for example, the company said the group, along with another Chinese attacker group, had also targeted high-profile individuals using credential phishing emails and emails containing tracking links.

The blog post from Google expands on a recent Microsoft report that revealed suspected Iranian cyber intrusion in this year’s U.S. presidential election.

The Trump 2024 presidential campaign recently said it had been targeted in a cyberattack and sensitive documents were stolen.

Trump blamed “foreign sources hostile to the United States” for the hacking attack.

The Associated Press contributed to this report.

 

Leave a Reply