Google Confirms Iranian Hackers Behind US Presidential Hacks

Alphabet’s Google has warned that Iranian hackers have tried to infiltrate the personal email accounts of roughly a dozen people linked to President Joe Biden and former President Donald Trump.

The warning came on Wednesday from Google’s Threat Analysis Group. It follows a similar warning last week from Microsoft Threat Intelligence of numerous Iranian cyber intrusions in this year’s US presidential election, including a hack of Republican presidential nominee Donald Trump.

The FBI is already investigating that breach, but Iran denied involvement.

The Microsoft advisory last Friday said an Iranian group linked to the Islamic Revolutionary Guard Corps had sent a spear-phishing email in June to a “high-ranking official” on a presidential campaign from the compromised email account of a former senior advisor.

Google warning

Days later, Google’s Threat Analysis Group has issued a similar warning, identifying APT42, an Iranian government-backed threat actor.

Google confirmed the hackers were the same as those Microsoft had identified, although Redmond refers to the group as Mint Sandstorm.

Google said that since May APT42 has carried out targeted phishing campaigns against Israel and Israeli targets. It also confirmed “recent reports around APT42’s targeting of accounts associated with the US presidential election.”

“Associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), APT42 consistently targets high-profile users in Israel and the US, including current and former government officials, political campaigns, diplomats, individuals who work at think tanks, as well as NGOs and academic institutions that contribute to foreign policy conversations,” stated Google.

“In the past six months, the US and Israel accounted for roughly 60 percent of APT42’s known geographic targeting, including the likes of former senior Israeli military officials and individuals affiliated with both US presidential campaigns,” it stated. “These activities demonstrate the group’s aggressive, multi-pronged effort to quickly alter its operational focus in support of Iran’s political and military priorities.”

In April APT42 apparently intensified their targeting of users based in Israel. They sought out people with connections to the Israeli military and defense sector, as well as diplomats, academics, and NGOs.

Google said it had taken down “multiple APT42-created Google Sites pages that masqueraded as a petition from the legitimate Jewish Agency for Israel calling on the Israeli government to enter into mediation to end the conflict.”

Active hackers

Google confirmed APT42 is still actively targeting people associated with Biden, Trump and Vice President Kamala Harris, who replaced Biden as the Democratic candidate last month.

Other targets include current and former government officials, as well as presidential campaign affiliates.

“As we outlined above, APT42 is a sophisticated, persistent threat actor and they show no signs of stopping their attempts to target users and deploy novel tactics,” said Google. “This spring and summer, they have shown the ability to run numerous simultaneous phishing campaigns, particularly focused on Israel and the US. As hostilities between Iran and Israel intensify, we can expect to see increased campaigns there from APT42.”

“We also remain vigilant for targeting around the US election and encourage all high-risk individuals including elected officials, candidates, campaign workers, journalists, election workers, government officials, and others to sign up for Google’s Advanced Protection Program,” it concluded.

Both Russia and Iran continue to find themselves isolated internationally, because of their hostile domestic and foreign activities.

Tom Jowitt
