
Single Iranian Hacking Group Targeted Both Presidential Campaigns, Google Says

When Donald Trump’s presidential campaign publicly announced last week that it had been successfully targeted by Iranian hackers, the news may have initially seemed like a sign that the Middle Eastern country was particularly focused on the candidate it believed had the most aggressive approach to its regime. It has since become clearer that Iran also had Democrats in its cyber-operations’ crosshairs. Now, cybersecurity analysts at Google have confirmed that both campaigns were targeted not just by Iran, but by the same hacking group that works for Iran’s Revolutionary Guard Corps.

On Wednesday, Google’s Threat Analysis Group released a new report on APT42, a group it says has aggressively sought to compromise both the Democratic and Republican presidential campaigns, as well as Israeli military, government, and diplomatic organizations. In May and June, APT42, believed to be working for the Iranian Revolutionary Guard Corps (IRGC), targeted about a dozen people associated with both Trump and Joe Biden, including current and former government officials and individuals associated with the two political campaigns. APT42 continues to target both Republican and Democratic campaign officials, according to Google.

“In terms of collection, they’re hitting all sides,” says John Hultquist, who heads threat intelligence at Google-owned cybersecurity firm Mandiant, working closely with its Threat Analysis Group. Hultquist notes that equal-opportunity cyberespionage isn’t surprising, given that APT42 also targeted the Biden and Trump campaigns in 2020. APT42’s targeting doesn’t necessarily speak to its preference for a single candidate, he says, but rather to the fact that both candidates, Trump and now Vice President Kamala Harris, are hugely important to the Iranian government. “They’re interested in both candidates because they’re the guys who are shaping the future of American policy in the Middle East,” Hultquist says.

However, only one campaign appears to have had its sensitive files not only successfully breached by Iranian hackers but also leaked to the press, in an apparent repeat of Russia’s 2016 hack-and-leak operation that targeted Hillary Clinton’s campaign. Politico, The Washington Post, and The New York Times have all said they received documents purportedly from the Trump campaign, in some cases from a source known as “Robert.”

It has not yet been confirmed whether those files were actually compromised by APT42. Microsoft noted last week that APT42, which it calls Mint Sandstorm, targeted a “high-ranking presidential campaign official” in June by leveraging a hacked email account of another “former senior advisor” to the campaign. Google also notes in its new report that APT42 “successfully gained access to the personal Gmail account of a high-profile political consultant.”

While neither company has confirmed which individual or individuals were successfully hacked by the Iranian group, Trump adviser Roger Stone revealed that he was notified by Microsoft and then the FBI that both his Microsoft and Gmail accounts had been compromised by hackers.

Written by Anika Begay
