A single Iranian hacker group attacked both presidential campaigns, Google says

When Donald Trump’s presidential campaign publicly declared last week that it had been successfully attacked by Iranian hackers, the news may have initially seemed like a sign that the Middle Eastern country was particularly focused on the candidate it perceived as taking the toughest stance toward its regime. It has since become clearer that Iran has had the Democrats in the crosshairs of its cyber operations, too. Now, Google’s cybersecurity analysts have confirmed that both campaigns were targeted not just by Iran, but by the same group of hackers working for Iran’s Revolutionary Guard Corps.

Google’s Threat Analysis Group published a new report on Wednesday on APT42, a group that Google says has aggressively sought to compromise both the Democratic and Republican campaigns for president, as well as Israeli military, government, and diplomatic organizations. In May and June, APT42, believed to be working in service to Iran’s Revolutionary Guard Corps, or IRGC, targeted a dozen individuals associated with both Trump and Joe Biden, including current and former government officials and individuals associated with both political campaigns. APT42 continues to target Republican and Democratic campaign officials alike, according to Google.

“In terms of intelligence gathering, they’re hitting all sides,” says John Hultquist, who heads threat intelligence at the Google-owned cybersecurity firm Mandiant, which works closely with its Threat Analysis Group. Hultquist notes that equal-opportunity cyberespionage isn’t a surprise, given that APT42 also targeted the Biden and Trump campaigns in 2020. The fact that APT42 targeted a single candidate doesn’t necessarily reflect its preference for a single candidate, he says, but rather the fact that both candidates — Trump and now Vice President Kamala Harris — are of enormous importance to the Iranian government. “They’re interested in both candidates because they’re the individuals who are charting the future of American policy in the Middle East,” Hultquist says.

However, it appears that confidential files from just one campaign were not only successfully breached by the Iranian hackers, but were also leaked to the press, in an apparent repeat of Russia’s 2016 hack-and-leak operation targeting Hillary Clinton’s campaign. Politico, The Washington Post and The New York Times have all said they have been offered documents purportedly taken from the Trump campaign, in some cases by a source known only as “Robert.”

It has not yet been confirmed whether those files were actually compromised by APT42. Microsoft noted last week that APT42, which it calls Mint Sandstorm, had targeted a “senior presidential campaign official” in June by exploiting a hacked email account of another “former senior adviser” to the campaign. In its new report, Google also notes that APT42 “successfully gained access to the personal Gmail account of a high-profile political consultant.”

While neither company has offered any confirmation as to which individual or individuals may have been successfully hacked by the Iranian group, Trump adviser Roger Stone has revealed that he was alerted by Microsoft and then the FBI that his Microsoft and Gmail accounts were compromised by hackers.