In a recent report by Google’s Threat Analysis Group (TAG), it was revealed that hackers linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) have been targeting the presidential campaigns of Joe Biden and Donald Trump with phishing attacks. This uptick in malicious activity comes amid heightened tensions between Iran and Israel. Despite the increased security measures, hackers continue to employ sophisticated techniques to steal credentials and infiltrate critical institutions in the U.S. and Israel.
Earlier reports on Iranian cyber activities have consistently highlighted the country’s focus on disrupting U.S. political processes and institutions. However, the scale and precision of these recent attacks indicate a more resolute effort by the IRGC to influence foreign political landscapes. Unlike previous years, when attacks were sporadic, the current findings show a more sustained and concentrated effort, especially focusing on high-profile individuals and organizations.
Targeting Political Campaigns
Google TAG researchers observed “small but steady” efforts by the IRGC to acquire credential information from individuals associated with both Biden and Trump during this election cycle. The report also noted a surge in phishing attempts against Israeli military, defense, and academic institutions from April onwards. This spring and summer, IRGC hackers executed numerous simultaneous phishing campaigns targeting the U.S. and Israel, reflecting escalating hostilities between Iran and Israel.
Hack-and-Leak Operations
Last week, the Trump campaign alleged an attempted hack-and-leak operation by an Iranian persona called “Robert,” who claimed inside access to campaign materials. Rob Joyce, former head of cybersecurity at the National Security Agency, warned that such operations, reminiscent of Russia’s 2016 election interference, are likely to increase as election day approaches. The IRGC also attempted to steal logins from around a dozen U.S. government officials and individuals connected to the presidential campaigns during May and June.
High-Profile Targets
Google confirmed that the IRGC successfully infiltrated the email of a “high-profile political consultant,” corroborating a report by Microsoft. Intelligence officials have described Iran as a “chaos agent,” with more than half of the IRGC’s geographic targeting focusing on the U.S. and Israel. The hackers relied on social engineering and on fake versions of Google services such as Gmail and Drive, and they also impersonated sites such as Dropbox and OneDrive. In one instance, the IRGC posed as journalists to social engineer senior Israeli military officials into providing their credentials.
The IRGC has also imitated renowned organizations such as the Institute for the Study of War and the Brookings Institution using similar website or email domains. These tactics are part of a broader strategy to infiltrate and disrupt critical infrastructure and key political entities.
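As an added example (not code from Google TAG or this article), the following Python triage script shows how a mail defender can flag sender domains that imitate trusted organisations in the ways described above: homoglyph substitutions, single-character typosquats, hyphenated padding of the brand label, and a real brand domain smuggled in as a subdomain of an unrelated registrable domain. The allow-list, confusable table and sample addresses are constructed assumptions.

```python
# Constructed allow-list of brand domains this organisation trusts (assumption; the report names only the brands).
PROTECTED = ("google.com", "dropbox.com", "brookings.edu", "understandingwar.org")
# Visually confusable sequences often used in lookalike registrations; folded before comparison.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def fold(label: str) -> str:
    """Lower-case a DNS label and collapse confusables so that g00gle becomes google."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels; a distance of 1 catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain part of a sender address."""
    domain = domain.lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in PROTECTED):
        return "trusted"  # the brand's own domain or a genuine subdomain of it
    registrable = fold(domain.split(".")[-2:][0])  # second-level label, e.g. 'g00gle' of g00gle.com
    for trusted in PROTECTED:
        brand = trusted.split(".")[0]
        # brand.tld smuggled in as a leading label, e.g. google.com.secure-login.net
        if domain.startswith(trusted + ".") or "." + trusted + "." in domain:
            return "lookalike"
        # brand label typosquatted, homoglyphed, or padded with a hyphenated suffix
        if levenshtein(registrable, brand) <= 1 or registrable.startswith(brand + "-"):
            return "lookalike"
    return "unknown"

def triage(senders):
    """Map each From: address to a verdict; only the part after '@' is examined."""
    return {addr: classify_domain(addr.rsplit("@", 1)[1]) for addr in senders}

# Constructed sample senders modelled on the impersonation patterns the report describes.
SAMPLE_SENDERS = [
    "drive-share@g00gle.com",                      # homoglyph of google.com
    "noreply@google.com.secure-login-verify.net",  # brand domain as a subdomain label
    "events@brookings-institution.org",            # brand label with hyphenated padding
    "press@understandingwar.org",                  # genuine sender
    "editor@newsroom-example.net",                 # unrelated domain
]
```

Running `triage(SAMPLE_SENDERS)` yields a lookalike verdict for the first three addresses, trusted for the fourth and unknown for the last; the heuristic is a triage aid for an analyst queue, not a blocking rule, since short brand labels can collide with legitimate names.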
As the geopolitical climate heats up, cyber defenders must remain vigilant against increasingly sophisticated phishing campaigns. The IRGC’s persistence and evolving tactics highlight the need for enhanced security measures to protect sensitive information and maintain the integrity of political processes. Organizations and individuals alike should stay informed about potential threats and adopt robust cybersecurity practices to thwart such attacks.