When Donald Trump’s presidential campaign publicly stated last week that it had been successfully targeted by Iranian hackers, the news may have initially seemed like a sign that the Middle Eastern country was particularly focused on the candidate whom it perceived to take the most hawkish approach to its regime. It’s since become clearer that Iran has had the Democrats in the sights of its cyber operations, too. Now Google’s cybersecurity analysts have confirmed that both campaigns were targeted not simply by Iran, but by the same group of hackers working in service of Iran’s Revolutionary Guard Corps.
Google’s Threat Analysis Group on Wednesday published a new report on APT42, a group it says has aggressively sought to compromise both the Democratic and Republican campaigns for president, as well as Israeli military, government, and diplomatic organizations. In May and June, APT42, which is believed to be working in service of Iran’s Revolutionary Guard Corps or IRGC, targeted about a dozen people associated with both Trump and Joe Biden, including current and former government officials and individuals associated with the two political campaigns. APT42 continues to target Republican and Democratic campaign officials alike, according to Google.
“In terms of collection, they’re hitting all sides,” says John Hultquist, who leads threat intelligence at Google-owned cybersecurity firm Mandiant, which works closely with its Threat Analysis Group. Hultquist notes that equal-opportunity cyberspying doesn’t come as a surprise, given that APT42 also targeted both the Biden and Trump campaigns in 2020. APT42’s targeting doesn’t necessarily speak to its preference for a single candidate, he says, so much as the fact that both candidates, Trump and now Vice President Kamala Harris, are of enormous significance to the Iranian government. “They’re interested in both candidates because these are the individuals who are charting the future of American policy in the Middle East,” Hultquist says.
Only one campaign, however, appears to have had its sensitive files not only successfully breached by the Iranian hackers but also leaked to the press, in an apparent replay of Russia’s 2016 hack-and-leak operation that targeted Hillary Clinton’s campaign. Politico, The Washington Post and The New York Times have all said they’ve been offered documents allegedly taken from the Trump campaign, in some cases by a source known as “Robert.”
Whether those files were in fact compromised by APT42 remains unconfirmed. Microsoft noted last week that APT42, which it calls Mint Sandstorm, had in June targeted a “high-ranking official on a presidential campaign” by exploiting a hacked email account of another “former senior advisor” to the campaign. Google in its new report also notes that APT42 “successfully gained access to the personal Gmail account of a high-profile political consultant.”
While neither company has offered any confirmation of which individual or individuals may have been successfully hacked by the Iranian group, Trump advisor Roger Stone has revealed that he was alerted by Microsoft and then by the FBI that both his Microsoft and Gmail accounts were compromised by hackers.