Iran-Backed APT42 Targets US Presidential Campaigns: A Detailed Look

Google’s Threat Analysis Group (TAG) has confirmed that an Iranian government-backed threat actor, APT42, is targeting Google accounts associated with the US presidential campaigns of President Biden, Vice President Harris, and former President Trump. This cyber-espionage group, linked to Iran’s Islamic Revolutionary Guard Corps, has been engaging in sophisticated attacks aimed at high-profile individuals in both the US and Israel.

Methods and Tactics of APT42

APT42 employs a range of tactics to gain unauthorized access to cloud-based accounts, including:

  • Phishing Pages: Deceptive sites designed to steal login credentials.
  • Malicious Redirects: Links that lead to phishing pages.
  • Hosted Malware: Software designed to infiltrate and damage systems.

Specific Examples

One phishing attempt involved a Google Sites page masquerading as a petition from Jewish activists. This page redirected users to phishing sites via an ngrok link when they attempted to sign the petition.

Targets and Impact

APT42 has actively targeted personal emails of campaign affiliates, successfully compromising accounts, including that of a high-profile political consultant, reportedly Roger Stone. Microsoft also reported that a former senior advisor to the Trump campaign had their account compromised.

Google’s TAG continues to monitor and mitigate these threats by resetting compromised accounts, issuing warnings, and blacklisting phishing domains.

Techniques to Bypass Security

APT42’s strategy often involves moving targets to less secure communication channels like Signal, Telegram, or WhatsApp, where multifactor authentication might not be in place. They use:

  • Legitimate-looking PDFs: To build trust before sending phishing links.
  • Phishing Kits: To harvest credentials from major email providers.
  • Application-Specific Passwords: To maintain access and bypass multifactor authentication.
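The tactics listed above (a hosted page that redirects to a tunnelled phishing site, followed by an application-specific password that keeps access alive without a second factor) leave correlatable traces in ordinary proxy and identity-provider telemetry. The following Python sketch is an added example, not code from the article or from Google TAG: it parses a few constructed JSON log lines, flags visits that land on a tunnelling host (ngrok is named on the page; the exact hostname suffixes are an assumption a defender would maintain) when reached from a hosted-content page, and raises an alert when the same user creates an application-specific password shortly afterwards. Event names, field names and timestamps are all invented for the demonstration.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hostname suffixes of tunnelling services. ngrok is named in the article;
# the concrete suffixes are an assumption and should be kept up to date.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "ngrok.app")

# Hosted-content origins that make a redirect look trustworthy (the article
# describes a Google Sites page used this way).
HOSTED_CONTENT_HOSTS = ("sites.google.com",)

# Constructed sample telemetry (NOT real data): one JSON record per line,
# mixing web-proxy visits with account-security events from an identity provider.
SAMPLE_LOG = """\
{"ts": "2024-08-14T09:00:00Z", "type": "web_visit", "user": "alice", "url": "https://sites.google.com/view/petition-page", "referer": ""}
{"ts": "2024-08-14T09:00:05Z", "type": "web_visit", "user": "alice", "url": "https://a1b2c3d4.ngrok-free.app/signin", "referer": "https://sites.google.com/view/petition-page"}
{"ts": "2024-08-14T09:01:10Z", "type": "login", "user": "alice", "mfa": true, "src_ip": "203.0.113.7"}
{"ts": "2024-08-14T09:03:00Z", "type": "app_password_created", "user": "alice", "app_name": "Mail"}
{"ts": "2024-08-14T10:15:00Z", "type": "web_visit", "user": "bob", "url": "https://docs.example.org/policy.pdf", "referer": ""}
{"ts": "2024-08-14T11:30:00Z", "type": "app_password_created", "user": "carol", "app_name": "Calendar"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records and convert timestamps to datetimes."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return events


def is_tunnel_host(url):
    """True when the URL's host is a tunnelling-service host or a subdomain of one."""
    host = urlparse(url).hostname or ""
    return any(host == suffix or host.endswith("." + suffix) for suffix in TUNNEL_SUFFIXES)


def find_tunnel_redirects(events):
    """Visits to a tunnel host reached from a hosted-content page.

    Returns one record per suspicious visit so a later correlation step
    can tie it to the user's account-security events.
    """
    hits = []
    for event in events:
        if event["type"] != "web_visit" or not is_tunnel_host(event["url"]):
            continue
        referer_host = urlparse(event.get("referer", "")).hostname or ""
        if referer_host in HOSTED_CONTENT_HOSTS:
            hits.append({"user": event["user"], "ts": event["ts"],
                         "url": event["url"], "referer_host": referer_host})
    return hits


def correlate_app_passwords(events, window=timedelta(hours=1)):
    """Alert when a user creates an application-specific password within
    `window` after being redirected to a tunnelled phishing page.

    An app password issued right after a credential-phishing visit is the
    persistence step the article describes: it lets a mail client log in
    without the account's second factor.
    """
    redirects = find_tunnel_redirects(events)
    alerts = []
    for event in events:
        if event["type"] != "app_password_created":
            continue
        for redirect in redirects:
            delta = event["ts"] - redirect["ts"]
            if redirect["user"] == event["user"] and timedelta(0) <= delta <= window:
                alerts.append({"user": event["user"], "app_name": event["app_name"],
                               "phish_url": redirect["url"],
                               "minutes_after": int(delta.total_seconds() // 60)})
                break
    return alerts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for alert in correlate_app_passwords(parsed):
        print(f"ALERT user={alert['user']} created app password '{alert['app_name']}' "
              f"{alert['minutes_after']} min after visiting {alert['phish_url']}")
```

In this sample only alice is flagged: bob's PDF download involves no tunnel host, and carol's application-specific password has no preceding suspicious visit, so it stays a routine event for periodic review rather than an alert. The response the article attributes to Google (resetting the account and revoking the attacker's foothold) maps directly onto the alert: the application-specific password named in it is the credential to revoke.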

Implications and Broader Threat Landscape

APT42’s activities echo the tactics Russian hackers used against the 2016 election, a playbook now also followed by Iranian operatives. Publications have reported receiving documents from the Trump campaign, potentially stemming from these phishing efforts, although no stories have been published based on this information.

John Hultquist of Google-owned Mandiant highlights the need to broaden the scope of threat monitoring beyond Russia, noting the presence of multiple state-sponsored cyber teams targeting US political figures.

Conclusion

The revelations from Google’s TAG underscore the persistent and evolving threat posed by state-sponsored cyber espionage. As election security remains a critical issue, both campaign teams and individuals must adopt robust security measures, such as Google’s Advanced Protection Program, to mitigate these sophisticated cyber threats.