A hacking group allegedly backed by the Iranian government has recently targeted individuals associated with the campaigns of President Joe Biden and former President Donald Trump, tech giant Google has confirmed.
In an Aug. 14 blog post, Google’s Threat Analysis Group (TAG), which acts as its cybersecurity and threat intelligence arm, said the hacking group—known as APT42—is linked to Iran’s Islamic Revolutionary Guard Corps.
The group consistently targets “high-profile individuals in Israel and the United States,” Google said.
Those targets include current and former government officials, political campaigns, diplomats, individuals who work at think tanks, and nongovernmental organizations (NGOs), and “academic institutions that contribute to foreign policy conversations,” according to the tech giant.
TAG noted it has detected and disrupted a “small but steady cadence” of APT42’s credential phishing activity during the current U.S. presidential election cycle.
Those phishing attacks, which took place in May, targeted the personal email accounts of roughly a dozen individuals affiliated with Biden and Trump, as well as individuals associated with their respective campaigns, according to the blog post.
Google’s TAG said it has blocked “numerous” attempts by APT42 to log in to the personal email accounts of the targeted individuals and also warned the individuals who were targeted.
The company also reset any compromised accounts, updated detections, disrupted malicious Google Sites pages, and conducted other efforts to dismantle the group’s infrastructure.
Hackers Access Email Account
However, Google said the group managed to successfully gain access to the personal Gmail account of a “high-profile political consultant.”
It did not name the consultant, but said it reported the incident to the FBI in July and continues to cooperate with the agency.
TAG also noted that it continues to observe “unsuccessful attempts” from APT42 to compromise the personal accounts of individuals affiliated with Democratic presidential candidate Vice President Kamala Harris.
APT42 is also known as “Crooked Charms” and “TA453,” according to a separate blog post published in 2022 by the American cybersecurity firm Mandiant, a subsidiary of Google.
The cyber-espionage group’s operations date back to at least 2015, and the group typically conducts surveillance operations and collects information against individuals and organizations of “strategic interest,” to the Iranian government, Mandiant said.
In its latest blog post, Google said the group “heavily targeted” users in Israel and the United States between February and late July.
“In the past six months, the U.S. and Israel accounted for roughly 60 percent of APT42’s known geographic targeting, including the likes of former senior Israeli military officials and individuals affiliated with both U.S. presidential campaigns,” the tech giant said.
“These activities demonstrate the group’s aggressive, multi-pronged effort to quickly alter its operational focus in support of Iran’s political and military priorities.”
Attacks on US, Israel Have ‘Intensified’
Google said that APT42 “intensified” its targeting of users based in Israel in April 2024; with the group seeking out people with connections to the Israeli military and defense sector, as well as diplomats, academics, and NGOs, according to the company.
The hacking group uses various tactics in email phishing campaigns to victims, including hosting malware, phishing pages, and malicious redirects, Google said.
The group also typically abuses services such as Google Drive, Gmail, Dropbox, OneDrive, and others for these purposes, it said.
This is not the first time that Google has disrupted alleged hacking attempts by APT42 ahead of the critical election period.
During the 2020 U.S. presidential election cycle, for example, the company said the group, along with another Chinese attacker group, had also targeted high-profile individuals using credential phishing emails and emails containing tracking links.
The blog post from Google expands on a recent Microsoft that revealed suspected Iranian cyber intrusion in this year’s U.S. presidential election.
The Trump 2024 presidential campaign recently said it had been targeted in a cyberattack and sensitive documents were stolen.
Trump blamed “foreign sources hostile to the United States” for the hacking attack.
The Associated Press contributed to this report.
From The Epoch Times