On Wednesday, Google released a threat analysis confirming that Iranian government-backed hackers targeted the election campaigns of the two opposing US presidential candidates, Kamala Harris and Donald Trump, as well as Israel and Israeli targets.
The hacker group, named APT42, is associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) and is a known actor that typically targets high-profile users in Israel and the U.S. In the past six months, the group targeted Israeli officials, including past and present military and government officials, political campaigns, diplomats, and more. Further, they targeted individuals affiliated with the U.S. election on both sides of the spectrum. Both presidential candidates confirmed in the past week that they had been attacked.
APT42 employs various tactics in its email phishing campaigns, utilizing services like Google Sites, Dropbox, and OneDrive to host malware, phishing pages, and malicious redirects. They often exploit these platforms to distribute their attacks, such as using Google Sites to create deceptive pages, including one that falsely appeared as a petition from the Jewish Agency for Israel calling for the end of the conflict. Google has actively worked to counter APT42 by resetting compromised accounts, issuing warnings, updating detection mechanisms, disrupting malicious pages, and adding harmful domains to the Safe Browsing blocklist, effectively dismantling parts of the group’s infrastructure, as well as suspending several accounts associated with APT42.
Targeting the Presidential Election
Google stated that this is not the first time APT42 has attempted to target the U.S. presidential elections and that they disrupted the group’s efforts to target the Biden and Trump campaigns during 2020 as well.
In the current election cycle, despite some successful high-profile attempts, Google was able to thwart a stream of APT42’s phishing attacks, which have targeted personal email accounts of key individuals affiliated with both Biden and Trump.
Google states that it has continued to observe unsuccessful attempts by APT42 to compromise the personal accounts of individuals affiliated with President Joe Biden, Vice President Harris, and former President Trump, and that it alerted campaign officials about increased foreign state actor activity and the need for enhanced security measures.
Google continues to monitor and block APT42’s attempts to compromise the personal accounts of individuals connected to both presidential campaigns. In the statement, Google said that APT42 is sophisticated and persistent and that the group shows no signs of stopping.
The US State Department issued a warning regarding the consequences of election interference by Iran.