Trump, Biden, Harris targeted in Iran phishing cyberattacks

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Iran using spear-phishing attacks against President Trump, President Biden, and Vice President Harris

Iran is quickly becoming a dangerous cyber threat to the United States Presidential Election Campaigns across party isles, according to new reports from Google, Microsoft, and multiple news outlets. If that wasn’t enough, they were just banned by OpenAI for using ChatGPT for creating AI-assisted influence operations, generating disinformation on volatile political and ideological topics.

According to The Wall Street Journal, the Federal Bureau of Investigation (FBI) has been investigating sophisticated spear-phishing cyberattacks by Iranian hackers against United States Presidential Election Campaigns since June.

Former President Trump is blaming Iran for “hacking his campaign” and even praises the FBI for their efforts in responding to the incident.

Yet, until a new report from Google’s Threat Analysis Group (TAG) released last week, no independent third party had confirmed the scope or hack attempts. The new Google report confirms the same Iranian hacking group known as “APT42” is targeting former President Trump, President Biden, and Vice President Harris.

The attacks date back to the 2020 United States Presidential Election cycle, targeting then-President Trump and the Biden-Harris presidential campaigns.

Who is APT42?

According to cybersecurity research and response firm Mandiant, Advanced Persistent Threat 42 (APT42) is an Iranian state-sponsored cyber-espionage group. Mandiant also believes that APT42 operates for the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO).

Prior cybersecurity incidents attributed to APT42 confirm the group’s intent to deploy invasive malware on targets’ devices to track, perform espionage, record audio conversations, and exfiltrate data. Targets include government officials and journalists who pose a threat to the Iranian government regime.

APT42 TTPs for luring targets in phishing campaigns

Iranian hackers associated with APT42 are effective by luring targets to establish trust using multiple platforms to exchange files before finally delivering a malicious payload.

APT42 hackers frequently build trust with their targets over chat platforms such as WhatsApp, Telegram, or Signal before attempting to grab their target's valid credentials.

Google’s TAG reports that APT42 would include PDF attachments in emails or utilize legitimate virtual meeting links from providers like Google, Skype, and others. Upon joining the virtual meeting platform, a linked landing page on attacker-controlled platforms like a Google Site, OneDrive, or Dropbox had a malicious payload.

Other times, credential harvesting toolkits such as GCollection, LCollection, YCollection, or DWP were utilized to gather credentials from a target that uses a Google, Hotmail, or Yahoo account.

Google’s TAG observes that APT42 hackers would perform extensive research on their targets, using “open-source marketing and social media research tools to identify personal email addresses that might not have default multi-factor authentication or other protection measures” that corporate accounts typically enforce.

Once APT42 gains access to the targeted account, they would add recovery email accounts (that APT42 controls) and use features that allow applications that do not support multi-factor authentication, like application-specific passwords.

Google’s Advanced Protection Program revokes and disables these application-specific passwords in Gmail, protecting users from these attacks. The Advanced Protection Program also supports using a passkey for stronger user authentication.

APT42 targeting the United States Presidential Election Campaigns

Google has assessed that APT42 deployed spear-phishing attacks on approximately a dozen individuals tied to former President Trump's and President Biden's 2024 election campaigns. APT42 also targeted both campaigns in the 2020 Presidential Election cycle.

Targets also include current and former officials in the U.S. government.

APT42 attempted to attack the Biden-Harris campaign before President Biden stepped down from his reelection campaign and endorsed current Vice President Harris as the Democratic nominee.

The Trump campaign first blamed Iran for hacking his 2024 election campaign when an internal campaign vetting document on J.D. Vance, his running mate, was leaked to members of the press.

Trump claims that the hacks occurred against his campaigns because “Iran is no friend of mine, a lot of bad signals get sent.”

APT42 is banned from OpenAI for using ChatGPT to influence elections

Separately from Google and Microsoft’s reports, OpenAI has banned APT42 from its platforms for using ChatGPT to create disinformation and influence operations against the U.S. Presidential campaigns.

OpenAI found that APT42 used ChatGPT to generate content on numerous topics to spread disinformation or sway public opinion on political issues. The content was then spread across fake news outlets and social media platforms.

Divisive content was created to influence both Democratic and Republican campaign issues.

However, the majority of social media posts that OpenAI detected were not effective, generating minimal likes, shares, or comments.

Iran has denied any involvement in the hacks, according to state media.

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.

New from our blog:

• Microsoft Report: Iranian Cyber Operations Targeting U.S. Presidential Election

• New Cybersecurity Unicorn: Chainguard Raises $140M at $1.12B Valuation

• Review: Apple iPad Pro 11″ M4 with Magic Keyboard

New from our favorite blogs and journalists:

• Trump, Biden, Harris targeted in Iran phishing campaign, Google finds (Axios)

• FBI Is Investigating Suspected Iranian Hack Attempts Against Trump and Biden Campaigns (The Wall Street Journal)

• What We Learned From the Cyberattack on Change Healthcare (The Wall Street Journal)

• Those Online Accounts You No Longer Use? For Your Own Safety, Get Rid of Them (The Wall Street Journal)

• Sam Altman’s Worldcoin Is Battling With Governments Over Your Eyes (The Wall Street Journal)

• Iranian group used ChatGPT to try to influence US election, OpenAI says (The Guardian)

Today’s Cyber Wall of Shame

Palo Alto Networks didn’t use common sense when they used real women to model and pose as “lamp women” at this year’s Black Hat event in Las Vegas. The company has since apologized and backtracked on the display. More on this PR disaster…

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

P.S. - Do you want to start a newsletter yourself?
You can with beehiiv. Create one today with a free trial.
Disclaimer: The Breach Report may contain affiliate links. Read our Advertising policy page.