The bad actors behind the hacks of the Biden-Harris and Trump campaigns is an Iranian-backed threat group with a history of running phishing campaigns against high-profile targets in both the United States and Israel, according to Google.

Researchers with the company’s Threat Analysis Group (TAG) wrote that during the current U.S. presidential campaign, they “detected and disrupted a small but steady cadence of APT42’s Cluster C credential phishing activity,” adding that in May and June, the targets included the personal email accounts of about a dozen people affiliated with President Biden and ex-President Donald Trump.

Those targets include both current and former U.S. government officials and people associated with the election campaigns, they wrote in a report. TAG blocked “numerous APT42 attempts” to log into the email accounts of the targeted individuals. Those attempts echoed similar attacks launched by the Iranian group against both the Biden and Trump campaigns during 2020 presidential election cycle, with TAG disrupting those efforts as well.

Google’s latest report comes on the heels of claims by the Trump campaign that it was hacked and internal documents stolen and later shared with The New York Times, Washington Post, and Politico. It later was discovered that the Biden-Harris campaign also was targeted and that the email account of Trump operative Roger Stone was successfully hacked in June and used as a gateway into the Trump campaign’s systems.

“We observed that the [APT42] group successfully gained access to the personal Gmail account of a high-profile political consultant,” the TAG researchers wrote without naming the consultant. “In addition to our standard actions of quickly securing any compromised account and sending government-backed attacker warnings to the targeted accounts, we proactively referred this malicious activity to law enforcement in early July and we are continuing to cooperate with them.”

Iranian government officials have denied they were behind the attacks.

APT42 an Arm of Iranian Government

In the most recent report and an earlier one published in May, TAG researchers said APT42, which is an arm of Iran’s Islamic Revolutionary Guard intelligence organization, is known for using enhanced social engineering methods to gain access to the networks of targets. Those methods include posing as journalists and event organizers in messages to give an air of credibility as they deliver invitations to conferences or offer legitimate documents.

In May, Google said the threat group was targeting Western and Middle Eastern non-governmental organizations (NGOs), media companies, academia, legal services, and activists. However, over the past six months, about 60% of APT42’s targets were in the United States and Israel, including former senior Israeli military officials and people associated with both U.S. presidential campaigns.

Those efforts are continuing, with the email accounts of people affiliated with President Biden, Vice President Kamala Harris, Trump, and their campaigns

“These activities demonstrate the group’s aggressive, multi-pronged effort to quickly alter its operational focus in support of Iran’s political and military priorities,” the TAG researchers wrote.

Multiple Hacking Techniques

APT42 uses tactics like sending phishing links either directly in the body of an email message or as a link in a benign PDF attachment.

“In such cases, APT42 would engage their target with a social engineering lure to set-up a video meeting and then link to a landing page where the target was prompted to login and sent to a phishing page,” they wrote. “One campaign involved a phishing lure featuring an attacker-controlled Google Sites link that would direct the target to a fake Google Meet landing page.”

The bad actors also used other lures, including OneDrive, Dropbox, and Skype. Over the past six months, TAG has disrupted the attackers’ ability to abuse Google Sites in more than 50 similar campaigns, the researchers wrote.

“Another APT42 campaign template is sending legitimate PDF attachments as part of a social engineering lure to build trust and encourage the target to engage on other platforms like Signal, Telegram or WhatsApp,” they wrote. “We expect the attackers would then use these platforms to send a phishing kit to harvest credentials.”

Other vendors also have seen increasingly aggressive campaigns by Iranian groups as the U.S. presidential elections near. In a report last week, Microsoft researchers said they’d detected at least four such threat groups running operations designed to influence the elections. Russia and China have long been considered the top nation-state security threats to U.S. politics, but the Microsoft researchers wrote that “recent activity suggests the Iranian regime – along with the Kremlin – may be equally engaged in election 2024.”