Iranian Hacking, Plots Against US Accelerated After Soleimani Death in 2020

(Bloomberg) -- US charges against three Iranians for allegedly hacking Donald Trump’s presidential campaign illustrate what cybersecurity experts say are increasingly advanced, and aggressive, tactics from the Persian Gulf adversary.


The indictment unsealed Friday accuses three members of Iran’s Islamic Revolutionary Guard Corps of engaging in a yearslong operation to compromise email accounts and gather sensitive data from US government officials. The alleged hackers – Masoud Jalili, Seyyed Ali Aghamiri and Yasar Balaghi – often impersonated American government personnel in phishing emails that enabled them to access other accounts, the charges said.

The attackers allegedly used a fake nonprofit called Democracy in the Middle East, posing as the chief executive officer, to invite victims to attend a supposed conference in Dubai via an email laced with malware. Much of the cyber activity outlined in the indictment allegedly originated from eight IP addresses located in a nondescript office building in Tehran.

Targets included officials in the White House, the National Security Council, both chambers of Congress, the departments of Defense and State, intelligence agencies, members of the media and an array of international officials. Hackers successfully compromised victims’ accounts on numerous occasions, the indictment stated.

“This is part of the broader aggressive activity we’re seeing from Iran, from Russia, from China, are part of a very complex, diverse and aggressive foreign malign influence effort that we are seeing from our adversaries in this election cycle,” US Deputy Attorney General Lisa Monaco said in a Bloomberg Television interview on Friday.

Iran’s Permanent Mission to the United Nations didn’t respond to a request for comment. The country previously has denied conducting malicious cyber activity. The alleged hackers couldn’t immediately be reached for comment.

Iranian hackers have tried to meddle in US elections before. In 2020, for instance, they obtained or attempted to obtain US voter information, sent threatening emails to voters and spread disinformation online, according to the Office of the Director of National Intelligence.

The Islamic Republic’s willingness to use cyber tools as a geopolitical weapon has only increased since then, fueled in part by a 2020 drone strike that killed Iran’s Qassem Soleimani, commander of the IRGC’s elite Quds Force, said Yigal Unna, who served as director general of Israel’s National Cyber Directorate until 2022.

In an August posting, Microsoft Corp. researchers explained how one Iranian group had launched phony news sites targeting US voters on both ends of the political spectrum, while another was laying the groundwork for more extreme activities, including intimidation and inciting violence. Yet another Iranian group compromised the account of a county-level government official in a swing state.

Charles Carmakal, chief technology officer at Mandiant Consulting, explained another recent episode involving Iranian agents, in which they impersonated journalists in order to schedule calls with people who had access to sensitive information. When unwitting victims tried logging into the video call, their credentials and passwords would be swiped by the Iranian spies, he said.

Within minutes, the attackers would then try to log into the person’s account.

“It was just a really spooky situation,” he said of the victims’ experience. “Some of them physically live in the Middle East right now. And the closer the proximity to Iran, the more nervous people get.”

Iranian hackers have long targeted Israel, and those attacks have intensified since Hamas militants conducted a surprise attack on Israeli civilians on Oct. 7, 2023, according to security researchers. In the weeks after the attack, a group allegedly linked to the IRGC claimed to have stolen 700,000 medical records about Israelis, including soldiers, and published them on the Telegram messaging app, for instance.

“They’re aiming and learning and advancing on the learning curve of causing damage and wiping out systems, and they’re targeting the US at least as much as they do Israel, because in their strategic eyes, Israel is the small devil, a nuisance, while the US is the big devil,” said Unna. “It’s not something the American public should discount.”

In one case, an Iranian counterintelligence operation sought to identify spies by using social media profiles to spread fake job recruitment websites that seemed to be from Israel, Google researchers said in August. The accounts masqueraded as Israeli hiring managers, then asked recipients to provide personal information that then was transmitted to suspected IRGC hackers.

“The collected data may be leveraged to uncover human intelligence operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations,” researchers wrote at the time.

--With assistance from Margi Murphy, Jamie Tarabay and Kailey Leinz.


©2024 Bloomberg L.P.