Exclusive: Inside Iran’s hacking operation that has US officials on edge ahead of 2024 election

CNN —

Prior to the breach of Donald Trump’s campaign this summer, Iranian hackers carried out a similar scheme targeting a former administration official and ex-confidant of John Bolton, Trump’s ex-national security adviser and vocal Iran critic.

Having gained access to the individual’s email account, the hackers sent a seemingly innocent request to a group of pro-US officials critical of Iran, asking them to review what was claimed to be a book the person was writing about nuclear programs in Iran and North Korea.

An email dated June 2022, which CNN obtained a copy of, stated, “I am close to finishing the manuscript and have begun asking experts like yourselves to review the chapters.”

The email urged the recipients to click on a link that purportedly led to the manuscript, but it actually contained malicious code that would grant hackers unrestricted access to their computers.

Shortly after the email went out, the individual alerted the FBI and cautioned colleagues in a follow-up email about a “highly sophisticated hack” impersonating them.

A CNN examination of the hacking syndicate, believed to operate on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC), offers new insights into the hackers’ multiyear campaign, including their focus on former members of both the Trump and Biden administrations.

In addition to the June 2022 incident, CNN also uncovered that earlier this year, the same hacker group targeted a former senior diplomat from the Biden administration in the Middle East using a nearly identical phishing tactic.

In April, the ex-diplomat received an apparently harmless email from an individual claiming to be a scholar at a well-known DC-based think tank.

Beginning with “Dear Ambassador,” the email, as per a CNN-acquired copy, detailed the think tank’s research on the “evolving dynamics of the Israel-Palestinian situation” and requested the ex-diplomat to allocate time for a discussion.

The success of the hacking endeavor remains uncertain. When contacted by CNN, the ex-diplomat opted not to provide any comments. However, gaining access to their email account could serve as a crucial entry point for the hackers to target Democratic foreign policy circles through a similar impersonation ruse.

Fomenting discord

The subtle yet persistent Iranian campaign to hack present and past US officials in various administrations has garnered renewed scrutiny from US intelligence agencies lately, with Iran emerging as one of the most assertive foreign actors endeavoring to stir discord before the 2024 presidential election.

In June, the same IRGC-affiliated hacker collective successfully penetrated the Trump campaign, pilfered internal campaign documents, and disseminated them to media outlets. These hackers compromised the email account of long-time Trump associate Roger Stone to target campaign personnel, as reported by CNN.

Roger Stone addresses Turning Point's convention on June 15, 2024, in Detroit.

The utilization of a hack-and-leak strategy by Iran, akin to the one Russia employed to impact the 2016 election, has put US officials on high alert regarding Tehran’s potential future actions.

A senior US official monitoring the situation told CNN, “By conducting a hack-and-leak, Iran is exhibiting not just cyber capabilities but also an intent to fuel societal divisions and exploit them against us. Iran appears increasingly willing to do so, and we must stand strong against such endeavors.”

Iran has consistently denied US accusations of cyberattacks, including the US intelligence agencies’ allegation that it conducted a hack-and-leak targeting the election.

US intelligence officials are apprehensive due to the uncertainty of when Iran might leverage any gained access to the email accounts of current and former US officials, whether for further intelligence gathering, document leaks, or other discord-sowing tactics.

The lack of predictability in Iran’s cyberspace activities is a major concern for US officials, who have attributed a cyberattack on Boston Children’s Hospital in 2021 to Tehran and highlighted Iran’s creation of a website in 2020 that menaced US election officials with bull’s-eyes superimposed over their facial photos.

Although Iran’s hacking capabilities are not as sophisticated as those of China, Russia, or the US, experts suggest that Tehran has developed a skilled group of cyber operatives that have consistently targeted critical infrastructure in the US and the Middle East over the past fifteen years.

A top FBI counterintelligence official shed light on Iran’s operational tactics in a rare interview last year.

Discussing Iran’s reliance on cyber operations, the FBI official shared with CNN, “Due to sanctions and the state of US relations, Iran has a smaller presence than [other US rivals and adversaries], which forces them to employ more innovative methods to gather the desired information. Hence, cyber operations are a critical tool in their arsenal.”

By targeting the email exchanges of journalists, think tank experts, and former US officials, the hacking group has revealed a keen interest in uncovering unpublished information, as noted by Josh Miller, a former FBI analyst who now monitors Iranian cyber groups at the email security firm Proofpoint. “Such information holds significant intelligence value,” he explained.

Cyber criminals and operatives

Some of Iran’s cyber activities have taken on a darker tone beyond standard espionage, with hackers affiliated with the IRGC seemingly tasked with gathering data that could be utilized for potential kidnapping and assassination schemes by the Iranian regime.

In a rare public address in November 2022, the head of the UK’s MI5 intelligence agency disclosed that there were at least 10 reported “potential threats” from Iran to abduct or eliminate individuals in the UK that year, with at least one plot reportedly aided by Iranian hacking operations, as per a UK official interviewed by CNN.

Masih Alinejad, a US-based Iranian journalist targeted in several assassination and abduction plots, revealed to CNN that she faces a constant barrage of text messages and emails from hackers attempting to breach her phone security.

Alinejad expressed, “Given that I possess the largest social media platform among opposition leaders and activists, the hackers persistently target me to gain access.”

While some Iranian expatriates claim to have been targeted by hackers linked to the IRGC, they refrain from speaking publicly due to concerns over their safety and privacy.

The former Trump official targeted by hackers in 2022, as part of the effort against critics of Iran, was hit just a few months before a member of the IRGC was charged by the Justice Department with attempting to kill Bolton. Proofpoint’s Miller explained to CNN that one possible motive behind targeting the ex-official was to monitor Bolton’s movements as part of the assassination conspiracy.

Bolton is just one among numerous former Trump administration members — including the ex-president himself — who Iran allegedly conspired to eliminate in retaliation for the 2020 US strike that killed the top IRGC commander Qasem Soleimani. (Iran denies the assassination plot claims.)

The count of Iranian “external operations” in different nations (including schemes for abduction, assassination, surveillance, or intimidation of targets) has sharply risen following Soleimani’s death, as per a report by the Washington Institute for Near East Policy. The research institution documented 115 such instances since Soleimani’s demise, which is over half the total number of operations since the establishment of the Islamic Republic of Iran in 1979.

Matthew Levitt, who heads the counterterrorism and intelligence program at the Washington Institute for Near East Policy, informed CNN that, “In recent years, Iranian cyber activities have expanded beyond mere espionage to gathering actionable intelligence on the whereabouts and movements of individuals targeted by Iran. This usually involves the creation of false identities and breaching into computer systems to stay undetected for extended periods for intelligence collection.”

During this election season, the FBI has probed both an Iranian cyberattack on the Trump campaign and an alleged Iranian conspiracy to assassinate the presidential candidate himself. Although the incidents are distinct, US authorities believe they stem from one deeply desperate regime.

“Iran views this year’s elections as particularly crucial in terms of the potential impact on its national security interests, heightening Tehran’s determination to influence the outcome,” US intelligence and security agencies along with the FBI stated in an August 19 release.
