Iran’s Islamic Revolutionary Guard Corps is the driving force behind a sophisticated, multipronged effort to digitally disrupt the U.S. presidential election, cybersecurity professionals say.
The IRGC, they say, is relying on groups of high-level specialists in deceptive and covert operations to hack into campaigns and swing-state governments to spread propaganda and trick American voters.
The U.S. intelligence community issued a rare alert Monday saying Iranian cyberattackers sought to pry inside the presidential campaigns of both major political parties and were responsible for efforts to penetrate Republican Donald Trump’s team. Iran has denied any wrongdoing and said the U.S. government must provide evidence for its allegations.
“The Islamic Republic of Iran harbors neither the intention nor the motive to interfere with the U.S. presidential election,” Iran’s mission to the United Nations said in an email. “Should the U.S. government genuinely believe in the validity of its claims, it should furnish us with the pertinent evidence — if any — to which we will respond accordingly.”
American technology companies have compiled extensive data documenting the attempted cyberattacks.
Cybersecurity professionals say Iran is relying on attackers tracked under the overlapping names Mint Sandstorm, Charming Kitten, APT35 and APT42 to hack into campaigns.
Hackers tracked as Peach Sandstorm, Refined Kitten and APT33 are targeting swing-state governments.
Analysts say the International Union of Virtual Media and Storm-2035 are responsible for efforts to misinform American voters.
Membership in these groups changes often, said Chuck Freilich, senior researcher at Israel’s Institute for National Security Studies. He wrote earlier this year that the shifting associations help blur the lines and camouflage operations.
“The Basij, a paramilitary force under the [IRGC] and that is responsible for domestic order, claims to have 1,000 cyber battalions around the country,” he wrote. “The Basij outsources cyberattacks to some 50 different hacktivist groups, which operate independently, compete for contracts, and have their own modus operandi and targets.”
The web of cyberattackers
Hackers that cybersecurity companies track as various “kittens” are among the groups competing for business, said Mr. Freilich, former deputy national security adviser in Israel.
Microsoft has identified the cyberattacking group Charming Kitten as Mint Sandstorm and assessed that it is run by the IRGC’s intelligence unit.
In a report this month, the technology company said the hackers targeted a high-ranking official of a presidential campaign in June using a compromised account of a former senior adviser.
Microsoft did not identify the target, but the Trump campaign said it had been hacked and its internal documents leaked to U.S. media outlets. It said Iran played a role. Microsoft declined to comment for this article.
This time, Mint Sandstorm attempted to penetrate a campaign using a former adviser’s email. In other instances, hackers have disguised themselves as journalists, according to cybersecurity firm Hive Pro, which has offices in Virginia, India and the United Arab Emirates.
“We have seen as a trend that all the emails which they send introduce themselves as journalists and then from there onwards, they proceed,” said Purvi Garg, head of products at Hive Pro. “This is the trend that we have seen. Not necessarily that all their emails are specific to that but most of them are related to this.”
Microsoft said Mint Sandstorm has been active since at least 2013. In January, it said Google’s Mandiant division refers to the group as APT42.
Google’s Threat Analysis Group said last week that it had disrupted APT42’s attempts to hack into Mr. Trump’s and President Biden’s campaigns in May and June. The APT42 attack targeted “roughly a dozen individuals,” said Google, connecting the malicious cyber activity directly to the IRGC.
Target: Swing states
Iranian hackers are not exclusively interested in the major candidates’ campaigns. Microsoft has observed Peach Sandstorm targeting swing states.
Microsoft links Peach Sandstorm, also known as Refined Kitten and APT33, to the IRGC and said it observed the group compromising a “user account with minimal access permissions at a county-level government in a swing state.”
“Since early 2023, Peach Sandstorm’s operations have focused on strategic intelligence collection … with some targeting of U.S. government organizations, often in swing states,” Microsoft said in its report.
Establishing clear links between hackers and governments is difficult.
In 2017, a Mandiant team said it discovered the user “xman_1365_x” appeared to be involved in the development and use of a technical backdoor created by APT33. Mandiant said the user had ties to the Iranian-controlled Nasr Institute, which has launched attacks against the financial industry.
Information sharing among cybersecurity professionals also helps assemble clues into meaningful digital forensics.
Ms. Garg said Hive Pro collects data, scours the darknet and has an internal team validating information. She said Hive Pro checks with other companies, such as Microsoft, to cross-reference its information.
Last week, OpenAI said information from Microsoft helped investigate an Iranian influence network using its popular chatbot ChatGPT.
“We identified and took down a cluster of ChatGPT accounts that were generating content for a covert Iranian influence operation identified as Storm-2035,” OpenAI said on its website. “We have banned these accounts from using our services, and we continue to monitor for any further attempts to violate our policies.”
The Iranian influence effort created long-form articles for websites posing as liberal and conservative news outlets and generated content for social media under a similar disguise. The content covered various topics, including the U.S. presidential election, the conflict in the Gaza Strip and Israel’s presence at the Olympics.
Other cybersecurity firms have spotted Iran’s covert social media influence efforts. Recorded Future said it observed a campaign affiliated with Iran’s International Union of Virtual Media.
Sean Minor, who investigates influence operations for Recorded Future, said during a recent webinar that IUVM was responsible for a digital campaign to make voters think the attempted assassination of Mr. Trump was fiction.
The Treasury Department sanctioned IUVM in October 2020 for efforts to influence elections. The department said the IUVM was controlled by the IRGC’s Quds Force.
Publicly exposing Iran’s covert influence efforts is unlikely to be enough to stop its agenda. U.S. intelligence officials have branded Iran a “chaos agent” in the upcoming election, in contrast with other foreign adversaries such as China, which appears far more cautious and calculating.
Hacking operations and anti-American propaganda are unlikely to be the only items on Iran’s menu for digitally disrupting U.S. elections.
Last month, the FBI and the Cybersecurity and Infrastructure Security Agency warned of potential distributed denial-of-service attacks that could overwhelm election-related websites with traffic as the November contests approach.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.