The Iranians who hacked Trump’s campaign possess a significant level of expertise

According to researchers and experts who monitor the Iranian hacking team that hacked the campaign of Republican presidential candidate Donald Trump, the group plants surveillance software on the mobile phones of its victims, which lets it record calls, steal text messages, and silently activate cameras and microphones.

The cybersecurity research community refers to the accused Iranian hackers as APT42 or Charming Kitten. They are widely suspected of being affiliated with the Intelligence Organization of the Islamic Revolutionary Guard Corps (IRGC-IO), an intelligence division internal to Iran’s military. Their involvement in the U.S. election is significant, according to sources who spoke with Reuters, because of their history of invasive surveillance against high-value targets in Israel and Washington.

“The idea that they are an organization that has a history of physically targeting people of interest is what makes (APT42) incredibly dangerous,” said John Hultquist, chief analyst at U.S. cybersecurity firm Mandiant. He cited previous research, which revealed that the group was monitoring the cell phones of Iranian activists and protesters. In the aftermath of their hacking, a number of them were either physically threatened or imprisoned in the country.

A spokesperson for Iran’s permanent mission to the United Nations in New York stated in an email that the Iranian government “does not possess or harbor any intent or motive to interfere in the United States presidential election.”

A spokesperson for Trump has stated that Iran is targeting the former president and current Republican candidate due to their disagreement with his policies regarding Tehran.

VERY SPECIFIC

Questions regarding their identity and structure remain, as the APT42 crew that targeted Trump has never been formally identified in U.S. law enforcement indictments or criminal charges. Nevertheless, they are considered a substantial concern by experts.

According to Levi Gundert, chief security officer of the U.S. cyber intelligence firm Recorded Future and a former Secret Service special agent, the IRGC-IO is responsible for gathering intelligence to protect and advance the interests of the Islamic Republic. “They, in conjunction with the Quds Force, are the most influential security and intelligence organizations within Iran.”

British authorities had previously stated that Iran International, a U.S.-based media organization, was the target of physical violence and terror threats by Iranian-linked agents. In March, Recorded Future analysts detected hacking attempts by APT42 toward Iran International.

The hackers frequently employ mobile malware, according to Hultquist, which enables them to “record phone calls, room audio recordings, pilfer SMS (text) inboxes, take images off of a machine,” and gather geolocation data.

In recent months, Trump campaign officials cautioned employees to prioritize information security, according to an individual familiar with the correspondence. The individual, who requested anonymity because they were not authorized to speak to the media, said the message warned that mobile phones were no more secure than other devices and constituted a significant vulnerability.

The Trump campaign did not respond to a request for comment. The FBI and the Office of the Director of National Intelligence both declined to comment.

The Secret Service did not address questions about whether the Iranian hacking activity was intended to facilitate future physical attacks. A Secret Service spokesperson said in a statement that the agency collaborates closely with intelligence community partners to guarantee the “utmost level of safety and security,” but that it could not address matters “related to protective intelligence.”

Additionally, APT42 frequently employs sophisticated, email-based social engineering operations to impersonate journalists and Washington think tanks. These operations are designed to entice their intended targets into opening booby-trapped messages, which enables them to take control of systems.

Joshua Miller, a threat analyst at Proofpoint, an email security company, stated that the group’s “credential phishing campaigns are highly targeted and well-researched; the group typically targets a small number of individuals.” Targeting Middle Eastern academics, foreign-policy advisers, reporters with access to sources inside Iran, and anti-Iran activists is a frequent strategy. This has involved the hacking of American defense contractors and western government officials.

For instance, Allison Wikoff, a senior cyber intelligence analyst at PricewaterhouseCoopers, stated that the hackers targeted nuclear workers and U.S. Treasury department officials in 2018, in the vicinity of the United States’ formal withdrawal from the Joint Comprehensive Plan of Action (JCPOA).

APT42’s public emergence in the ongoing presidential election began earlier this month with an Aug. 9 report by Microsoft (MSFT.O), which said the group was attempting to hack staffers on an unnamed presidential campaign.

According to a blog post authored by Google’s cybersecurity research team, APT42 continues to target campaign officials and former Trump administration figures who are critical of Iran.
