U.S. agencies attribute Trump campaign hack to Iran

CISA, the FBI and the Office of the Director of National Intelligence attributed a recent hack-and-leak attack on former President Donald Trump's 2024 election campaign to Iran.

U.S. intelligence institutions attributed the hack against former President Donald Trump's 2024 presidential campaign to Iranian state-sponsored threat actors in a statement published Monday.

The statement, issued jointly by CISA, the FBI and the Office of the Director of National Intelligence (ODNI), was shared with TechTarget Editorial Monday evening and referred to a breach of Trump's reelection campaign first reported by Politico on Aug. 10. The publication said it received anonymous emails with documents from inside Trump's campaign; the campaign confirmed a breach the same day.

A week and a half later, the three intelligence agencies jointly attributed this activity to Iran, stating that the breach was part of the nation's plan "to stoke discord and undermine confidence in our democratic institutions."

"The IC [U.S. Intelligence Community] is confident that the Iranians have through social engineering and other efforts sought access to individuals with direct access to the Presidential campaigns of both political parties," the statement read. "Such activity, including thefts and disclosures, are intended to influence the U.S. election process. It is important to note that this approach is not new. Iran and Russia have employed these tactics not only in the United States during this and prior federal election cycles but also in other countries around the world."

Politico said the Trump campaign accused Iran of the hack when it became public, with the campaign citing a Microsoft report about Iranian election interference from Aug. 8.

"Yet another Iranian group, this one connected with the Islamic Revolutionary Guard Corps, or IRGC, sent a spear phishing email in June to a high-ranking official on a presidential campaign from the compromised email account of a former senior advisor," Microsoft's report read. "The email contained a link that would direct traffic through a domain controlled by the group before routing to the website of the provided link. Within days of this activity, the same group unsuccessfully attempted to log into an account belonging to a former presidential candidate. We've since notified those targeted."

In its Monday statement, the agencies said Iran has demonstrated continued interest in gaining access to sensitive U.S. election data and exploiting societal tensions in order to sow chaos.

"In addition to these sustained efforts to complicate the ability of any U.S. administration to pursue a foreign policy at odds with Iran's interests, the IC has previously reported that Iran perceives this year's elections to be particularly consequential in terms of the impact they could have on its national security interests, increasing Tehran's inclination to try to shape the outcome," the statement read. "We have observed increasingly aggressive Iranian activity during this election cycle, specifically involving influence operations targeting the American public and cyber operations targeting Presidential campaigns."

Government officials and cybersecurity experts have called 2024 a particularly significant election year as approximately half of the world's population is expected to vote in a national election of some kind. During the opening keynote at security conference Black Hat USA 2024 earlier this month, European Union Agency for Cybersecurity COO Hans de Vries and the U.K.'s National Cyber Security Centre CEO Felicity Oswald said that although foreign actors have targeted elections their organizations were responsible for this year, the election process was ultimately successful. CISA Director Jen Easterly said during the same session that U.S. election infrastructure "has never been more secure."

On Tuesday, Recorded Future's Insikt Group published research regarding an Iran-nexus group it tracks as "GreenCharlie," which researchers said is conducting phishing attacks at the apparent behest of the IRGC.

"GreenCharlie's victimology includes research and policy analysts, government officials, diplomats, and high-value strategic targets," Recorded Future said. "While Insikt Group has not identified direct evidence of the targeting of US government and political campaign officials, open-source reporting has enabled us to establish a credible link."

CISA, the FBI and the ODNI noted that the recent hack-and-leak attack against the Trump campaign is not a new approach, and that Russian and Iranian state-sponsored actors have used such tactics in prior election cycles to influence the outcomes. In 2020, Iranian hackers made several attempts to disrupt the presidential election process and sow disinformation, including a campaign that sent intimidating emails to swing state voters that falsely claimed to be from the Proud Boys, a far-right group.

Monday's joint statement closed with an affirmation that "protecting the integrity of our elections from foreign influence or interference is our priority." The three agencies advised individuals to use strong passwords, regularly update software, and avoid opening suspicious links or attachments before verifying their authenticity.

"As the lead for threat response, the FBI has been tracking this activity, has been in contact with the victims, and will continue to investigate and gather information in order to pursue and disrupt the threat actors responsible," the agencies said. "We will not tolerate foreign efforts to influence or interfere with our elections, including the targeting of American political campaigns. As an interagency we are working closely with our public and private sector partners to share information, bolster security, and identify and disrupt any threats."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
