Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Iranian Hackers Indicted for Cyberattacks on Trump Campaign

Feds: 3 Defendants Acted on Behalf of Iran’s Military to Interfere With US Election
Iranian Hackers Indicted for Cyberattacks on Trump Campaign
From left, Masoud Jalili, Seyyed Ali Aghamiri and Yasar Balaghi (Images: U.S. Department of Justice)

The U.S. government indicted and sanctioned several Iranian hackers Friday for allegedly stealing Trump campaign materials and interfering in the 2024 presidential election.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

Federal prosecutors said three people linked to Iran's Islamic Revolutionary Guard Corps compromised people connected to political campaigns and attempted to weaponize the stolen campaign material by releasing it to the media. Masoud Jalili, Seyyed Ali Aghamiri and Yasar Balaghi allegedly used VPNs, malware and spoofed logins pages to gain access to victim's computers and steal information.

“These hack-and-leak efforts by Iran are a direct assault on the integrity of our democratic processes,” said Assistant Attorney General Matthew G. Olsen. “Iranian government actors have long sought to use cyber-enabled means to harm U.S. interests. This case demonstrates our commitment to expose attempts by the Iranian regime or any other foreign actor to interfere with our free and open society.”

The Department of Treasury sanctioned Jalili for hack-and-leak operations and spear-phishing to access and leak sensitive campaign data, with the intent of manipulating the election process. Treasury additionally sanctioned six other Iranians for intimidating voters by stealing their information and spreading disinformation during the 2020 U.S. presidential election.

The Department of State is offering up to $10 million for information on Jalili, Aghamiri and Balaghi, the Iranian Revolution Guard's interference in U.S. elections, or associated individuals and entities. The government portrayed the hacking operation as retaliation for the January 2020 assassination of Qasem Soleimani, the longtime commander of the Iranian Revolutionary Guard's Qods Force.

How the Iranian Hackers Got In, Expanded Access

The hacking campaign began in January 2020 and intensified in May 2024 after the group gained access to personal accounts of key officials for a U.S. presidential candidate and used the access to take internal documents and sensitive emails. The candidate is not identified in the 37-page indictment, but is understood to be former President Donald Trump based on prior statements from the U.S. government (see: FBI Confirms Iranian Hack Targeting Trump Campaign).

The hackers created fraudulent personas to impersonate trusted individuals like government officials and organizations, and obtained the credentials for Trump campaign officials via spearphishing, the indictment said. Hackers sent malicious attachments or links in emails that downloaded malware onto the victim's computers, providing hackers with remote access to compromised devices.

Jalili, 36, Aghamiri, 34, and Balaghi, 37, allegedly used static IP addresses and VPNs to hide their actual locations, allowing them to conduct operations without being easily traced back. Once a system was compromised, the trio used cloud services to host their malware and hacking infrastructure, ensuring they could continue their attacks even after the initial breach.

The first phase of the Iranian operation was focused on stealing emails and documents from the Trump campaign in May 2024, prosecutors allege. Then in late June, the hackers began engaging in a "hack-and-leak" operation, where they intended to weaponized the stolen campaign material by leaking it to the media as well as individuals associated with the campaign of U.S. President Joe Biden.

5 Trump Campaign Officials Had Personal Accounts Compromised

Five Trump campaign officials had their personal accounts compromised between May and August of this year, according to prosecutors. This includes: a former political consultant whose two personal email accounts were compromised; an official whose compromise gave the hackers access to sensitive campaign information; and an attorney engaged in legal communication with the campaign team.

By breaching the former political consultant and campaign official, the hackers were able to steal debate preparation documents as well as discussions about potential vice-presidential candidates, prosecutors said. In June, the hackers use the former political consultants email account to send a phishing email to another high-level Trump campaign official, though this particular attempt was unsuccessful.

On July 22, 2024, Iranian hackers emailed multiple media outlets stating they had access to confidential campaign information, including vice-presidential campaign materials. In July and August, prosecutors said Iranian hackers attempted to persuade reporters by publish damaging information by offering stolen emails from the Trump campaign. They distributed more stolen information as August processed.

Iranian hackers relied on spearphishing, fake domains and persona accounts as part of a methodical, sustained effort to infiltrate sensitive U.S. institutions, according to prosecutors. Their operations were not only about stealing information but also about leaking that information in a deliberate attempt to sway public opinion and destabilize the U.S. electoral process, officials said.

“This indictment alleges a serious and sustained effort by a state-sponsored terrorist organization to gather intelligence through hacking personal accounts so they can use the hacked materials to harm Americans and corruptly influence our election,” said U.S. Attorney for the District of Columbia Matthew Graves. “The detailed allegations in the indictment should make clear to anyone who might attempt to do the same that the Justice Department has the ability to gather evidence of such crimes."


About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.