Inside Iran’s hacking operation that puts U.S. officials on the defensive ahead of 2024 election


Two years before Iranian hackers targeted Donald Trump’s campaign this summer, they used a similar ploy to target a former administration official and onetime confidant of John Bolton, Trump’s national security adviser and a prominent Iran critic.

After infiltrating the person’s email account, the hackers sent what appeared to be a harmless request to a group of U.S.-based Iranian hawks, asking them to review a book the person was supposedly writing about Iranian and North Korean nuclear programs.

“I am close to completing the manuscript and have started asking experts like yourself to review the chapters,” reads the June 2022 email, a copy of which was obtained by CNN.

The email enticed the six recipients to click on a link that promised to take them to the purported manuscript. In reality, the link led to malicious code that would have given the hackers unfettered access to the targets’ computers.

Shortly after the email went out, the person notified the FBI and warned colleagues in a follow-up email of a “pretty sophisticated hack” impersonating her.

A CNN investigation into the hacking group, which experts believe is working on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC), reveals never-before-seen details about the hackers’ multi-year operation, including how they targeted former members of the Trump and Biden administrations.

In addition to the June 2022 incident, CNN has also learned that earlier this year, the same hacking group targeted a former senior Biden administration diplomat in the Middle East with a nearly identical phishing scheme.

In April, the former diplomat received a seemingly innocuous email from someone identifying himself as a researcher at a prominent Washington, D.C., think tank.

“Dear Ambassador,” the email began, according to a copy obtained by CNN. The message went on to explain that the think tank was studying “the evolving dynamics of the Israeli-Palestinian situation” and would be “honored if you could dedicate an hour of your time to a discussion.”

It is unclear whether the hack was successful. Contacted by CNN, the former diplomat declined to comment. But access to his email account would likely provide a valuable foothold from which hackers could target Democratic Party foreign policy circles through a similar impersonation ploy.

Iran’s quiet but relentless efforts to hack current and former U.S. officials across multiple administrations have drawn new attention from U.S. intelligence agencies in recent weeks, as Iran has become one of the most aggressive foreign powers trying to sow discord ahead of the 2024 presidential election.

In June, the same IRGC-linked hacking group successfully targeted Trump’s campaign team, stealing internal campaign documents and sharing them with media outlets. The hackers compromised the email account of Roger Stone, a longtime Trump ally, and used it to target campaign staff, CNN reported.

Iran’s adoption of a strategy of hacking and information leaks that Russia used to target the 2016 election has put U.S. officials on alert about what Tehran might do next.

“The hacking and the leaks clearly demonstrate not only cyber capabilities but also an intent to inflame social divisions and use them against us,” a senior US official who follows the activity told CNN. “Iran is increasingly willing to do that, and we must remain resilient in the face of those efforts.”

Iran has consistently denied U.S. allegations of cyberattacks, including the accusation by U.S. intelligence agencies that it carried out a hack and leak targeting the election.

U.S. intelligence officials are on high alert in part because it is unclear when Iran might use the access it may have gained to the email accounts of current and former U.S. officials, whether to gather more intelligence, leak documents or try to sow discord through other tactics.

Iran’s behavior in cyberspace remains unpredictable to U.S. officials, who have blamed Tehran for a cyberattack on Boston Children’s Hospital in 2021 and for creating a website in 2020 that threatened U.S. election officials with photos of their faces.

Iran’s hacking program is not as advanced as that of China, Russia or the United States, but Tehran has built a capable cadre of cyber operators who have regularly attacked critical infrastructure in the United States and the Middle East over the past 15 years, experts say.

A senior FBI counterintelligence official shed light on Iran’s modus operandi last year in a rare interview.

“With Iran having a much smaller presence in the United States than its rivals and adversaries, because of sanctions and the state of relations, it has to be more creative in how it gathers the information it seeks,” the FBI official told CNN. “So cyberspace is a critical tool for it.”

By going after the emails of journalists, think tanks and former U.S. officials, the hacking group has shown “their desire to know what’s not being published … what’s being hidden,” said Josh Miller, a former FBI analyst who now tracks Iranian hacking groups for the email security firm Proofpoint. “Because that has great intelligence value.”

Hackers and Assassins

Some of Iran’s cyber activities have a darker side, going well beyond traditional espionage. Hackers linked to the IRGC appear to have a mandate to collect data that the Iranian regime might find useful in planning kidnappings and assassinations.

In November 2022, the head of Britain’s MI5 spy agency gave a rare public speech in which he revealed that at least 10 “potential threats” from Iran to kidnap or kill people in the UK had taken place that year. At least one of those plots was facilitated by Iranian hacking efforts, a British official told CNN.

Masih Alinejad, a US-based Iranian journalist who has been the target of multiple assassination plots, told CNN last year that she receives an almost daily stream of text messages and emails from hackers trying to break into her phone.

“They don’t leave me alone at all because I have the largest social media platform among all the opposition leaders, all the opposition activists,” Alinejad said.

Other Iranian expatriates have said they were targeted by hackers suspected of being linked to the IRGC, but have declined to speak publicly out of fear for their safety or privacy.

The former Trump official whose account was hijacked in 2022 to target Iran critics was hacked just months before the Justice Department charged an IRGC member with trying to kill Bolton. One possible reason the hackers targeted the former official was to try to track Bolton’s movements as part of the assassination plot, Proofpoint’s Miller told CNN.

Bolton is just one of several Trump administration alumni — including the former president himself — whom Iran allegedly plotted to kill in revenge for the 2020 US assassination of top IRGC commander Qasem Soleimani (Iran denies the assassination plot allegations).

According to a study by the Washington Institute for Near East Policy, the number of Iranian foreign operations in various countries (defined as plots to kidnap, kill, surveil, or intimidate targets) has increased since Soleimani’s death. The think tank counted 115 such operations since Soleimani’s death, more than half the total number of operations since the founding of the Islamic Republic of Iran in 1979.

“In recent years, Iranian cyber activities have expanded from simple espionage to gathering actionable intelligence on the locations and movements of individuals that Iran seeks to target,” Matthew Levitt, director of the counterterrorism and intelligence program at the Washington Institute for Near East Policy, told CNN. “That typically involves creating fake identities and hacking into computers so they can sit on systems for extended periods of time and collect intelligence.”

This election cycle, the FBI has already investigated an Iranian hack of the Trump campaign and an alleged Iranian plot to kill the candidate himself. While these activities are separate, U.S. officials believe they come from a particularly desperate regime.

“Iran views this year’s elections as particularly important in terms of the impact they could have on its national security interests, increasing Tehran’s propensity to try to shape the outcome,” U.S. intelligence and security agencies, including the FBI, said in an Aug. 19 statement.