With the U.S. presidential election months away, advanced persistent threat (APT) groups are targeting the campaign staffers of both Donald Trump and Joe Biden in recent phishing attacks.
On Thursday, Shane Huntley with Google’s Threat Analysis Group said on Twitter that two separate phishing campaigns were recently detected. A China-linked APT group targeted Biden’s campaign staff, while an Iran-linked APT targeted Trump’s.
A Google spokesperson confirmed in a statement to Threatpost that in both incidents, the attackers took aim at staffers’ personal emails, and there was no evidence that the attempts were successful.
“We sent the targeted users our standard government-backed attack warning and we referred this information to federal law enforcement,” the spokesperson told Threatpost. “We encourage campaign staff to use extra protection for their work and personal emails.”
Huntley said that the China-linked APT targeting Biden’s campaign staff was APT 31 (also known as Zirconium). According to reports, this threat actor is tied to the Chinese government; however, little is known about its tactics and techniques.
Huntley pointed to APT 35 (also known as Charming Kitten) as the group targeting Trump’s campaign staff. The Iran-linked hacking group has been known to use phishing as an attack vector, and in February was discovered targeting public figures in phishing attacks that stole victims’ email-account information. Earlier this year, Microsoft also took control of 99 websites utilized by APT 35 in attacks.
No further information regarding the timeline, scale and lures involved in the campaign phishing emails was shared by Google.
The impacts of a successful phishing attack against presidential campaign staffers could be particularly dangerous as the Nov. 3 elections draw closer, security experts told Threatpost.
“As we have seen in recent history, APT groups targeting political campaigns is nothing new,” Charles Ragland, security engineer at Digital Shadows, told Threatpost. “These groups may be looking to use information that they obtain to sow discord in the country of the ongoing campaign. They may also use it for more traditional intelligence collection to inform other actions. As more and more communication is done online, this trend is likely to continue.”
Election campaigns are a hot spot for cybercriminals looking for these types of information. Last year, a group of hackers tied to Iran attempted to break into accounts associated with the 2020 reelection campaign of President Trump. Researchers from the Microsoft Threat Intelligence Center associated the activity with a group called Phosphorus.
“Mobile phishing has increased as an approach of malicious actors to steal user credentials by tricking users into entering those credentials into fake cloud services portals used by political campaigns,” Chris Hazelton, director of Security Solutions at Lookout, told Threatpost. “There has been a significant increase in mobile phishing attacks among political campaigns.”