Gone phishin' —

Iran- and China-backed phishers try to hook the Trump and Biden campaigns

It's starting to feel a lot like 2016.


State-backed hackers from Iran and China recently targeted the presidential campaigns of Republican President Donald Trump and Democrat Joe Biden, a Google threat analyst said on Thursday.

The revelation is the latest evidence of foreign governments attempting to gain intelligence on US politicians and potentially disrupt or meddle in their election campaigns. An Iran-backed group targeted the Trump campaign, and China-backed attackers targeted the Biden campaign, Shane Huntley, head of Google’s Threat Analysis Group, said on Twitter. Both groups used phishing emails. There’s no indication that either attack campaign succeeded.

Kittens and Pandas

Huntley identified the Iranian group that targeted Trump’s campaign as APT35, short for Advanced Persistent Threat 35. Also known as Charming Kitten, iKittens, and Phosphorus, the group was caught targeting an unnamed presidential campaign before, Microsoft said last October. In that campaign, Phosphorus members attempted to access email accounts that campaign staff received through Microsoft cloud services. Microsoft said the attackers worked relentlessly to gather personal information that could be used to trigger password resets and other account-recovery services Microsoft provides.

The Chinese group known as APT31, meanwhile, targeted the Biden campaign, Huntley said. The group, which security researchers also call Hurricane Panda, Black Vine, and Zirconium, “is a highly advanced adversary” that in 2014 exploited a zero-day vulnerability in Microsoft Windows, researchers from security firm CrowdStrike said at the time.

Google responds

Huntley said that Google officials sent the campaigns the company’s standard warning that they were targeted by government-backed hacking. The company began the practice in 2012. To protect its sources and methods, Google doesn’t send the notifications immediately; instead it dispatches them in large batches. Google also referred the matter to law enforcement.

In a statement, a Google spokesman wrote:

We can confirm that our Threat Analysis Group recently saw phishing attempts from a Chinese group targeting the personal email accounts of Biden campaign staff and an Iranian group targeting the personal email accounts of Trump campaign staff. We didn’t see evidence that these attempts were successful. We sent the targeted users our standard government-backed attack warning and we referred this information to federal law enforcement. We encourage campaign staff to use extra protection for their work and personal emails, and we offer security resources such as our Advanced Protection Program and free security keys for qualifying campaigns.

Hacking political parties and campaigns has been a chief concern ever since two Russian hacking groups were caught breaking into the network of the Democratic National Committee in 2016, ahead of that year's presidential election. The breaches were largely achieved using credential-phishing emails that tricked staff members into entering their passwords into attacker-controlled lookalike login pages.

Multiple US intelligence agencies later concluded that Russia engaged in a sustained hacking and disinformation campaign with the goal of disrupting the US democratic process and boosting then-candidate Trump's chances of winning the election.

Google provides the above-mentioned Advanced Protection Program, a service designed to protect politicians, election workers, journalists, and other people who are frequently targeted by hackers. The program requires a physical security key to be used as a second factor when logging in to Gmail and other Google services from new devices. APP would very likely have thwarted the 2016 phishing attacks, since merely stealing a password is insufficient to gain unauthorized access: a security key signs a login challenge only for the genuine site's origin, so a password captured on a lookalike page, even together with a one-time code the victim types into that page, cannot be replayed against the real account.
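To make concrete why a security key defeats the credential phishing described above (the 2016 DNC break-ins and the relayed-code attacks that a security key is meant to stop), the following simulation is an added example written for this article; it is not Google's or any vendor's code. It models the two checks that give FIDO keys their phishing resistance: the browser refuses to ask the key for a signature unless the page's host matches the relying party ID, and the relying party rejects any signed assertion whose embedded origin is not its own. As a simplification (an assumption, not how real keys work), an HMAC shared at enrollment stands in for the key's private-key signature; the origin-binding logic is unchanged. Every domain, password and secret is constructed. For contrast, the same phishing page is shown relaying a password plus a TOTP code within its 30-second window, which the relying party accepts.

```python
"""Why a FIDO security key stops credential phishing while a relayed TOTP code does not.
Added demo, not Google's code; an HMAC stands in for the key's signature (assumption).
All domains, passwords and secrets are constructed."""
import hashlib, hmac, json, secrets, struct

RP_ID = "accounts.example.com"                                  # constructed
REAL_ORIGIN = "https://accounts.example.com"                    # constructed
PHISH_ORIGIN = "https://accounts-example.com.verify-login.net"  # constructed lookalike

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP (30 s step, 6 digits) over an RFC 4226 HOTP core."""
    mac = hmac.new(secret, struct.pack(">Q", now // 30), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

class SecurityKey:
    """Stand-in for a FIDO authenticator holding one credential per relying party."""
    def __init__(self):
        self._creds = {}  # (rp_id, cred_id) -> signing key

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = key
        return cred_id, key  # the RP keeps the verification key from enrollment

    def get_assertion(self, rp_id, cred_id, origin, challenge):
        # The signed client data names the origin the browser reports; that is the binding.
        client_data = json.dumps({"origin": origin, "challenge": challenge}, sort_keys=True).encode()
        return client_data, hmac.new(self._creds[(rp_id, cred_id)], client_data, hashlib.sha256).digest()

def browser_get_assertion(key, rp_id, cred_id, page_origin, challenge):
    """Browser-side rule: the page's host must be rp_id or a subdomain of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId does not match the page origin")
    return key.get_assertion(rp_id, cred_id, page_origin, challenge)

class RelyingParty:
    def __init__(self):
        self.users, self.pending = {}, set()

    def enroll(self, user, password, totp_secret, cred):
        self.users[user] = {"pw": password, "totp": totp_secret, "cred": cred}

    def login_totp(self, user, password, code, now):
        u = self.users[user]
        return password == u["pw"] and hmac.compare_digest(code, totp(u["totp"], now))

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def login_key(self, user, password, client_data, sig):
        u = self.users[user]
        cred_id, key = u["cred"]
        if password != u["pw"] or not hmac.compare_digest(hmac.new(key, client_data, hashlib.sha256).digest(), sig):
            return False
        data = json.loads(client_data)
        if data["challenge"] not in self.pending:
            return False  # replayed or never issued
        self.pending.discard(data["challenge"])
        return data["origin"] == REAL_ORIGIN  # the phishing-resistance check

def setup():
    rp, key = RelyingParty(), SecurityKey()
    cred_id, vkey = key.make_credential(RP_ID)
    rp.enroll("staffer", "hunter2", secrets.token_bytes(20), (cred_id, vkey))
    return rp, key, cred_id

def legit_key_login():
    rp, key, cred_id = setup()
    cd, sig = browser_get_assertion(key, RP_ID, cred_id, REAL_ORIGIN, rp.new_challenge())
    return rp.login_key("staffer", "hunter2", cd, sig)  # True

def phish_password_and_totp(now=1_600_000_000):
    """The fake page collects password and current code and replays them within the 30 s window."""
    rp, _, _ = setup()
    typed_code = totp(rp.users["staffer"]["totp"], now)  # the victim read it off their phone
    return rp.login_totp("staffer", "hunter2", typed_code, now)  # True: attacker is in

def phish_password_and_key():
    """Same fake page relaying a real challenge to the victim's browser; the key never signs."""
    rp, key, cred_id = setup()
    try:
        browser_get_assertion(key, RP_ID, cred_id, PHISH_ORIGIN, rp.new_challenge())
    except PermissionError:
        return "browser refused"
    return "assertion leaked"

def replay_phish_origin_assertion():
    """Even an assertion signed on the lookalike origin (browser check bypassed) fails at the real site."""
    rp, key, cred_id = setup()
    cd, sig = key.get_assertion(RP_ID, cred_id, PHISH_ORIGIN, rp.new_challenge())
    return rp.login_key("staffer", "hunter2", cd, sig)  # False

if __name__ == "__main__":
    print({f.__name__: f() for f in (legit_key_login, phish_password_and_totp, phish_password_and_key, replay_phish_origin_assertion)})
```

Running the file prints the four outcomes: the genuine login succeeds, the relayed password-plus-TOTP login also succeeds (the attack the article's 2016 example and today's code-based second factors are exposed to), the phishing page never obtains a key assertion at all, and an assertion somehow produced on the lookalike origin is still rejected because the origin travels inside the signed data. The second of those two checks is the one a relying party must implement itself; skipping the origin comparison is the common integration mistake.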
