In September, Microsoft reported on cyber-attacks it has detected targeting people and organizations involved in the upcoming November presidential election. According to the report, three groups from Russia, China, and Iran were involved identified as:
- Strontium, operating from Russia, has attacked more than 200 organizations including political campaigns, advocacy groups, parties, and political consultants
- Zirconium, operating from China, has attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community
- Phosphorus, operating from Iran, has continued to attack the personal accounts of people associated with the Donald J. Trump for President campaign
It should be noted that in August 2020, the U.S. Department of Defense named Russia, China, and Iran as the main players which cyber experts are looking at concerning the November election. A US National Security Agency election security specialist reportedly said during a recent panel that “Iran is also getting into the influence game…and is learning from what other adversaries are doing.” A Reuters investigation has found more than 70 websites that push Iranian propaganda to 15 countries, in an operation that cybersecurity experts, social media firms and journalists are only starting to uncover.
Various media outlets and think-tanks previously looked at the Iranian group Phosphorous:
- According to a cybersecurity website, the group is also named APT 35, Charming Kitten and Ajax Security Team. It reportedly works for Iranian Intelligence and has a history of infiltrating government networks of adversaries in the past.
- The Brookings Institute, a U.S. think-tank, noted that Phosphorous has been associated with phishing attacks, in which the email appears to come from an antivirus email but is actually laced with malware.
- In 2019 Reuters noted that over 30 days in August and September, Phosphorous made more than 2,700 attempts to identify consumer accounts, then attacked 241 of them.
- An analysis by the United States Institute of Peace (USIP) said Phosphorous was behind an October 2019 failed attempt to breach accounts connected with President Trump’s re-election campaign as well as the accounts of journalists and U.S. officials.
The same USIP report also named Phosphorous as among five known Iranian hacker groups that also included:
- Izz ad-Din al-Qassam Cyber Fighters – This group claimed responsibility for the DDoS cyberattacks against U.S. financial institutions in September 2012. The same month, Sen. Joe Lieberman claimed that the group was connected to the IRGC’s elite Qods Force.
- APT33 (aka Elfin, Refined Kitten, Holmium) – This group carried out cyber espionage operations against aviation, military, and energy targets in the United States, Saudi Arabia and South Korea. Cybersecurity firm FireEye linked APT33 to the Iranian government.
- OilRig – This group focused on private industry targets outside of Iran, most famously hacking Sheldon Adelson’s Las Vegas Sands Corporation in February 2014. The group was, in turn, hacked by Turla, a Russian FSB-associated group. The Russians used the hijacked group to hack targets in the Middle East and the United Kingdom, according to U.S. and British officials in October 2019.
- Iranian Dark Coders Team – This hacking collective primarily focused on cyber-vandalism. It defaced American and Israeli websites with pro-Hezbollah and pro-Iran propaganda in 2012. The group has not been tied to the Iranian government and may consist of freelancers or criminal elements.
The GIOR reported earlier on FBI indictments of deven Iranian hackers charged in connection with yber intrusions and fraud, vandalism of U.S. websites, and intellectual property theft from U.S. aerospace and satellite technology companies.