Two years before Iranian hackers breached Donald Trump’s campaign this summer, they used a similar ploy to target a former administration official and onetime confidant of John Bolton, Trump’s national security adviser and prominent Iran critic.
After infiltrating the person’s email account, the hackers sent what seemed like a harmless request to a group of fellow US-based Iran hawks, asking them to review a supposed book the person was writing about Iranian and North Korean nuclear programs.
“I am close to finishing the manuscript and have begun asking experts like yourselves to review the chapters,” read the email from June 2022, a copy of which was obtained by CNN.
The email encouraged the half-dozen recipients to click a link that promised to take them to the supposed manuscript. Instead, it contained malicious code that would have granted the hackers unfettered access to the targets’ computers.
Not long after the email was sent, the person notified the FBI and warned colleagues in a subsequent email of a “pretty sophisticated hack” that was impersonating them.
A CNN review of the hacking group, which experts believe works on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC), reveals previously unreported details of the hackers’ multiyear operation, including how they have targeted former members of both the Trump and Biden administrations.
Along with the June 2022 incident, CNN has also learned that earlier this year, the same group of hackers targeted a former Biden administration senior diplomat in the Middle East with a nearly identical phishing scheme.
In April, the former diplomat received a seemingly innocuous email from someone who introduced themselves as a scholar at a prominent Washington, DC, think tank.
“Dear Ambassador,” the email began, according to a copy obtained by CNN. The message went on to explain that the think tank was researching the “evolving dynamics of the Israel-Palestinian situation” and would “be honored if you could spare an hour of your time for a discussion.”
It’s unclear whether the hacking effort succeeded. Reached by CNN, the ex-diplomat declined to comment. But access to their email account would likely provide a valuable foothold from which the hackers could target Democratic foreign policy circles through a similar impersonation scheme.
The quiet but relentless Iranian effort to hack current and former US officials across multiple administrations has attracted fresh attention from US intelligence agencies in recent weeks, as Iran has emerged as one of the most aggressive foreign powers trying to sow discord ahead of the 2024 presidential election.
In June, the same group of IRGC-linked hackers successfully targeted the Trump campaign, stole internal campaign documents and shared them with news organizations. The hackers breached the email account of longtime Trump ally Roger Stone to target campaign staff, CNN has reported.
Iran’s embrace of a hack-and-leak playbook that Russia used to target the 2016 election has US officials on high alert for what Tehran might do next.
“Conducting a hack-and-leak clearly shows not just cyber means, but an intention to stoke societal divides and use them against us,” a senior US official tracking the activity told CNN. “Iran is increasingly willing to do so, and we must remain resilient to those efforts.”
Iran has consistently denied US allegations of cyberattacks, including US intelligence agencies’ accusation that it had conducted a hack-and-leak targeting the election.
US intelligence officials are on edge partly because it’s hard to know when Iran would use the access it may have gained to current and former US officials’ email accounts, whether to collect more intelligence, leak documents or try to sow discord through other tactics.
Iran’s sheer unpredictability in cyberspace is a wild card for US officials, who have blamed Tehran for a cyberattack on Boston Children’s Hospital in 2021 and for creating a website in 2020 that threatened US election officials with bull’s-eyes over photos of their faces.
Iran’s hacking program is not as advanced as that of China, Russia or the US, but Tehran has built up a capable cadre of cyber operatives who have regularly attacked critical infrastructure in the US and the Middle East over the last decade and a half, according to experts.
A senior FBI counterintelligence official shed light on Iran’s modus operandi last year in a rare interview.
“Because Iran has a much smaller presence than [other US rivals and adversaries] in the US due to sanctions and due to the state of relations, they have to be more creative about how they collect the information they’re looking for,” the FBI official told CNN. “So cyber is a key tool for them.”
In going after the email correspondence of journalists, think tankers and former US officials, the hacking group has shown “a desire to know what doesn’t get published … what’s being held back,” said Josh Miller, a former FBI analyst who now tracks Iranian hacking groups at email security firm Proofpoint. “Because that has a lot of intelligence value.”
Hackers and assassins
There is a darker element to some Iranian cyber activity that goes well beyond traditional espionage. Hackers linked to the IRGC appear to have a broad mandate to collect data the Iranian regime might find useful for kidnapping and assassination plots.
In November 2022, the head of the United Kingdom’s MI5 spy agency made a rare public speech in which he revealed there had been at least 10 “potential threats” by Iran to kidnap or kill people in the UK in that year alone. At least one of those plots was aided by Iranian hacking efforts, a UK official told CNN.
Masih Alinejad, a US-based Iranian journalist who has been the target of multiple assassination plots, told CNN last year that she receives a near-daily stream of text messages and emails from hackers trying to break into her phone.
“They’re not leaving me alone at all because I have the biggest social media platform among all opposition leaders, all the opposition activists,” Alinejad said.
Other Iranian expatriates said they were targeted by suspected IRGC-linked hackers but declined to go on the record for fear of their safety or privacy.
The ex-Trump official whose email account was hijacked in 2022 to target critics of Iran was hacked just months before the Justice Department charged a member of the IRGC with trying to kill Bolton. One possible reason the hackers targeted the ex-official was to try to track Bolton’s movements as part of the assassination plot, Proofpoint’s Miller told CNN.
Bolton is just one of multiple Trump administration alumni — including the former president himself — whom Iran has allegedly plotted to kill to avenge the 2020 US killing of top IRGC commander Qasem Soleimani (Iran denies the assassination plot allegations.)
The number of Iranian “external operations” in various countries (defined as plots to kidnap, kill, surveil or intimidate targets) has surged since Soleimani’s killing, according to a study by the Washington Institute for Near East Policy. The think tank tallied 115 such operations since Soleimani’s death, more than half the total number of operations since the founding of the Islamic Republic of Iran in 1979.
“In recent years, Iranian cyber activity has broadened from espionage alone to efforts to collect actionable intelligence on the location and movements of people Iran seeks to target,” Matthew Levitt, head of the counterterrorism and intelligence program at the Washington Institute for Near East Policy, told CNN. “This typically involves creating false personae and penetrating computers to be able to sit in systems over long periods of time and collect intelligence.”
This election cycle, the FBI has already investigated both an Iranian hack of the Trump campaign and an alleged Iranian plot to kill the candidate himself. While separate activities, US officials believe they come from a singularly desperate regime.
“Iran perceives this year’s elections to be particularly consequential in terms of the impact they could have on its national security interests, increasing Tehran’s inclination to try to shape the outcome,” US intelligence and security agencies, including the FBI, said in an August 19 statement.