
U.S. government charges three Iranians in Trump campaign hack 

The individuals allegedly used spearphishing and malware to target the accounts of “dozens” of current and former U.S. officials. 
Former U.S. President Donald Trump during the National Guard Association of the United States' 146th General Conference & Exhibition at Huntington Place Convention Center on Aug. 26 in Detroit, Michigan. (Photo by Emily Elconin/Getty Images)

The Department of Justice unsealed charges against three Iranian nationals Friday for their alleged involvement in hacking Donald Trump’s presidential campaign.

Masoud Jalili, Seyyed Ali Aghamiri and Yaser Balaghi are charged with conspiracy to obtain information from a protected computer, fraud, aggravated identity theft, wire fraud, providing material support to a terrorist organization, and aiding and abetting in an offense against the United States.

According to an indictment filed Sept. 26 in the District Court for the District of Columbia, the three individuals were tasked by Iran’s Islamic Revolutionary Guard Corps (IRGC) with carrying out a “wide-ranging hacking campaign” using social engineering and spearphishing to target the online accounts of current and former U.S. government officials, individuals associated with U.S. political campaigns, members of the press and nongovernmental organizations.

FBI Director Christopher Wray described the alleged crimes carried out by the three Iranian hackers as part of “an attempt to sow discord and undermine our democracy.”


“Let’s be clear what we’re talking about here: attempts by a hostile foreign government to steal campaign information from one presidential candidate and then shopping around both to that candidate’s opponent and the media,” Wray said. “And while there’s no indication that any of the recipients of the stolen campaign information actually replied, Iran’s intent was clear: to sow discord and shape the outcome of our elections.”

According to court documents, on or around May 23, the hackers unsuccessfully attempted to log in to the email account of an individual (“Victim 10”), spurring the email provider to issue a password recovery code. The hackers then used IRGC infrastructure and a static IP address to access the email account of Victim 10, which was used to compromise the personal account of an official at an unnamed U.S. presidential campaign.
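The login sequence described here (a failed sign-in, a recovery code issued shortly after, then a successful sign-in from a different address) is a pattern an email provider or security team can look for in its own authentication logs. The following detector is an added illustration, not part of the article or the indictment; the log lines are constructed and the field layout and event names are assumptions.

```python
"""Flag accounts where a failed login is followed within a short window by a
password-recovery code and then a successful login from a different IP.
Sample log lines are constructed for this example; the format is assumed."""
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, account, event, source IP ("-" if none).
SAMPLE_LOG = """\
2024-05-23T14:02:11Z victim10@example.com LOGIN_FAILED 198.51.100.7
2024-05-23T14:02:40Z victim10@example.com RECOVERY_CODE_SENT -
2024-05-23T14:09:05Z victim10@example.com LOGIN_OK 203.0.113.45
2024-05-23T15:10:00Z staffer@example.com LOGIN_FAILED 192.0.2.9
2024-05-23T15:30:00Z staffer@example.com LOGIN_OK 192.0.2.9
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (time, account, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, event, ip))
    return events


def find_recovery_takeovers(events, window=timedelta(minutes=30)):
    """Return (account, failed_ip, success_ip) for each account where a failed
    login is followed within `window` by a recovery code and then a successful
    login from an IP other than the one that failed. A failed login with no
    recovery code in between (the staffer line above) is not reported."""
    hits = []
    by_account = {}
    for ev in sorted(events):
        by_account.setdefault(ev[1], []).append(ev)
    for account, evs in by_account.items():
        for i, (t_fail, _, kind, fail_ip) in enumerate(evs):
            if kind != "LOGIN_FAILED":
                continue
            recovery_seen = False
            for t, _, k, ip in evs[i + 1:]:
                if t - t_fail > window:
                    break
                if k == "RECOVERY_CODE_SENT":
                    recovery_seen = True
                elif k == "LOGIN_OK" and recovery_seen and ip != fail_ip:
                    hits.append((account, fail_ip, ip))
                    break
    return hits


if __name__ == "__main__":
    for hit in find_recovery_takeovers(parse_log(SAMPLE_LOG)):
        print("possible recovery-code takeover:", hit)
```

In practice the window and the "different IP" test would be tuned to the provider's own data, and a hit should trigger a review of the recovery channel (the address or phone the code was sent to) as well as the session.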

Those details match up with the hack-and-leak operation targeting the Trump campaign revealed earlier this year and later confirmed by U.S. intelligence agencies. Victim 10 is never explicitly identified as Roger Stone in the indictment, but is described as “a former, informal political consultant to the presidential candidate of U.S. presidential campaign 1.” The account compromise and proximity to the Trump campaign align with statements Stone has made confirming his email accounts were compromised. 

Alongside the indictments, the U.S. Treasury Department announced sanctions against seven Iranian nationals for their roles in targeting this year’s elections, as well as those held in 2020. Those sanctions are levied against workers at Emmennet Pasargad, an Iranian cybersecurity company at the heart of the 2020 election interference operation.

The State Department also announced a reward of up to $10 million for information about the people involved in or who supported the operation. A cybersecurity advisory signed by the FBI, U.S. Cyber Command — Cyber National Mission Force, Department of Treasury and the U.K.’s National Cyber Security Centre shared details on the group’s tactics and mitigations for their activity.


A spokesperson for the Permanent Mission of the Islamic Republic of Iran to the United Nations did not immediately respond to a request for comment Friday. The spokesperson has repeatedly denied Iran’s interference in the 2024 presidential election. 

The indictment offers a more complete picture of the alleged breadth of the targeting operation carried out against the campaigns. Starting in May, the hackers managed to compromise two email accounts belonging to an informal political consultant to one of the presidential candidates, the personal email account for an official on one of the campaigns, the personal email account of an attorney representing one of the presidential candidates, and a former U.S. State Department official who was an adviser to a presidential campaign suspended prior to May. 

All told, the operation targeted “dozens of senior, current and former prominent public officials,” including senior officials on the National Security Council, department and agency heads, their deputies and ambassadors. Officials with the White House, the Departments of Justice, Defense and State, the CIA, the National Security Agency and staff at the U.S. House and Senate were all targeted in the scheme, though not all were successfully compromised.

The hackers created fake email accounts impersonating U.S. officials, former U.S. officials and family members, such as the spouse of a sitting U.S. Supreme Court Justice, to interact with targets. They used a mixture of spearphishing and malware to compromise their accounts and maintain persistent access. They also used virtual private networks and static IP addresses from two Iranian internet service providers to further mask their location and identities. 

In addition to furthering the Iranian government’s efforts to undermine confidence in the U.S. electoral system, the indictment claims the hacks were retribution for the killing of former IRGC and Quds Force commander Qasem Soleimani in 2020. One of the victims (“Victim 1”) was described as a senior State official at the time of Soleimani’s death. 


As president, Trump pursued a series of hardline policies towards Iran, including the assassination of Soleimani, pulling out of a multilateral agreement on Iran’s nuclear program that was negotiated under the Obama administration and increasing sanctions on the country as part of the administration’s “maximum pressure” campaign. The prospect of Trump’s return to the White House next year has made this election cycle a high-stakes affair for Iranian leaders.

“Iran perceives this year’s elections to be particularly consequential in terms of the impact they could have on its national security interest, increasing Tehran’s inclination to try to shape the outcome,” a senior FBI official speaking on background told reporters in a briefing.

Some of the IT infrastructure used in the hacks was set up years before the actual attacks. According to the indictment, the hackers in 2018 set up an account with a U.S.-based email and internet domain provider while posing as an Israeli politician based in Tel Aviv.

Previous operations tied to the group include compromising email accounts for “numerous persons and entities” between January 2020 and May 2024, according to federal prosecutors, including people from multiple U.S. government agencies, former officials for the United Nations and Afghanistan, an unnamed foreign government’s intelligence service, three members of the media, and at least five employees of nongovernmental organizations across three Washington, D.C.-based think tanks.

Recent reports indicate that “Robert,” the anonymous individual who contacted reporters in an attempt to pass on the stolen documents, has remained active since the operation was publicized. Officials said they continue to work with victims and targeted organizations to harden their cybersecurity practices but can’t be “fully confident” that Iranian actors aren’t still lurking on some of the accounts.


“When it comes to advanced persistent threat actors, you can never be fully confident that you have eradicated them from an environment,” the FBI official said. “And so we remain fully engaged with the victims in this case, which include presidential campaigns as well as individuals associated with those campaigns, to breed resilience among their systems and their various email accounts.”

John Hultquist of Google’s Threat Intelligence Group said APT42, the IRGC hacking group linked to the Trump campaign hack, has a rich history of targeting the U.S. and its allies around the world. 

“They control multiple contractors who have carried out many of the most audacious cyber incidents we have seen in the Middle East, Europe, and the U.S., including activity during this and previous presidential election cycles,” Hultquist said. “This activity is just one example of their tactics, which are constantly evolving.”

This story was updated Sept. 27, 2024, with comments from a senior FBI official.
