These Iranian hackers who are trying to disrupt the election – L’Express

Every time he opens his email account, every time he receives a text message or a message on WhatsApp, the same anxiety grips Saeid Golkar: the fear of clicking on the wrong link, of falling into the trap of a cyberattack. A second of inattention is enough for hackers to recover all his conversations, his travel history, his calendar, his contacts. “I receive hacking attempts non-stop, in different forms every week,” sighs this Iranian professor in exile in the United States, who teaches at the University of Tennessee. “An invitation to a fictitious conference, a request for an interview from a fake journalist… Their strategy consists of repeating their attempts until one day, tired or distracted, you click on the wrong link. They then recover your entire life. And yet, I am nobody for the Iranian regime!”

In recent years, Iran has made a specialty of tracking online, and hacking, the specific individuals who shape international policy toward the Islamic Republic: academics, journalists, diplomats, activists, and politicians. “Like North Korea, Iran is a failed state, but its budget knows no limits in certain very specific areas: ballistic missiles, the nuclear program, cyberwarfare,” Saeid Golkar points out. This summer, the United States discovered the scale of the threat posed by these Iranian hackers, to the point that Tehran has overtaken Moscow in the ranking of threats to American democracy.

An election that matters more to Tehran than its own presidential election

In the spring, intelligence services identified hundreds of fake Iranian social media accounts that were encouraging students in major cities to protest against support for Israel and the war in Gaza. Microsoft, for its part, uncovered at least five sites posing as American news sites that were actually run from Tehran using artificial intelligence and sought to undermine trust in the functioning of democracy. “The US election matters more to the regime and has more impact on Tehran’s interests than the presidential election in Iran last June,” said Kasra Aarabi, research director at the NGO United Against Nuclear Iran.

That was just the beginning. In late July, a group linked to the Revolutionary Guards, the parallel army under the direct control of the Supreme Leader, managed to hack into Donald Trump’s presidential campaign, sucking up emails and sensitive data, and then transmitting them to American media outlets. According to several sources, the target of the phishing attack was Roger Stone, a long-time adviser to the former president. The press refused to publish these stolen documents, but the show of force was impressive. “Clearly, we are not dealing with interns paid minimum wage in their basement, but with cyber espionage professionals,” insists Alexis Dorais-Joncas, an analyst at the cybersecurity company Proofpoint. “The group behind this attack took the time to study its target and its IT environment. And we don’t know if this attack succeeded on the first intrusion attempt, the tenth or the hundredth.” Kamala Harris’ campaign was also reportedly targeted, apparently without success.

Behind the Trump team hack is a group of hackers known to Western intelligence since at least 2015: APT42. No one knows how many of them there are or where they are. But the links of these hackers to the Revolutionary Guards are clear. All the evidence was provided two years ago by Mandiant, a cybersecurity company bought by Google, which scrutinizes all of APT42’s malicious activities. “This Iranian group is primarily engaged in classic espionage: they siphon off data from individuals without making noise or alarming anyone, so that Iran can access confidential information,” describes John Hultquist, chief analyst at Google Mandiant Intelligence. “Their work allows them to closely monitor people of interest to the Tehran regime. In general, Iranian intelligence services use small, very effective organizations, and not groups with thousands of hackers like other states do.” In 2020, APT42 had already tried to infiltrate the Trump and Biden campaigns, without the information leaking.

This year, Iran is trying by all means to prevent the New York billionaire from returning to power. “For the Islamic Republic, Trump is the worst person who could occupy the White House, so unpredictable is his ‘madman’ international policy,” says Saeid Golkar. “By comparison, Harris is a much better candidate for Tehran, which knows perfectly well that Trump will do absolutely anything he wants.”

The Republican is also the president who buried the international agreement on Iranian nuclear power in 2018, before imposing unprecedented sanctions on the Islamic Republic. Above all, Trump remains the one who ordered the murder of Qassem Soleimani in 2020, the commander of the Revolutionary Guards and the Iranian regime’s real number 2. “The assassination of Soleimani decided by Trump makes it impossible for the regime to sit in the same room as him,” says Kasra Aarabi. “Even if the two sides absolutely had to negotiate an agreement, the Iranian regime could not shake hands with a Trump administration without alienating its fanatical base, 8 million people, who would accuse it of betraying the memory of Soleimani.”

[Photo] A man rides his moped past a billboard displaying portraits of slain officials: Ismail Haniyeh, leader of Palestinian Hamas, Qassem Soleimani, head of Iran’s Quds Force, and Fouad Shokr, military leader of Lebanese Hezbollah. © afp.com/Ibrahim AMRO

Iran’s number one weapon for disrupting the American campaign remains infiltrating the candidates’ teams: a way to make an impression and to retrieve valuable information. “Email is their gateway, step zero in their attack chain,” says Alexis Dorais-Joncas of Proofpoint. “Iranian groups excel at ‘impersonation’: they pretend to be an individual who will be known or recognized by the target by creating a fake email address, then they establish a bond of trust through completely benign conversations, sometimes for several weeks, before launching the malicious attack to retrieve their passwords or infect their computer.” Patient, meticulous, almost unstoppable work. At the end of August, Proofpoint observed North Korean hackers reproducing these Iranian techniques.

The risk that cyber attacks lead to physical attacks

The infiltration doesn’t stop there: the Iranians are also excellent at hacking cell phones. “With cell phones, they have access to a huge amount of personal information, they can listen to what’s going on in the room around you, observe your text messages,” explains John Hultquist of Mandiant. “But APT42 can also monitor your physical location live, which is particularly dangerous since this group works under the orders of the Revolutionary Guards, known for their use of physical violence.”

This is the main fear of the American security services: that Iran’s computer attacks will materialize as physical attacks on their soil. “Imagine that, in the stolen data, there are the plans of candidates’ convoys, with the times and places where they will be,” elaborates Alexis Dorais-Joncas. “Everything that would be useful for preparing a physical attack.” In July, even before the assassination attempt against Donald Trump in Pennsylvania, the FBI reportedly foiled an Iranian plot targeting the former president. A Pakistani national who had emigrated to the United States reportedly received money from Tehran to prepare an attack against the Republican campaign, but he was arrested before carrying out the act. Ironically, his email accounts had been infiltrated by American agents.

While Western cyber defense is continually adapting to these Iranian attacks, it is nonetheless, by definition, always one step behind. “Unfortunately, the Russian interference of 2016 opened Pandora’s box,” regrets John Hultquist. “There is no effective deterrent against this type of hacking campaign and, in the future, they will only be more difficult to counter.” It is up to our democracies to equip themselves with the weapons to best fight against Tehran’s hackers.
