Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Social Engineering
Google: Phishing Attacks Targeted Trump, Biden Campaigns
Chinese and Iranian Hacking Groups Unsuccessfully Targeted Both Candidates' Staffs
Separate state-sponsored phishing attacks unsuccessfully attempted to infiltrate the campaign offices of President Donald Trump and former Vice President Joe Biden, according to Google's Threat Analysis Group, which warned both candidates of the incidents and provided details to law enforcement officials.
An advanced persistent threat group linked to the Chinese government attempted to phish Biden's presidential campaign staff, while an Iranian-backed hacking group targeted Trump's re-election offices, according to Google.
These incidents show the challenges involved in ensuring the security of this year's U.S. presidential election against nation-state attacks.
A spokesperson for the U.S. Cybersecurity and Infrastructure Security Agency, which is responsible for securing the country's voting infrastructure, tells ISMG that it's working with Google during its investigation of these two incidents.
"It's not surprising that a number of state actors are targeting our elections," the CISA spokesperson says. "We've been warning about this for years. Our job at CISA is to make sure they’re not successful. That’s why today’s announcement shows that secure, resilient elections are much bigger than state and local, or even federal government efforts."
Campaigns Notified
In a series of Tweets on Thursday, Shane Huntley, head of Google's Threat Analysis Group, noted that the company has sent details about the attacks to law enforcement. He did not describe when the attacks happened or if they targeted specific campaign staffers.
Recently TAG saw China APT group targeting Biden campaign staff & Iran APT targeting Trump campaign staff with phishing. No sign of compromise. We sent users our govt attack warning and we referred to fed law enforcement. https://t.co/ozlRL4SwhG
— Shane Huntley (@ShaneHuntley) June 4, 2020
On Friday, a Google spokesperson confirmed that the company had detected both attempts and warned the two campaigns.
"We sent the targeted users our standard government-backed attack warning and we referred this information to federal law enforcement. We encourage campaign staff to use extra protection for their work and personal emails, and we offer security resources such as our advanced protection program and free security keys for qualifying campaigns," the Google spokesperson tells ISMG.
A spokesperson for the Trump campaign tells ISMG that the staff had been briefed about the unsuccessful attack attempt. "We are vigilant about cybersecurity and do not discuss any of our precautions," the spokesperson notes.
A spokesperson for Biden, who is the presumptive Democratic presidential nominee, could not be immediately reached for comment. But a Biden campaign representative tells CNET: "We have known from the beginning of our campaign that we would be subject to such attacks, and we are prepared for them. Biden for President takes cybersecurity seriously. We will remain vigilant against these threats and will ensure that the campaign's assets are secured."
The Hackers
On Thursday, Google's Threat Analysis Group identified the state-sponsored hacking groups behind the two attempted attacks as APT31 for the Biden campaign and APT35 for the Trump campaign.
APT31, which is also referred to as Zirconium, is a little-known Chinese advanced persistent threat group that specializes in intellectual property theft, according to the security firm FireEye.
More is known about APT35, which has ties to Iran and has been previously linked to attacks against the Trump campaign and other prominent U.S. political and government targets.
In 2019, APT35 targeted email accounts associated with the Trump campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran, according to Microsoft (see: Microsoft: Iran-Backed Group Targeted a Presidential Campaign).
Microsoft found that between August and September 2019, the threat group, which is also called Phosphorus, Charming Kitten and Ajax Security Team, attempted to attack 241 email accounts of the company's customers. At the time, APT35 was able to compromise four of the targeted accounts, but none of them belonged to the presidential campaign staff.
Since 2013, APT35 has targeted journalists and activists throughout the Middle East, using spear-phishing campaigns, social engineering techniques and fake social media accounts to infect devices with malware, according to Microsoft.
Ongoing Threats to Elections
In April, the U.S. Senate Intelligence Committee released a report that concluded Russia and its intelligence services conducted an unprecedented, multifaceted campaign to interfere with the 2016 U.S. presidential election (see: Senate Report Affirms Russian Election Interference Findings).
Security experts warn that these types of attacks are likely to continue and that sophisticated hacking groups will not only target top staffers, but anyone who has a connection to the campaign in order to gather more intelligence.
"It’s likely that we will see these types of attacks continue. It has been an ongoing issue for many years now," Charles Ragland, a security engineer at security firm Digital Shadows tells ISMG. "An APT getting access to political staffers' info is a great intelligence source."
In his tweet, Google's Huntley notes that hackers will target both work and personal accounts in order to gain a foothold into networks, and simple steps, such as using two-factor authentication, can reduce the chances of a successful attack.
Tonia Dudley, a security solutions adviser at security firm Cofense, notes that most phishing emails are trying to lead victims to specific malicious domains hosted on a variety of cloud-based platforms designed to harvest credentials.
"This is why it's also important for the campaigns to enable multifactor authentication to all of these services deployed to their staff," Dudley says. "While MFA isn't a silver bullet, and we do see phishing attacks that are able to circumvent it, every little bit helps."
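The pattern Dudley describes, lure emails that steer staff to credential-harvesting pages parked on shared cloud hosting, is something a mail gateway or SOC can triage automatically. The following is an added illustration written for this article, not code from Google, Cofense or either campaign: it extracts links from constructed sample messages and scores each one on three indicators (page hosted under a shared cloud platform domain, login-style lure wording in the URL, and a host that imitates a domain the organisation actually uses). The hosting-suffix list, lure-word list, protected-domain list and the messages themselves are assumptions built for the example.

```python
"""Phishing-link triage for inbound mail (added example; all data constructed)."""
import re
from urllib.parse import urlparse

# Assumed list of platforms where anyone can publish a page under a parent
# domain that looks reputable. Extend it from your own gateway telemetry.
CLOUD_HOSTING_SUFFIXES = (
    "web.app", "firebaseapp.com", "blob.core.windows.net", "azurewebsites.net",
    "s3.amazonaws.com", "cloudfront.net", "sites.google.com", "github.io", "pages.dev",
)
# Assumed wording that credential-harvesting lures tend to put in the URL.
LURE_WORDS = ("login", "signin", "sign-in", "password", "verify", "account", "secure")
# Assumed domains the organisation really uses; hosts that merely resemble
# them are treated as suspect, hosts that truly belong to them are not.
PROTECTED_DOMAINS = ("example-campaign.org", "google.com", "microsoft.com")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the protected domain that `host` imitates, or None if it is genuine
    or unrelated. Catches both embedded brands (google.com.verify-x.net) and
    near-misses (goggle.com). The registrable part is taken naively as the
    last two labels, which is enough for this illustration."""
    registrable = ".".join(host.split(".")[-2:])
    for good in PROTECTED_DOMAINS:
        if host == good or host.endswith("." + good):
            return None  # really is the protected domain
        if good in host:
            return good  # brand name buried inside another domain
        if 0 < levenshtein(registrable, good) <= 2:
            return good  # typo-squat style look-alike
    return None


def score_url(url: str):
    """Return (score, reasons) for one link; one point per indicator present."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in CLOUD_HOSTING_SUFFIXES):
        reasons.append("landing page on shared cloud hosting")
    haystack = f"{host}{parsed.path}?{parsed.query}".lower()
    if any(w in haystack for w in LURE_WORDS):
        reasons.append("login/verification lure wording in URL")
    imitated = lookalike_of(host)
    if imitated:
        reasons.append(f"host imitates {imitated}")
    return len(reasons), reasons


def triage_message(msg: dict):
    """Return (highest score, {url: reasons}) for every flagged link in the body."""
    findings = {}
    for url in URL_RE.findall(msg["body"]):
        score, reasons = score_url(url)
        if score:
            findings[url] = reasons
    return max((len(r) for r in findings.values()), default=0), findings


# Constructed sample messages: two lures and one benign internal note.
SAMPLE_MESSAGES = [
    {"subject": "Action required: mailbox quota",
     "body": "Your mailbox is full. Re-authenticate at "
             "https://campaign-secure-login.web.app/verify?user=staffer to keep access."},
    {"subject": "Shared document",
     "body": "A document was shared with you: "
             "https://google.com.account-verify.pages.dev/signin"},
    {"subject": "Weekly schedule",
     "body": "Agenda at https://mail.example-campaign.org/calendar and notes at "
             "https://docs.google.com/document/d/abc123"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, findings = triage_message(msg)
        print(f"[{score}] {msg['subject']}")
        for url, reasons in findings.items():
            print(f"    {url}\n        " + "; ".join(reasons))
```

A score of 2 or 3 is a reasonable threshold for holding a message for review rather than blocking outright, since a single indicator (a legitimate Google Sites page, say) is common in benign mail. The look-alike check deliberately returns None for hosts that genuinely end in a protected domain, so real `docs.google.com` links are not penalised; in production the naive "last two labels" registrable-domain logic should be replaced with a public-suffix-list lookup.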
Tom Kellermann, who served as a cybersecurity adviser to former President Barack Obama, has been warning that nation-state hackers, especially those with ties to China and Iran, have been targeting the U.S. for some time and are likely to ramp up their efforts as the country moves closer to the November election.
"Our adversaries are intent on undermining American democracy through cyberattack," Kellermann, head of cybersecurity strategy at VMware, tells ISMG.
Managing Editor Scott Ferguson and News Editor Doug Olenick contributed to this report.