State-sponsored hackers from China and Iran have unsuccessfully targeted the campaign staffs of US presidential candidates Joe Biden and Donald Trump, respectively.
The attacks have been observed by the Google Threat Analysis Group (TAG), a division inside Google’s security department that tracks nation-state hacking groups.
“Recently TAG saw China APT group targeting Biden campaign staff & Iran APT targeting Trump campaign staff with phishing,” said Shane Huntley, head of Google TAG.
Huntley said Google did not see any signs that the attacks were successful. He said Google notified the targeted users about the attacks using Gmail’s built-in message for signaling “state-sponsored attacks,” and later also notified US law enforcement agencies.
Huntley said the groups behind the attacks are APT31 (targeted Biden) and APT35 (targeted Trump).
APT31, also known as Zirconium, is a Chinese state-sponsored hacking group that has been active since at least early 2016, and has historically targeted foreign companies to steal intellectual property, however, it has also targeted diplomatic entities in the past. According to a Microsoft threat analyst, the group has seen a surge of activity recently and has been very active over the past 45 days.
APT35, also known as Newscaster, is a Iranian cyber-espionage sponsored by the Iranian government. The group has been active since 2014 and has typically targeted the US and Middle Eastern militaries, diplomatic and government personnel, organizations in the media, energy and defense industrial bases (DIB), and the engineering, business services, and telecommunications sectors.
APT35 had also targeted the Trump campaign staff last year. The 2019 attacks were spotted by Microsoft.
Several cyber-security companies, including both Google and Microsoft, provide free security tools for election officials and campaign staff.
A spokesperson for the Biden campaign told ZDNet that they were aware of the attacks detailed in Google’s disclosure today.
“We have known from the beginning of our campaign that we would be subject to such attacks and we are prepared for them,” the Biden campaign said. “Biden for President takes cybersecurity seriously, we will remain vigilant against these threats, and will ensure that the campaign’s assets are secured.”
A representative for the Trump campaign has not returned a request for comment on Google’s latest disclosures.
The fact that these attacks are taking place is not a surprise for cyber-security industry experts.
“Senior officials have consistently provided warnings that countries beyond just Russia have attempted to interfere or influence US elections. And those actors have been proven to regularly target the U.S. government and broad swaths of the U.S. economy, so further evidence of targeting elections is unfortunately unsurprising,” Graham Brookie, Managing Editor & Director at the Atlantic Council’s Digital Forensic Research Lab (DFRLab), told ZDNet today.
“Other countries saw the catastrophic success of Russian cyber-enabled influence operations targeting US elections in 2016, and have shown an increased willingness to adopt that approach in elections — not just in the United States, but around the world,” Brookie added.
For example, Iran is a known entity that often engages in social media influence operations, and would without any doubt not hesitate to use any information that it may gleam from hacking a presidential campaign’s internal emails. Similarly, Chinese hackers have historically targeted anti-Chinese parties in regions like Hong Kong and Taiwan, and have used information stolen in these hacking campaigns to boost its political power in the two regions.
It is unclear if Chinese and Iranian hackers are looking for information they may abuse in a public fashion — like Russia did with the DNC hack and the Guccifer 2.0 persona — or if they’re just looking to passively observe how campaigns are going and collect information for future political decisions, rather than meant to alter the outcome of US presidential elections.