Trump campaign's Iran hackers have dangerous history and deep expertise

WASHINGTON--The Iranian hacking team that compromised the campaign of Republican presidential candidate Donald Trump is known for placing surveillance software on the mobile phones of its victims, enabling them to record calls, steal texts and silently turn on cameras and microphones, according to researchers and experts who follow the group.

  Known as APT42 or CharmingKitten by the cybersecurity research community, the accused Iranian hackers are widely believed to be associated with an intelligence division inside Iran's military, known as the Intelligence Organization of the Islamic Revolutionary Guard Corps or IRGC-IO. Their appearance in the U.S. election is noteworthy, sources told Reuters, because of their invasive espionage approach against high-value targets in Washington and Israel.

  “What makes (APT42) incredibly dangerous is this idea that they are an organization that has a history of physically targeting people of interest,” said John Hultquist, chief analyst with U.S. cybersecurity firm Mandiant, who referenced past research that found the group surveilling the cell phones of Iranian activists and protesters. Some of them were imprisoned or physically threatened in the country shortly after being hacked.

  A spokesperson for Iran’s permanent mission to the United Nations in New York said in an email that "the Iranian government neither possesses nor harbors any intent or motive to interfere in the United States presidential election."

  Spokespeople for Trump have said that Iran is targeting the former president and current Republican candidate because they disfavour his policies toward Tehran.

  The APT42 crew that targeted Trump has never been formally named in U.S. law enforcement indictments or criminal charges, leaving questions about their structure and identity. But experts believe they represent a significant threat.

  “The IRGC-IO is entrusted with collecting intelligence to defend and advance the interests of the Islamic Republic,” said Levi Gundert, chief security officer for U.S. cyber intelligence firm Recorded Future and a former Secret Service special agent. “Along with the Quds Force, they are the most powerful security and intelligence entities inside Iran.”

  In March, Recorded Future analysts discovered hacking attempts by APT42 against a U.S.-based media group named Iran International, which British authorities previously said were the target of physical violence and terror threats by Iranian-linked agents. Hultquist said the hackers commonly use mobile malware that allows them to "record phone calls, room audio recordings, pilfer SMS (text) inboxes, take images off of a machine," and gather geolocation data.

  In recent months, Trump campaign officials sent a message to employees warning them to be diligent about information security, according to one person familiar with the message. The message warned that cell phones were no more secure than other devices and represented an important point of vulnerability, said the person, who requested anonymity as he was not permitted to speak to the media.

  The Trump campaign did not respond to a request for comment. The FBI and the Office of the Director of National Intelligence both declined to comment.

  The Secret Service did not answer questions about whether the Iranian hacking activity could be intended to support physical attacks planned for the future. In a statement sent to Reuters, a Secret Service spokesperson said they work closely with intelligence community partners to ensure the "highest level of safety and security" but could not discuss matters "related to protective intelligence."
The Daily Herald
