The FBI has launched an investigation after Donald Trump’s presidential campaign claimed to have been attacked by Iranian hackers. Proofpoint security researcher Joshua Miller explains the possible background.
Proofpoint has no direct knowledge of activity specifically targeting the Trump campaign or activity recently reported by Microsoft and attributed to Mint Sandstorm. However, the activities are consistent with typical TA453 campaigns and activities. TA453’s activities overlap with those of Mint Sandstorm aka Charming Kitten.
TA453 is known for sending phishing emails with links to credential-harvesting pages, often abusing brands such as Yahoo, LinkedIn or Microsoft. The group varies its pretexts: it adopts the persona of journalists or academics, mimics Gmail or Google Drive login pages, or pretends to be a well-known non-profit organization. It also sets up fake social media accounts and registers domains whose name differs from a well-known brand’s website only in a small detail, such as a swapped letter or a digit in place of a letter (“typosquatting”).
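A defender’s first line against the typosquatting described above is to compare the hostnames in inbound links against the brands that are being impersonated. The following is an added example written for this page, not Proofpoint code and not a reproduction of any real TA453 infrastructure: it folds common look-alike characters (digits, Cyrillic letters, punycode) back to ASCII, then flags labels within a small edit distance of a brand name, labels that embed a brand name, and hosts that carry a brand name in a subdomain of an unrelated domain. The brand allow-list and the confusable map are constructed and deliberately partial, and the last two labels are treated as the registrable domain as a simplification (real code should consult the Public Suffix List). All sample hostnames are constructed for illustration.

```python
"""Flag brand look-alike hostnames of the kind used in credential phishing.

Added example; not Proofpoint code. Brand names follow the article; the
allow-list, confusable map and sample hosts are constructed and incomplete.
"""
from __future__ import annotations

import unicodedata
from urllib.parse import urlparse

# brand -> registrable domains we accept as genuine (constructed allow-list)
BRANDS: dict[str, set[str]] = {
    "yahoo": {"yahoo.com"},
    "linkedin": {"linkedin.com"},
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "google": {"google.com"},
    "gmail": {"gmail.com"},
}

# Look-alike substitutions to undo before comparing (constructed, partial).
CONFUSABLES: dict[str, str] = {
    "rn": "m", "vv": "w",                        # multi-character tricks
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0456": "i",  # Cyrillic р с і
}


def normalize_label(label: str) -> str:
    """Decode punycode, fold case and accents, and map confusables to ASCII."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label.lower()          # malformed punycode: compare as-is
    label = unicodedata.normalize("NFKD", label).lower()
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    # longest keys first so "rn" becomes "m" before single characters are touched
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple[str, str | None]:
    """Return (verdict, brand): legitimate, lookalike, brand_in_subdomain, unrelated."""
    raw = [l for l in host.strip(".").lower().split(".") if l]
    if len(raw) < 2:
        return ("unrelated", None)
    norm = [normalize_label(l) for l in raw]
    # Simplification: last two labels = registrable domain (no Public Suffix List).
    registrable_raw = ".".join(raw[-2:])       # exact, un-normalized comparison
    sld, subdomains = norm[-2], norm[:-2]       # normalized for similarity checks
    for brand, allowed in BRANDS.items():
        if registrable_raw in allowed:
            return ("legitimate", brand)
    for brand in BRANDS:
        budget = 1 if len(brand) <= 6 else 2    # tolerate more edits on long names
        if brand in sld or edit_distance(sld, brand) <= budget:
            return ("lookalike", brand)
    for brand in BRANDS:
        if any(brand in label for label in subdomains):
            return ("brand_in_subdomain", brand)
    return ("unrelated", None)


def classify_url(url: str) -> tuple[str, str | None]:
    """Extract the hostname from a URL (scheme optional) and classify it."""
    host = urlparse(url if "://" in url else "//" + url).hostname
    return classify_host(host) if host else ("unrelated", None)


if __name__ == "__main__":
    # constructed samples, not real observed infrastructure
    for sample in ["https://login.microsoft.com/", "micros0ft-login.com",
                   "linkedln.com", "yah00.com",
                   "https://accounts.google.com.evil.example/signin",
                   "example.org"]:
        print(f"{sample:50} -> {classify_url(sample)}")
```

The normalized label is used only for similarity; the allow-list match is done on the raw host so that a homoglyph variant such as yah00.com cannot normalize itself into a "legitimate" verdict. In practice this check runs on links extracted from mail before delivery, and a lookalike or brand_in_subdomain verdict is a reason to quarantine or rewrite the link, not proof of malice on its own.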
Like other espionage-focused advanced persistent threat (APT) actors, TA453 constantly adapts its tools, tactics, techniques and objectives. TA453 likely tailors its campaigns to the changing intelligence requirements of the Islamic Revolutionary Guard Corps (IRGC), which can include support for hostile and even kinetic operations.
Proofpoint continues to assess that TA453 operates in support of the IRGC, specifically the IRGC Intelligence Organization (IRGC-IO). This assessment rests on several strands of evidence: overlaps in unit numbering between Charming Kitten reports and the IRGC units identified by PwC, the U.S. Department of Justice indictment of Monica Witt and IRGC-affiliated actors, and an analysis of TA453’s targeting against reported IRGC-IO priorities.
TA453 repeatedly attempts to collect and exfiltrate the contents of email inboxes belonging to typical Iranian government intelligence targets such as the Iranian diaspora, political analysts and academics. Proofpoint has also observed TA453 targeting current and former U.S. officials and representatives of U.S. political campaigns. Occasionally, the group also directs its attacks at medical researchers.
Several Iran-aligned APT actors, including TA453, use journalists or news outlets as a pretext to engage targets and attempt to harvest their credentials. TA453 routinely impersonates journalists from around the world. The operators use these personas to strike up innocuous conversations with their targets, who are mostly academics and policy experts working on Middle East political affairs, before steering them toward a credential-harvesting page.
TA453 is currently active with ongoing phishing campaigns.