QUICKLOOK: IRGC-Linked Cyber Assault on U.S. Elections: Trump Campaign Hacked
Three Iranian hackers affiliated with the Islamic Revolutionary Guard Corps have been indicted for a sophisticated hacking operation aimed at disrupting the 2024 U.S. presidential elections.
Disclaimer: The translations and terms used in this document are machine-generated and may not be entirely accurate. They are provided for you to look over only.
BLUF:
The U.S. Department of Justice has indicted three Iranian nationals, allegedly affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), for orchestrating a sophisticated hacking campaign targeting Donald Trump's presidential campaign and attempting to influence the 2024 U.S. election. This operation, spanning from 2020 to 2024, aimed to sow discord, undermine confidence in the U.S. electoral process and advance Iran's strategic interests in retaliation for the U.S. assassination of General Qasem Soleimani.
Abstract:
This QUICKLOOK examines the recent indictment of three Iranian hackers—Masoud Jalili (مسعود جلیلی), Seyyed Ali Aghamiri (سید علی آقامیری), and Yasar Balaghi (یاسر بلاغی)—allegedly involved in a multi-year cyber campaign targeting U.S. political figures and institutions. The operation focused on stealing sensitive campaign data from Donald Trump's 2024 presidential campaign, with the aim of leaking it to media outlets and the rival campaign. The hack represents an escalation of Iran's efforts to influence U.S. elections, framed by Tehran as retaliation for U.S. military action against Iran. The report contextualizes the campaign within the broader U.S.–Iran conflict and offers insights into Iran's evolving cyber capabilities.
Introduction:
In September 2024, the U.S. Department of Justice unsealed an indictment detailing a sophisticated, multi-year Iranian cyber operation aimed at influencing the U.S. presidential election. The campaign was reportedly a direct retaliation for the U.S. strike that killed General Qasem Soleimani, commander of the IRGC's Quds Force, in January 2020. This report analyzes the motivations, techniques, and implications of the operation, focusing on how IRGC-connected, state-sponsored actors sought to compromise and undermine U.S. electoral integrity.
Iranian Cyber Units and Past U.S. Attacks:
Iran's cyber units, particularly those aligned with the IRGC, have a documented history of attacking U.S. institutions, employing tactics that range from espionage to destructive operations. These efforts are part of Iran's asymmetric warfare strategy, where it leverages cyber capabilities to counterbalance conventional military weaknesses against adversaries like the U.S.
Notable Past Attacks:
Operation Ababil (2011-2013): A sustained DDoS campaign against U.S. financial institutions, including JPMorgan Chase and Bank of America, that repeatedly knocked online banking services offline.
Sands Casino Hack (2014): Iranian hackers breached the corporate network of Las Vegas Sands and deployed wiper malware that destroyed data on its systems, in retaliation for comments by its owner, Sheldon Adelson, advocating U.S. military action against Iran.
Election Interference (2020): During the 2020 U.S. elections, Iranian actors (later identified as employees of the IRGC-affiliated firm Emennet Pasargad) sent threatening emails to voters while posing as the Proud Boys and spread disinformation aimed at undermining public confidence in the electoral process.
Critical Infrastructure Attacks: Iranian hackers have targeted U.S. energy and water facilities; in late 2023 the IRGC-affiliated CyberAv3ngers persona compromised internet-exposed Unitronics programmable logic controllers at several U.S. water utilities, demonstrating intent to disrupt industrial control systems.
These operations underscore Iran's strategy to destabilize key U.S. institutions, a strategy that has evolved to focus on more politically sensitive targets like presidential campaigns. The 2024 campaign is just one instance of these broader efforts.
Military Operational Concepts and Tactics:
Iran’s cyber operations, including this recent election-related hack, are deeply rooted in its broader military doctrines, specifically its strategy of asymmetric warfare. Unable to match the U.S. in terms of conventional military strength, Iran has turned to cyber capabilities, which it views as force multipliers.
Basij Resistance Force (BRF):
The Basij, a paramilitary force within the IRGC, is instrumental in many of Iran's cyber operations. Members, such as Masoud Jalili, Seyyed Ali Aghamiri, and Yasar Balaghi, are trained to execute cyberattacks as part of the BRF’s ongoing mission to disrupt U.S. operations, gather intelligence, and counter U.S. military actions.
The Basij typically uses tactics that align with guerrilla warfare but adapted to cyberspace. These include:
Deception and Masking: Routing activity through rented VPN and VPS infrastructure to hide its origin, and spoofing sender identities to deceive targets.
Cyber Espionage and Surveillance: Using phishing, spoofing, and malware to gather critical intelligence on U.S. military, political, and corporate figures.
Disruptive Operations: Coordinating with IRGC units to launch denial-of-service attacks, ransomware, and destructive hacks aimed at paralyzing critical infrastructure.
Hack-and-Leak Campaigns: Using stolen data to create disinformation, manipulate media narratives, and destabilize public trust.
Detailed Profile of the Accused Hackers:
Masoud Jalili (مسعود جلیلی), 36:
Member of the Basij Resistance Force.
Alleged to have conducted hacking operations since 2005, focused on targeting U.S. political figures.
Seyyed Ali Aghamiri (سید علی آقامیری), 34:
Based in Tehran and affiliated with the Basij Resistance Force.
Active in intelligence gathering through spearphishing and social engineering.
Yasar Balaghi (یاسر بلاغی), 37:
Also based in Tehran, believed to work with the Basij in targeting high-value U.S. officials.
These hackers played crucial roles in coordinating the 2024 campaign, using their technical skills to breach key U.S. targets.
Expanded Timeline and Scope of Operations:
2020-2024:
The operation, spanning from 2020 to 2024, escalated as the U.S. election neared, shifting focus from general espionage to targeted political interference.
Targets: U.S. government officials, campaign figures, and political advisors.
Objective: Compromise Trump campaign materials and leak sensitive data to rival candidates and the media.
Notable Breaches:
Homeland Security Advisor's Personal Account: Successfully breached, exposing sensitive internal communications.
Former U.S. Ambassador to Israel: Targeted for intelligence gathering related to Middle East policy.
State Department Official: Responsible for key diplomatic decisions in the region, including the Abraham Accords.
Advanced Hacking Techniques:
Iranian hackers used advanced tactics that reflect the evolving sophistication of their cyber units:
VPN and VPS Obfuscation: Routing operations through commercial VPNs and rented virtual private servers so that logins appear to come from hosting providers rather than Iran, complicating attribution.
Spearphishing and Spoofing: Crafting emails that impersonate trusted senders and organizations to trick high-level officials into entering credentials on attacker-controlled pages.
Social Engineering: Impersonating trusted contacts and exploiting personal relationships to coax targets into handing over credentials or one-time codes, defeating multi-factor authentication without breaking it.
In-memory Malware: Executing payloads only in memory, so that no file is written to disk and file-based antivirus scanning has nothing to inspect.
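The spoofing and spearphishing tactics described above are usually caught on the receiving side by checking the mail headers rather than the message text. The following Python script is an added example, not code from the indictment or from this report: it parses raw RFC 5322 headers and flags the indicators a campaign's mail gateway or an analyst would look for (envelope/header sender mismatch, failed SPF/DKIM/DMARC results, a trusted display name paired with a foreign domain, a lookalike of a protected domain, and a divergent Reply-To). The protected domains, the address book, and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Hypothetical domains the organisation wants to protect from impersonation.
PROTECTED_DOMAINS = {"campaign.example", "state.example"}

# Hypothetical address book: lower-cased display name -> domains that person uses.
KNOWN_CONTACTS = {"jane doe": {"campaign.example"}}

# Character pairs attackers use to imitate a domain visually.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def normalise_homoglyphs(domain):
    """Collapse common look-alike character sequences to their real counterparts."""
    d = domain.lower()
    for fake, real in _HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, protected=PROTECTED_DOMAINS):
    """Return the protected domain that `domain` imitates, or None if exact or unrelated."""
    if domain in protected:
        return None
    for p in protected:
        if normalise_homoglyphs(domain) == p or levenshtein(domain, p) <= 1:
            return p
    return None


def domain_of(header_value):
    """Extract the lower-cased domain from an address header (empty string if absent)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def spoof_indicators(raw_message, known_contacts=KNOWN_CONTACTS, protected=PROTECTED_DOMAINS):
    """Return a list of human-readable spoofing indicators found in the message headers."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Envelope sender (Return-Path) should normally share the From: domain.
    rp_domain = domain_of(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"envelope/header mismatch: Return-Path {rp_domain} vs From {from_domain}")

    # Authentication-Results is stamped by the receiving MTA; anything but pass is suspect.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech} result is {m.group(1)}")

    # A known person's display name on an address at a domain they never use.
    allowed = known_contacts.get(from_name.strip().lower())
    if allowed is not None and from_domain not in allowed:
        findings.append(f"display name '{from_name}' used with unexpected domain {from_domain}")

    # Typo-squat or homoglyph imitation of a protected domain.
    target = lookalike_of(from_domain, protected)
    if target:
        findings.append(f"From domain {from_domain} is a lookalike of {target}")

    # Replies silently redirected to a mailbox the attacker controls.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To {reply_domain} differs from From {from_domain}")
    return findings


# Constructed sample: impersonates a campaign staffer via a homoglyph domain ('rn' for 'm').
SPOOFED = """\
Return-Path: <bounce@mail-campaign.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mail-campaign.example; dkim=none; dmarc=fail header.from=campaign.example
From: Jane Doe <jane.doe@carnpaign.example>
Reply-To: <jane.doe@protonmail.example>
To: target@state.example
Subject: Updated vetting document

Please review the attached file.
"""

# Constructed sample: legitimate, fully authenticated message from the real domain.
LEGIT = """\
Return-Path: <jane.doe@campaign.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=campaign.example; dkim=pass header.d=campaign.example; dmarc=pass header.from=campaign.example
From: Jane Doe <jane.doe@campaign.example>
To: target@state.example
Subject: Schedule

See you at 9.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoof_indicators(sample) or "no indicators")
```

The Authentication-Results check only means something if the gateway that stamped the header is trusted and the message could not have arrived with a forged copy; in production, strip any inbound Authentication-Results headers at the edge and re-stamp them. The homoglyph and edit-distance checks are deliberately conservative (distance 1) to keep false positives low on a real mail stream.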
"Hack-and-Leak" Operation Details:
Stolen Information:
Non-public campaign documents.
Internal emails from the Trump campaign, including sensitive vetting files on J.D. Vance.
Attempted Distribution:
To Biden Campaign: Emails with stolen material were sent but received no response.
To News Outlets: Media organizations were solicited to publish sensitive information in an attempt to discredit the Trump campaign.
U.S. Government Response:
Legal Actions:
Indictment of Masoud Jalili, Seyyed Ali Aghamiri, and Yasar Balaghi.
Charges include conspiracy to commit identity theft, aggravated identity theft, access device fraud, unauthorized access to computers, wire fraud, and conspiracy to provide material support to a designated foreign terrorist organization (the IRGC).
Sanctions:
The U.S. Treasury's Office of Foreign Assets Control designated Masoud Jalili, along with six employees of Emennet Pasargad, an IRGC-affiliated firm previously sanctioned for interference in the 2020 election.
Rewards for Justice:
The State Department's Rewards for Justice program is offering up to $10 million for information on these three individuals or on related Iranian cyber activity against U.S. elections.
International Context:
Iran's hacking activities are part of a broader geopolitical strategy that employs cyberattacks as tools of asymmetric warfare. The targeting of the Trump campaign has been publicly linked to the long-running IRGC-associated intrusion cluster tracked as Charming Kitten (Mandiant's APT42), showing that this operation is not isolated but part of a sustained, coordinated effort to retaliate against U.S. actions, including the killing of General Soleimani.
Implications and Concerns:
Cyber-Election Security: The need for improved cybersecurity across U.S. political campaigns is urgent, given Iran’s sophisticated hacking capabilities.
Public Trust: Iran’s operations aim to sow doubt about the legitimacy of U.S. elections, an outcome that could have long-term impacts on democratic institutions.
Strategic Escalation: The hack underscores the broader geopolitical conflict between the U.S. and Iran, with potential for future escalations.
Conclusion:
The indictment of the three Iranian hackers marks a significant moment in the United States' ongoing effort to prevent foreign interference in its elections. It underscores the capabilities of Iranian cyber units, especially those linked to the Basij Resistance Force and the Islamic Revolutionary Guard Corps (IRGC), which have demonstrated sustained espionage, disruptive, and hack-and-leak operations against key U.S. institutions. With the 2024 election fast approaching, campaigns and U.S. agencies must harden their defenses, above all against the credential phishing and social engineering this case relied on, to safeguard the democratic process and reduce the risk posed by state-sponsored actors. As Iran continues to refine its cyber capabilities, proactive measures will be vital in protecting U.S. political systems from future interference.
References:
U.S. Department of Justice Press Release, September 27, 2024.
U.S. Department of Justice Indictment Document, September 27, 2024.
AP News – "Trump Campaign Hack: Iranians Indicted", September 27, 2024.
Axios – "Iranian Hackers Targeted Trump's Campaign", September 27, 2024.
FBI – Wanted Poster: Iranian Cyber Actors, September 27, 2024.