Iranian Cyber Actors (IRGC) - Targeting the 2024 U.S. Presidential Election

Cyber Threat Intelligence

Iran, Cyber espionage, Election Interference, Information Operations

Intro

Yesterday, the FBI released an advisory covering the activities of Iranian cyber actors targeting email accounts associated with the 2024 U.S. presidential election. The advisory was published in collaboration with U.S. Cyber Command's Cyber National Mission Force, the U.S. Department of the Treasury, and the UK’s National Cyber Security Centre. The advisory has been disseminated to highlight the ongoing malicious cyber activity by cyber actors working on behalf of the Iranian government's Islamic Revolutionary Guard Corps (IRGC).

Three IRGC cyber actors have been indicted for a ‘Hack-and-Leak’ operation designed to influence the 2024 U.S. Presidential Election. According to the information released by DOJ, as alleged, in or around May, after several years of focusing on compromising the accounts of former U.S. government officials, the conspirators used some of the same hacking infrastructure from earlier in the conspiracy to begin targeting and successfully gaining unauthorized access to personal accounts belonging to persons associated with an identified U.S. Presidential campaign, including campaign officials.

The identified IRGC cyber activity also targeted individuals with a nexus to Iranian and Middle Eastern affairs, such as current or former senior government officials, senior think tank personnel, journalists, activists, and lobbyists. Additionally, the FBI has observed these actors targeting individuals associated with U.S. political campaign activity, likely in support of information operations.

In the joint statement by the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA), officials outlined: “As each of us has indicated in prior public statements, Iran seeks to stoke discord and undermine confidence in our democratic institutions. Iran has furthermore demonstrated a longstanding interest in exploiting societal tensions through various means, including the use of cyber operations to attempt to gain access to sensitive information related to U.S. elections. In addition to these sustained efforts to complicate the ability of any U.S. administration to pursue a foreign policy at odds with Iran’s interests, the Intelligence Community (IC) has previously reported that Iran perceives this year’s elections to be particularly consequential in terms of the impact they could have on its national security interests, increasing Tehran’s inclination to shape the outcome. We have observed increasingly aggressive Iranian activity during this election cycle, specifically involving influence operations targeting the American public and cyber operations targeting presidential campaigns.”

Social Engineering and Information Operations

The cyber actors working on behalf of the IRGC gain access to victims’ personal and business accounts using social engineering techniques, often impersonating professional contacts on email or messaging platforms. In addition, these actors might attempt to impersonate known email service providers to solicit sensitive user security information on email or messaging platforms. The targets usually have some nexus to Iranian and Middle Eastern affairs, such as current or former senior government officials, senior think tank personnel, journalists, activists, and lobbyists. More recently, FBI has observed these actors targeting persons associated with US political campaigns.

The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials. Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors. Victims sometimes gain access to the document but may receive a login error. 

Cyber actors working on behalf of the IRGC tailor instances of social engineering to include areas of interest or relevance to a target, including:

• Impersonations of known individuals, associates, and/or family members;
• Impersonations of known email service providers regarding account settings;
• Requests from impersonation accounts of well-known journalists for interviews;
• Conference invitations;
• Speaking engagement requests;
• Embassy events;
• Foreign policy discussions/opinions and article reviews; and,
• Current US campaigns and elections.

Indications of successful compromise include:

• Suspicious logins to victim accounts from foreign or domestic IP addresses;
• Creation of message handling rules to forward emails and prevent victims from receiving notifications of the compromise;
• Connection of unknown devices, applications, or accounts to a victim account;
• Exfiltration and deletion of messages; and,
• Attempts to access other victim accounts.
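The indicators above are mostly visible in a mail platform's audit log: a sign-in from an unexpected location, an inbox rule that forwards mail out of the organisation or quietly deletes or moves messages (which is how the compromise notifications get hidden), and a consent to an unknown application. The following triage routine is an added example, not part of the advisory; the events are constructed and use a simplified, assumed schema with operation names modelled on common cloud-mail audit logs, and the "expected countries" and "internal domains" baselines are assumptions an organisation would set for itself.

```python
"""Triage mailbox audit events for the post-compromise indicators in the advisory:
logins from unexpected locations, inbox rules that forward mail externally or hide
messages, and new application consents. Added example; the events are constructed
and use a simplified, assumed schema rather than any vendor's exact format."""
from collections import defaultdict

EXPECTED_COUNTRIES = {"US"}          # assumed sign-in baseline for this organisation
INTERNAL_DOMAINS = {"example.org"}   # assumed: the organisation's own mail domains
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_KEYS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def check_event(ev: dict) -> list[str]:
    """Return findings for one event; an empty list means nothing suspicious."""
    findings: list[str] = []
    op = ev.get("Operation")
    if op == "UserLoggedIn" and ev.get("Country") not in EXPECTED_COUNTRIES:
        findings.append(f"login from unexpected country {ev.get('Country')} ({ev.get('ClientIP')})")
    elif op in ("New-InboxRule", "Set-InboxRule"):
        # Rule parameters arrive as a list of {Name, Value} pairs in this assumed schema.
        params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
        external = [params[k] for k in FORWARD_KEYS if k in params and is_external(params[k])]
        if external:
            findings.append(f"inbox rule forwards mail externally to {', '.join(external)}")
        if any(k in params and params[k] not in ("False", "") for k in HIDE_KEYS):
            findings.append("inbox rule deletes, moves or marks messages read (may hide alerts)")
    elif op == "Consent to application.":
        findings.append(f"consent granted to application '{ev.get('AppDisplayName', '?')}'")
    return findings


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group findings by user so every indicator for one mailbox is seen together."""
    by_user: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        for finding in check_event(ev):
            by_user[ev.get("UserId", "?")].append(finding)
    return dict(by_user)


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "carol@example.org",
     "Country": "US", "ClientIP": "198.51.100.4"},
    {"Operation": "UserLoggedIn", "UserId": "alice@example.org",
     "Country": "NL", "ClientIP": "203.0.113.7"},
    {"Operation": "New-InboxRule", "UserId": "alice@example.org",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "backup-box@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Consent to application.", "UserId": "bob@example.org",
     "AppDisplayName": "Mail Sync Helper"},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.org",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "sign-in;security alert"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
]

if __name__ == "__main__":
    for user, findings in triage(SAMPLE_EVENTS).items():
        print(user)
        for f in findings:
            print("  -", f)
```

Grouping by mailbox matters here: a single foreign login is noise on its own, but a foreign login followed minutes later by a new external-forwarding rule on the same mailbox is the pattern the advisory describes and should be escalated as one incident.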

Indicators of Compromise (IOCs)

Cyber actors working on behalf of the IRGC have used the following malicious domains:

3dauth[.]live
3dconfirrnation[.]com
accesscheckout[.]online
accessverification[.]online
accunt-loqin[.]ml
accurateprivacy[.]online
atlantic-council[.]com
bitly[.]org[.]il
boom-boom[.]ga
bytli[.]us
continuetogo[.]me
continue-to-your-account[.]000webhostapp[.]com
covi19questionaire[.]000webhostapp[.]com
covid19questionnaire[.]freesite[.]vip
css-ethz[.]ch
cutly[.]biz
cutly[.]vip
daemon-mailer[.]com
de-ma[.]online
direct-access[.]info
discovery-protocol[.]ml
docfileview[.]org
doctransfer[.]online
dreamycareer[.]com
dr-sup[.]live
email-daemon[.]site
email-protection[.]online
file-access[.]com
filetransfer[.]club
freahman[.]online
freshconnect[.]live
gdrive-files[.]com
gettogether[.]quest
gl-sup[.]online
gm-sup[.]com
g-shorturl[.]com
home[.]kg
idccovid19questionaire[.]000webhostapp[.]com
ipsss[.]000webhostapp[.]com
linkauthenticator[.]online
litby[.]us
lovetoflight[.]com
lst-accurate[.]com
ltf[.]world
mailerdaemon[.]info
mailer-daemon[.]live
mailer-daemon[.]me
mailer-daemon[.]net
mailer-daemon[.]online
mailer-daemon[.]org
mailer-daemon[.]site
mailer-daemon[.]us
mailer-daemon-message[.]co
mailer-support[.]online
mfa-ic[.]ae
mofa-ic[.]ae
myconnect-support[.]com
on-dr[.]com
private-file-sharing[.]000webhostapp[.]com
qmaiil[.]ml
reactivate-disabled-accuonts[.]000webhostapp[.]com
redirect-drive[.]online
safeshortl[.]ink
shared-files-access[.]live
sharefilesonline[.]live
summit-files[.]com
tinyurl[.]co[.]il
tinyurl[.]ink
tinyurl[.]live
uani[.]us
verificationservice[.]online
washingtonlnstitute[.]org
workstation2020[.]000webhostapp[.]com
www-myaccounts-support[.]000webhostapp[.]com
youtransfer[.]live

The above-mentioned indicators are historical infrastructure associated with cyber actors working on behalf of IRGC. This data is being provided for informational purposes, to facilitate the identification of past cyber incidents, and to enable better tracking and attribution of these cyber actors.
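Two things about the list are worth building into tooling: the indicators are published defanged (`[.]`) and must be refanged before matching, and many of them are typosquats of real organisations and services (`washingtonlnstitute` with an `l` for the `i`, `3dconfirrnation` with `rn` for `m`, `tinyurl[.]live`), so a lookalike check can catch new infrastructure that follows the same pattern before it appears in any list. The script below is an added example, not part of the advisory: it loads a subset of the published domains, matches DNS query logs against them by exact or parent-domain match (so the legitimate `tinyurl.com` does not hit `tinyurl.live`), and runs a confusable-character comparison against an assumed short list of the legitimate domains being imitated. The DNS log lines are constructed.

```python
"""Refang the advisory's defanged domain indicators and match them against DNS
query logs, with a second pass for lookalikes of the brands the list imitates.
Added example, not part of the advisory; the log lines are constructed."""
import re
from typing import Iterable, Optional

# A subset of the advisory's indicators, kept defanged as published.
DEFANGED_IOCS = """
3dconfirrnation[.]com
atlantic-council[.]com
bitly[.]org[.]il
continue-to-your-account[.]000webhostapp[.]com
mailer-daemon[.]live
tinyurl[.]live
washingtonlnstitute[.]org
"""

# Assumed: legitimate domains the list's typosquats imitate, keyed by their
# registrable label. Extend this with whatever your organisation cares about.
PROTECTED = {
    "washingtoninstitute": "washingtoninstitute.org",
    "atlanticcouncil": "atlanticcouncil.org",
    "tinyurl": "tinyurl.com",
}
# Character pairs that look alike in common fonts; applied to both sides.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"))


def refang(indicator: str) -> str:
    """'example[.]com' -> 'example.com' (lower-case, no trailing dot)."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


def load_iocs(text: str) -> set[str]:
    return {refang(line) for line in text.splitlines() if line.strip()}


def matches_ioc(qname: str, iocs: set[str]) -> Optional[str]:
    """Exact or parent-domain match. Suffix matching, not substring matching,
    so 'tinyurl.com' does not hit the indicator 'tinyurl.live'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def normalize(label: str) -> str:
    label = label.replace("-", "")
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def lookalike_of(qname: str, protected: dict = PROTECTED) -> Optional[str]:
    """Return the legitimate domain a query name imitates, if any. Treats the
    last two labels as the registrable domain; a real deployment would use
    the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    registrable = ".".join(labels[-2:])
    for key, legit in protected.items():
        if normalize(labels[-2]) == normalize(key) and registrable != legit:
            return legit
    return None


# Constructed sample DNS log lines in BIND query-log style (not real traffic).
# 'tinyurl.ink' is deliberately absent from the loaded subset above to show the
# lookalike pass catching infrastructure the indicator list does not yet hold.
SAMPLE_DNS_LOG = """\
25-Sep-2024 09:12:01.123 client 10.0.0.15#51234: query: www.example.com IN A + (10.0.0.1)
25-Sep-2024 09:12:05.456 client 10.0.0.15#51235: query: login.washingtonlnstitute.org IN A + (10.0.0.1)
25-Sep-2024 09:13:10.789 client 10.0.0.22#40001: query: tinyurl.com IN A + (10.0.0.1)
25-Sep-2024 09:14:00.000 client 10.0.0.22#40002: query: mailer-daemon.live IN A + (10.0.0.1)
25-Sep-2024 09:15:30.500 client 10.0.0.31#40003: query: tinyurl.ink IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def scan_dns_log(lines: Iterable[str], iocs: set[str]) -> list[dict]:
    """Return one record per query that hits an indicator or looks like a protected brand."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc, look = matches_ioc(m["qname"], iocs), lookalike_of(m["qname"])
        if ioc or look:
            hits.append({"client": m["client"], "qname": m["qname"], "ioc": ioc, "lookalike": look})
    return hits


IOCS = load_iocs(DEFANGED_IOCS)

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines(), IOCS):
        print(hit)
```

The indicator match is high-confidence and can drive a block or an alert; the lookalike match is a heuristic that will produce false positives on legitimate domains with similar labels, so treat it as a hunting lead that needs an analyst's look at the registration data and the page served.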

The IRGC activity was especially notable in the period of the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia. The identified attacks were attributed to Phosphorus, an Iranian actor; TAG-56, which targeted the Sir Bani Yas Forum; and APT42, an Iranian state-sponsored cyber espionage actor targeting Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists.

False Flags and Deception

Some of the domains involved in malicious activity impersonated Israeli online services and resources, or appeared Israeli by origin. For example, one of the domain names used by Iran in the attack against international conference attendees was registered using the personal records of an Israeli citizen, which could have been re-used from compromised identity information or data sets circulating on the Dark Web to obscure the origin.

Domain Name: DE-MA.ONLINE
Registrar Url: https://www.hostinger.com
Registrar Name: Hostinger, UAB
Registrar Iana Id: H2712453
Domain Status: REDEMPTIONPERIOD https://icann.org/epp#redemptionPeriod
Registrant Id: Not Available From Registry
Registrant Name: Omer Laviv
Registrant Organisation: Omer Laviv
Registrant Street: 25 Gordon st.
Registrant City: Givataim
Registrant State: Central
Registrant Postal Code: 53235
Registrant Country: IL
Registrant Phone: +972539820866
Registrant Email: 20thcenfax@gmail.com

'Hack-and-Leak' Operations

Prior to the advisory about the targeting of current and former U.S. officials, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense (DoD) Cyber Crime Center (DC3) released details, explaining how Iranian hackers are working with ransomware affiliates and providing access to victim networks in exchange for a cut of ransom payments. The law enforcement organizations noted that the described activity was not connected to the Iranian election influence efforts, highlighting the truly multifarious threat that Iranian cyber activity poses to U.S. interests.

This group of Iranian cyber actors has conducted a high volume of computer network intrusion attempts against U.S. organizations since 2017 and as recently as August 2024. Compromised organizations include U.S.-based schools, municipal governments, financial institutions, and healthcare facilities. This group is known in the private sector by the names Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm. The actors also refer to themselves by the moniker Br0k3r, and as of 2024, they have been operating under the moniker “xplfinder” in their channels. FBI analysis and investigation indicate the group’s activity is consistent with a cyber actor with Iranian state-sponsorship.

The FBI previously observed these actors attempt to monetize their access to victim organizations on cyber marketplaces. A significant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks. The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide. More recently, the FBI identified these actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments. These actors have collaborated with the ransomware affiliates NoEscape, Ransomhouse, and ALPHV (aka BlackCat).

The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims. The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin. Furthermore, the FBI has historically observed this actor conduct hack-and-leak campaigns, such as the late 2020 campaign known as Pay2Key. The actors operated a .onion site (reachable through the Tor browser) hosted on cloud infrastructure registered to an organization previously compromised by the actors.

Following the compromise and the subsequent unauthorized acquisition of victim data, the actors publicized news of their compromise (including on social media), tagging accounts of victim and media organizations, and leaking victim data on their .onion site. While this technique has traditionally been used to influence victims to pay ransoms, the FBI does not believe the objective of Pay2Key was to obtain ransom payments. Rather, the FBI assesses Pay2Key was an information operation aimed at undermining the security of Israel-based cyber infrastructure.

Such malicious cyber activity from Iran is expected to continue in the future, targeting the U.S. and its allies during important social, economic, and political events, considering the close overlap between the cybercriminal underground and nation-states.

Mitigation Measures

FBI, CNMF, Treasury, and UK NCSC recommend international community partners remain vigilant. The authoring agencies recommend the following mitigation actions:

Social Engineering/Spoofing

• Be suspicious of unsolicited contact from any individual you do not know personally or contact from people you may know but are claiming to be using new accounts or phone numbers.
• Be suspicious of attempts to pass links or files via social media from anyone you do not know or from people you know who are using new accounts or phone numbers.
• Be suspicious of unsolicited requests to share files via online services, especially from people you do not know or people with whom you typically do not share files in this manner.
• Be suspicious of email messages conveying suspicious alerts for online accounts, including login notifications from foreign countries or other alerts indicating attempted unauthorized access to your accounts. FBI recommends logging into your accounts directly (versus using a link to do so) to review alerts.
• Be suspicious of emails purporting to be from legitimate online services (e.g. the images in the email appear to be slightly pixelated and/or grainy, language in the email seems off, sender email address looks suspicious, messages originate from an IP not attributable to that provider/company, etc.).
• Be suspicious of unsolicited email messages that contain shortened links (e.g. via tinyurl, bit.ly, etc.).

Enterprise Mitigation

• Implement a user training program with phishing exercises to raise and maintain awareness among users about risks of visiting malicious websites or opening malicious attachments. Reinforce the appropriate user response to phishing and spear-phishing emails. Cyber hygiene awareness for personal accounts and company accounts is strongly recommended.
• Recommend using only official email accounts for official business, updating software, avoiding clicking on links or opening attachments from suspicious emails before confirming their authenticity with the sender, and turning on multi-factor authentication to improve online security and safety.
• Recommend users consider advanced account protection services and hardware security keys.
• Enable anti-phishing and anti-spoofing security features that block malicious email.
• Prohibit automatic forwarding of email to external addresses.
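Several of the user-facing signs listed earlier (a sender address that does not match the service it claims to be, a message that did not originate from that provider's infrastructure, a shortened link in the body) are things a mail gateway or a SOC triage script can check mechanically from the message headers, which is what the anti-phishing and anti-spoofing features above do. The routine below is an added example and not from the advisory: it reads the Authentication-Results header the receiving mail server stamps on a message, compares the envelope sender domain with the From domain, and looks for public URL shorteners in the body. The message is constructed, the impersonated provider domain `mail.example` is a reserved placeholder, and the shortener watch-list is an assumption.

```python
"""Check a received message for the spoofing signs the advisory lists: failed
SPF/DKIM/DMARC results, an envelope sender domain that differs from the From
domain, and shortened links in the body. Added example; the message is
constructed and the shortener list is an assumed watch-list."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Matches 'spf=pass', 'dkim=fail', 'dmarc=none' etc. inside Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}  # assumed watch-list of public shorteners


def parse_auth_results(header_value: str) -> dict[str, str]:
    """'mx; spf=fail ...; dkim=none; dmarc=fail ...' -> {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}"""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header_value or "")}


def domain_of(address_header: str) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(address_header)[1].rsplit("@", 1)[-1].lower()


def assess_message(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means no spoofing signs were seen."""
    msg = message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    results = parse_auth_results(str(msg.get("Authentication-Results", "")))
    for mech in ("spf", "dkim", "dmarc"):
        outcome = results.get(mech, "none")
        if outcome != "pass":
            findings.append(f"{mech} result is {outcome}, not pass")

    from_domain = domain_of(str(msg.get("From", "")))
    envelope_domain = domain_of(str(msg.get("Return-Path", "")))
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender domain {envelope_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for host in URL_RE.findall(text):
        if host.lower() in SHORTENERS:
            findings.append(f"body contains shortened link via {host}")
    return findings


# Constructed sample message (not a real capture). The envelope sender uses one
# of the advisory's listed domains; the From header imitates a mail provider.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer-daemon.live>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer-daemon.live; dkim=none; dmarc=fail header.from=mail.example
From: Mail Delivery Subsystem <mailer-daemon@mail.example>
To: analyst@example.org
Subject: Action required: unusual sign-in on your account
Content-Type: text/plain; charset="utf-8"

Unusual sign-in detected. Review the alert within 24 hours:
https://tinyurl.com/review-alert
"""

if __name__ == "__main__":
    for finding in assess_message(RAW_MESSAGE):
        print("-", finding)
```

A message that fails DMARC for the domain it displays in From, arrives from a different envelope domain, and points the reader at a shortener should be quarantined rather than delivered; the user-facing advice earlier in this page (log in directly, never through the link) is the fallback for the cases a gateway lets through.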
