A group of prolific Iranian hackers has likely been key to the Iranian Islamic Revolutionary Guard Corps' efforts to track its domestic and foreign adversaries in recent years by targeting US government officials, Iranian dissidents and journalists, according to new research published Wednesday.
The hackers have tried to break into the email accounts of US government officials focused on Iran policy and the mobile phones of Iranian dissidents, according to the research from US cybersecurity firm Mandiant, underscoring the extent to which the IRGC’s surveillance apparatus allegedly relies on cyber operations.
The research comes a month after US prosecutors unsealed an indictment of an IRGC member for his alleged role in a plot to assassinate former US national security adviser John Bolton. The Mandiant report does not tie Iranian hackers to that plot. But analysts do link the hackers to repression: in 2018, they allegedly targeted the Gmail account of an Iranian activist whom the Iranian government arrested earlier that year.
“In light of recent IRGC operations, we should be especially cautious of their efforts to surveil and track targets in the US and globally,” John Hultquist, Mandiant’s vice president of intelligence analysis, told CNN. “It’s one thing to be compromised where someone is going to destroy your [computer] servers and cause financial problems, but it’s another thing to be compromised by someone who has a history of political assassinations.”
Between March and June last year, the hackers used a compromised email account of someone working at a US-based think tank to target US government officials focused on Middle East and Iran policy, the report says.
It's unclear which US government agency was targeted or whether the hacking attempts were successful. A Mandiant spokesperson declined to elaborate on the anecdote. CNN has requested comment from the National Security Council on the alleged Iranian hacking attempts against US government accounts.
The research comes as the White House blamed Iran for a separate hacking incident in July that disrupted government services in Albania, a NATO member. Albanian Prime Minister Edi Rama said Wednesday that his country was severing relations with Iran over the cyberattack.
“The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace,” National Security Council spokesperson Adrienne Watson said in a statement.
CNN has requested comment from Iran’s Permanent Mission to the United Nations on the White House allegation and the Mandiant report.
US intelligence officials routinely cite Iran — along with Russia, China and North Korea — as a top threat in cyberspace, and Tehran has earned a reputation for unpredictable and disruptive hacking campaigns.
US officials repeatedly warned in the wake of the US military's killing of a senior Iranian general in January 2020 that Iran could seek an asymmetric response in cyberspace.
It's unclear to what extent that has happened, but Washington and its allies have since blamed Tehran for cyberattacks that experts consider outside the norms of state behavior in cyberspace.
FBI Director Christopher Wray in June, for example, accused Iranian government-backed hackers of an attempted hack of Boston Children’s Hospital a year prior, calling it “one of the most despicable cyberattacks I’ve ever seen.” The Iranian government denied involvement in the hack, which FBI officials say was thwarted.
Mandiant analysts said they had “moderate confidence” that the hacking group detailed in their report works for a spy agency within the IRGC based on the hackers’ targets, which match the IRGC’s mandate of pursuing external threats to the regime and perceived domestic enemies.
The hackers appear to be “trusted by the Iranian government to quickly react to geopolitical changes by adjusting their flexible operations to targets of operational interest to Tehran,” Mandiant said in its report.