WASHINGTON — A federal grand jury in Washington has indicted three members of a cyberespionage unit associated with Iran’s Revolutionary Guard for mounting wide-ranging attacks targeting politicians, officials and journalists that led to the hacking of the Trump campaign this summer.
The Iranians unleashed a barrage of malicious emails to a wide array of targets over the past four years, hoping to gain access to email accounts and databases. In 2024, the group, linked to Iranian military intelligence, sharpened its focus to undermine former President Donald Trump, whom they regard as their most implacable enemy, according to an indictment unsealed Friday.
The attacks were “part of Iran’s continuing efforts to stoke discord, erode confidence in the U.S. electoral process and unlawfully acquire information related to former and current U.S. officials,” prosecutors wrote.
The hackers — identified in the indictment as Masoud Jalili, Seeyed Aghamiri and Yasar Balaghi — all live in Iran, making it unlikely they would face justice in a U.S. courtroom. They have been charged with wire fraud, identity theft, providing material support to a terrorist organization and a variety of cybercrimes.
“The defendants’ own words made clear that they were attempting to undermine former President Trump’s campaign in advance of the 2024 U.S. presidential election,” Attorney General Merrick Garland said during a news conference.
The influence campaign described in the indictment suggests that Iran’s cyberskills and ambitions have expanded in recent years, as it has learned from techniques that Russia and China have mastered. It suggests rapid progress over the past 15 years, when Iran created its first “cybercorps,” partly in response to a successful American-Israeli breach of its nuclear production facility at Natanz that destroyed hundreds of the country’s nuclear centrifuges.
In the 2016 election, Iran was barely capable of initiating a successful cyberattack, and in 2020, its interventions were clumsy. But by this June, it was able to provide people in President Joe Biden’s camp “final prep” materials from the Trump campaign on the day of the first presidential debate, prosecutors said.
The indictment, while expected, highlighted the heightened threat posed by hostile international actors, using cyberattacks in hopes of disrupting the U.S. election and intimidating domestic dissidents abroad. But those three powers, Iran, Russia and China, partners in many arenas, are pursuing different strategies. Russia has been intervening on Trump’s behalf, intelligence officials say, while Iran has opposed him. China has not taken a clear side but has worked to advance its interests more broadly.
From 2020 to May 2024, the three men named in the filing, all experienced hackers, targeted dozens of current and former officials at the White House, National Security Council, Defense Department, CIA and a former U.S. ambassador to Israel — “apparently without success,” according to the 37-page indictment.
They also tried to compromise the accounts of at least two journalists as well as members of international nongovernmental organizations, think tanks based in Washington, foreign intelligence agencies, human rights groups, officials with Afghanistan’s government and United Nations personnel, mostly without success.
Iran’s mission to the United Nations has repeatedly denied the accusations. “The Iranian government neither possesses nor harbors any intent or motive to interfere in the United States presidential election,” it said in a statement last month when U.S. intelligence officials publicly accused Iran of hacking the Trump campaign.
The indictment did not identify the Trump campaign officials whose accounts had been hacked, but one person targeted was Susie Wiles, a senior adviser to the former president, according to someone familiar with the situation who spoke on the condition of anonymity to disclose details intended to be private.
Iran was able to infiltrate the Trump campaign after gaining access to the email accounts of a longtime political adviser, Roger Stone, in a type of breach that allows a hacker to infiltrate a circle of people by impersonating someone they communicate regularly with.
The material, stolen in what the government called a “hack-and-leak” operation, was sent to journalists at The New York Times and other outlets but was not widely published. The Times and other news organizations concluded that its publication was likely to serve the interests of the attackers. Even then, Iran was the lead suspect.
Iran’s hostility to Trump also includes an apparent effort to kill him, U.S. officials have said. Intelligence agencies have been tracking a potential Iranian assassination plot against Trump, and in August, the Justice Department charged a Pakistani man who had recently visited Iran with trying to hire a hit man to assassinate political figures, including the former president.
The hackers were motivated, in part, by a desire to avenge the killing of Qassem Soleimani, the commander of the Quds Force of Iran, in January 2020 in a drone attack approved by Trump. They also blame Trump for reimposing economic sanctions on Iran after he pulled out of the 2015 nuclear agreement, in which Iran agreed to give up 97% of its nuclear fuel and vastly reduce its capabilities to make more.
Soon after, the Iranian hackers began creating false online personas as a precursor to launching spear-phishing attacks, including targeting the spouse of a Supreme Court justice and prominent conservatives.
But Iran’s efforts intensified drastically this year, with a push to infiltrate Trump’s inner circle, obtain compromising internal communications and leak them to the news media and Democrats. The indictment documents detail those efforts, from May to August, starting with the successful attempt to engage Stone, followed by the steps the hackers took to gain access to email accounts of people in his trusted circle.
On June 27 — hours before Biden’s fumbling debate performance against Trump, which ultimately led to his decision to drop out of the presidential race — the Iranians, using a false identity, reached out to people in Biden’s camp to offer up the stolen materials.
“I’m going to be pass some materials along to you that will be useful in defeating” Trump, one of the hackers wrote in an email that included the pilfered information in its body. “Read and be strong and ready or tonight.”
The Iranians seemed to be following the election so closely, they offered punditry, opining that the debate was Biden’s “last chance” — and accurately predicting that he would have to step aside if he foundered.
Garland would not comment on the Biden campaign’s subsequent actions, other than to say that it did not respond to the hackers and that both the Harris and Trump campaigns have cooperated fully with the FBI’s investigation.
“We’re not aware of any material being sent directly to the campaign; a few individuals were targeted on their personal emails with what looked like a spam or phishing attempt,” said Morgan Finkelstein, a spokesperson for the Harris campaign.
In July, the Iranians began sending stolen vetting materials about Trump’s running mate, JD Vance, to reporters and continued to extract internal communications from Trump-related accounts as recently as Aug. 12, according to the indictment.
“Let’s be clear what we’re talking about — attempts by a hostile foreign government to steal campaign information from one presidential candidate, and shop it around to that candidate’s opponent and the media,” Christopher Wray, the director of the FBI, said in a statement.
In coordination with the indictment, the State Department offered a reward of up to $10 million for information on the hackers, while the Treasury Department issued sanctions against the men.
This article originally appeared in The New York Times.
© 2024 The New York Times Company