Iranian Hackers Hit Former US Ambassador in Attack Targeting Trump Admin Officials

United Against Nuclear Iran is latest victim of regime's growing cyber espionage efforts

November 17, 2021

Iran is behind a series of cyberattacks on former U.S. ambassador to the United Nations Mark Wallace, according to an advocacy group, which says the hackers mimicked his email address in an attempt to infiltrate the accounts of former Trump administration officials.

Wallace, who runs United Against Nuclear Iran (UANI), an advocacy group critical of the Iranian regime and its attempts to build a nuclear weapon, was targeted by Iran-backed hackers for his work holding the regime accountable, according to the group. UANI disclosed details of the attacks publicly after reporting the incident to the FBI.

"Those responsible managed to procure data outside of the public realm, impersonated our leadership in communications with former senior officials of the U.S. government, and attempted to harvest Gmail credentials," Wallace said in a statement. "Separately, the group impersonated conference officials and attempted to lure UANI leadership to respond and click phishing links."

The hackers created a fake account in Wallace's name after an unsuccessful attempt to penetrate his real account. The fake account was used to send non-public documents to people affiliated with UANI, including former Trump administration officials, according to details of the attacks provided to the Washington Free Beacon. There is no evidence the hackers successfully compromised the accounts of those they targeted. A UANI board member was also targeted, and the hackers sent a similar batch of emails to UANI staff.

The cyber espionage campaign is the latest escalation by Iran as it targets current and former U.S. officials and attempts to seize confidential information. Iran targeted the Trump campaign with hack attacks in 2019 and has also taken aim at U.S. officials, journalists, and Iranians living abroad over the past several years. Tehran was also behind a series of fake websites that spread disinformation about the United States, Saudi Arabia, and Israel.

UANI is calling on the Biden administration to investigate these attacks and impose "fresh economic sanctions against those responsible." The group also said the attacks will not deter it from its campaign to increase pressure on the Iranian regime and prevent it from building a nuclear weapon.

Wallace told the Free Beacon it "should come as no surprise" that Iran is targeting groups and individuals who seek to counter the regime's malign behavior.

"It should prompt authorities in the U.S. to ask themselves how they can better protect Americans from a rising cyber threat," Wallace said. "Over the last several years—under the leadership of both [Iranian president] Hassan Rouhani and Ebrahim Raisi—Iran has become more brazen in its attempts to deploy cyberwarfare tactics against individuals and organizations inside and outside of government. Its capabilities are growing, and it's time for the U.S. to make threat-mitigation a priority in its dealings with Tehran."

UANI says that it was targeted soon after Google issued a security alert regarding threats originating in Iran and backed by its government. Google says an Iranian hacking collective known as APT35, or Charming Kitten, is behind a series of attacks the company cited in its report.

"APT35, an Iranian group, which regularly conducts phishing campaigns targeting high risk users. This is one of the groups we disrupted during the 2020 U.S. election cycle for its targeting of campaign staffers," Google disclosed in mid-October. "For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government."

While the hackers attempted to breach Wallace's email, they were unsuccessful due to two-factor authentication security protocols the ambassador had in place. Professional security teams hired to investigate the attacks could not detect the presence of any malware or spyware on UANI computers, indicating the attackers were unable to penetrate the group's networks.

News of the attacks comes just a day after the U.S. Cybersecurity and Infrastructure Security Agency issued an alert about separate Iranian cyber espionage campaigns.

The alert, jointly issued by the FBI and security agencies affiliated with Australia and the United Kingdom, outlined "ongoing malicious cyber activity by an advanced persistent threat" that is associated with Iran's government.

"The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the transportation sector and the health care and public health sector, as well as Australian organizations," according to the alert.

The FBI did not immediately respond to a Free Beacon request for comment on the hack against UANI.
