As the US presidential election draws closer, Iran-linked groups are intensifying their efforts to influence the outcome, according to a new report from Microsoft.
The Microsoft Threat Intelligence Report, released on Friday, details how these groups have been setting up and launching influence campaigns aimed at swaying voters, particularly in swing states, while also conducting operations to gather intelligence on political campaigns, potentially laying the groundwork for future interference.
The report revealed that an Iranian group named Storm-2035 has launched covert news sites targeting both left-leaning and conservative US voters, using AI to plagiarize content and promote divisive political messages.
Another group called Sefid Flood has been preparing since March for potentially extreme influence operations, including “intimidation or inciting violence against political figures,” aiming to incite chaos, undermine authorities, and sow doubt about election integrity.
IRGC-linked hackers targeting senior officials before US election
Moreover, Microsoft reported that Mint Sandstorm—a group run by the Islamic Revolutionary Guard Corps (IRGC) intelligence unit—attempted to hack the account of a senior US official involved in a presidential campaign.
The incident involving what Microsoft called a “high ranking official” happened in June, just weeks after a breach discovered on the account of a county-level US official.
“A group run by the IRGC intelligence unit sent a spear-phishing email to a high-ranking official of a presidential campaign” and “another group with assessed links to the IRGC compromised a user account with minimal access permissions at a county-level government,” the report said, directly naming Iran.
Additionally, in May, Peach Sandstorm—another group linked to the IRGC—compromised the account of "a county-level government employee in a swing state." Microsoft noted that this group has been active since September 2023, primarily targeting US government organizations in swing states.
US intelligence officials recently acknowledged that Iran had ramped up its use of clandestine social media accounts with the aim of sowing political discord before the polls.
Iran has denied the allegations, with a statement from the UN Mission in New York to Reuters saying that the country’s cyber capabilities were "defensive and proportionate to the threats it faces" and that it had no plans to launch cyber-attacks.
"The US presidential election is an internal matter in which Iran does not interfere," the mission told Reuters in response to the allegations in the Microsoft report.
Microsoft also noted that the latest incident is part of an increase in activity trying to glean intelligence on US political campaigns and attempting to target swing states.
The successful breach in May of a county-level employee's account, Microsoft said, was part of a "password spray operation" in which hackers use common or leaked passwords en masse until they can break into one. However, no other accounts were breached.
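The password-spray pattern described above (one source trying a few common passwords against many accounts, staying under per-account lockout) leaves a recognisable footprint in authentication logs. The following detector is an added example written for this page, not code from Microsoft's report; the log format, IP addresses, usernames and thresholds are constructed.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample log, not real telemetry: "<timestamp> <result> user=<name> src=<ip>".
# 203.0.113.7 tries a guess against many accounts and lands one hit (a spray);
# 198.51.100.9 hammers a single account (brute force, not a spray).
SAMPLE_LOG = """\
2024-05-02T03:10:01Z FAIL user=aadams src=203.0.113.7
2024-05-02T03:10:03Z FAIL user=bbrown src=203.0.113.7
2024-05-02T03:10:05Z FAIL user=cclark src=203.0.113.7
2024-05-02T03:10:07Z FAIL user=ddavis src=203.0.113.7
2024-05-02T03:10:09Z FAIL user=eevans src=203.0.113.7
2024-05-02T03:10:11Z OK user=ffoster src=203.0.113.7
2024-05-02T03:12:00Z FAIL user=ggreen src=198.51.100.9
2024-05-02T03:12:02Z FAIL user=ggreen src=198.51.100.9
2024-05-02T03:12:04Z FAIL user=ggreen src=198.51.100.9
2024-05-02T03:12:06Z FAIL user=ggreen src=198.51.100.9
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].startswith("user=") or not parts[3].startswith("src="):
            continue
        events.append({"ts": parts[0], "result": parts[1],
                       "user": parts[2][5:], "src": parts[3][4:]})
    return events


def find_spray_sources(events, min_accounts=5, max_fails_per_account=2.0):
    """Flag sources whose failures are spread thinly across many distinct accounts.

    A spray keeps fails-per-account low (to dodge lockout) but is wide across users;
    brute force against one account has a high ratio and is not flagged here.
    Any success from a flagged source is reported as a likely compromised account.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    successes = defaultdict(set)                   # src -> users that logged in
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1
        elif ev["result"] == "OK":
            successes[ev["src"]].add(ev["user"])
    alerts = {}
    for src, per_user in fails.items():
        accounts, total = len(per_user), sum(per_user.values())
        if accounts >= min_accounts and total / accounts <= max_fails_per_account:
            alerts[src] = {"accounts_tried": accounts, "failed_attempts": total,
                           "compromised": sorted(successes.get(src, set()))}
    return alerts
```

In the sample, only 203.0.113.7 is flagged, and the single successful login from that source is surfaced as the account to investigate, matching the one-account outcome the report describes.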
Another Iranian group had launched “covert” news sites, Microsoft added, using AI to lift content from legitimate sources in order to target US voters across the political spectrum. It named Nio Thinker, a left-leaning site, and a conservative site called Savannah Time, which share similar formats and list no contact details.
US intelligence warned in July that, in addition to Iran, Russia and China were also conducting clandestine operations ahead of the upcoming elections. The three "rogue" states have been recruiting people in the US to spread propaganda, though the Iranian government denies the allegations.
As the elections near, the US remains on high alert for Iranian attacks. The 2024 annual threat assessment warned that "ahead of the US election in 2024, Iran may attempt to conduct influence operations aimed at US interests, including targeting US elections, having demonstrated a willingness and capability to do so in the past."
The assessment noted that during the US election cycle in 2020, Iranian cyber actors obtained or attempted to obtain US voter information, sent threatening emails to voters, and disseminated disinformation about the election.
"The same Iranian actors have evolved their activities and developed a new set of techniques, combining cyber and influence capabilities, that Iran could deploy during the US election cycle in 2024," the report added.
In the 2020 election campaign, the FBI reported that Iranian operatives impersonated members of the right-wing Proud Boys group as part of a voter intimidation effort. Two men were charged.
Later that year, Iranian hackers breached a website that a municipal government in the US used to publish election results, though the attackers were caught before carrying out any nefarious activity, US cybersecurity officials said.
As the campaign ramps up, on Wednesday, the US State Department identified six alleged Iranian officials accused of compromising industrial control systems used by American public utilities.
Offering a $10m reward for information on their identity and whereabouts, the US said the six officials are linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and its Cyber-Electronic Command (IRGC-CEC).
One of the men named was Hamid Reza Lashgarian, head of the IRGC’s cyber-electronic command and a commander in the IRGC-Qods Force.
The suspects have also been linked to the hacking group CyberAv3ngers, which in October publicly took credit for cyberattacks against Israeli PLCs.
The activity is part of an ongoing cyber-war launched by Tehran. In February, the US imposed sanctions on the same six individuals for their “deliberate targeting of critical infrastructure.”
A Treasury Department official condemned the attacks as “unconscionable and dangerous,” emphasizing that the US “will not tolerate such actions and will use the full range of our tools and authorities to hold the perpetrators to account.”
In April, the US imposed sanctions on four men and two companies accused of conducting cyber-attacks for the Iranian military. The US Treasury Department said they were involved in "malicious cyber-activity" to the benefit of Iran's Islamic Revolutionary Guard Corps' Cyber-Electronic Command (IRGC-CEC).
Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, said: “Iranian malicious cyber actors continue to target US companies and government entities in a coordinated, multi-pronged campaign intended to destabilize our critical infrastructure and cause harm to our citizens."
State Department spokesman Matthew Miller also said in a statement that Washington “will not tolerate malicious cyber activities victimizing US companies.”
The US Justice Department and FBI simultaneously unsealed an indictment against the four men, accusing them of participating in a coordinated hacking campaign from around 2016 to April 2021 that targeted American firms and crucial government departments.
In June, Microsoft President Brad Smith revealed that the company detects around 300 million cyberattacks targeting its customers daily, with a majority originating from China, Iran, North Korea and Russia.
As Iran steps up its cyber war globally, cybersecurity firm Check Point revealed last month that the Iranian hacker group MuddyWater has expanded its operations to countries such as Azerbaijan, Portugal, Turkey, Saudi Arabia, and India, using newly developed malware.
International organizations, including the US Cybersecurity and Infrastructure Security Agency, have attributed MuddyWater to Iran's ministry of intelligence.
MuddyWater, also known as APT34 and OilRig, has been active for several years, focusing on cyber-espionage against private and governmental organizations in the Middle East and Western countries.