By Clare O’Gara
Fri | Jun 5, 2020 | 5:30 AM PDT

Chances are, the concept of "a foreign government interfering in an American election" sounds pretty commonplace to you.

Not that this reality is a good thing. But over the last four years, it has started to feel like the norm.

And according to Google, it's happening again in 2020.

APT groups target Trump and Biden campaigns

With an acronym like TAG, you might expect a lighthearted, playful Google group running in a field.

But Google's Threat Analysis Group (TAG) is anything but. This specialized team hunts down major cybersecurity threats, including tracking nation-state hacking groups.

And according to Shane Huntley, Head of TAG, the team recently uncovered some vital security intel regarding the 2020 U.S. presidential election. Huntley explains that the group recently:

"...saw China APT group targeting Biden campaign staff & Iran APT targeting Trump campaign staff with phishing. No sign of compromise. We sent users our govt attack warning and we referred to fed law enforcement."

The APT groups in question, he says, are APT31 and APT35.

These are the two groups and the nation-states they are attached to:

  • APT31: Also known as Zirconium or Hurricane Panda, APT31 is a Chinese state-sponsored hacking group active since 2016. Its focus is intellectual property theft.
  • APT35: Otherwise known as Newscaster or Charming Kitten, APT35 is an Iranian cyber-espionage group sponsored by the Iranian government. Around since 2014, this group tends to target U.S. and Middle Eastern militaries, diplomatic and government personnel, organizations in the media, energy and defense industrial bases (DIB), and the engineering, business services, and telecommunications sectors.

Phishing is central to both the Biden and Trump campaign attacks, and it is a typical tactic in nation-state attacks against political campaigns.

When SecureWorld covered Russia's hack of the DNC, we noted that Russia used similar tactics in 2016. In fact, phishing was integral to the first three steps of the hack:

  1. The start, March 2016: The Russians spearphished Clinton Campaign Chairman John Podesta by sending him a spoofed "security notification from Google" to click a link and update his password.
  2. That email used a URL shortener to mask the actual link and hide where it would take Podesta.
  3. Podesta followed the link and entered his username and password, which gave the Russians access to his email account, which "consisted of over 50,000 emails."
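The three signs in the sequence above (a sender posing as Google, a shortened link that hides its destination, and a "change your password" call to action) are all visible in the message before anyone clicks. The following mail-triage heuristic is an added example written for this article; it is not SecureWorld's, Google TAG's or Digital Shadows' code. The shortener host list, the Google domain list and both sample messages are constructed assumptions for the example, not data from the reporting.

```python
"""Flag the signs of a credential-phishing lure of the kind described above:
a display name that claims a brand the sender domain does not belong to,
a link hidden behind a URL shortener, and a password-reset call to action.
Sample messages below are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a short list of public URL-shortener hosts (not from the article).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Assumption: domains a genuine Google account notice sends from and links to.
BRAND_DOMAINS = {"google": {"google.com", "googlemail.com"}}
LURE_PHRASES = ("change your password", "update your password", "verify your account")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse_message(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # single-part text message assumed
    findings = []

    # 1. Display name or subject claims a brand the sender domain does not belong to.
    claimed = [brand for brand, doms in BRAND_DOMAINS.items()
               if brand in (display + " " + subject).lower()
               and not _belongs_to(sender_domain, doms)]
    for brand in claimed:
        findings.append(f"sender domain {sender_domain!r} does not belong to claimed brand {brand!r}")

    # 2. Links whose destination is hidden by a shortener, or that point off-brand.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link hides destination: {url}")
        elif claimed and not any(_belongs_to(host, BRAND_DOMAINS[b]) for b in claimed):
            findings.append(f"link host {host!r} does not match claimed brand: {url}")

    # 3. A credential call to action in the body.
    text = body.lower()
    for phrase in LURE_PHRASES:
        if phrase in text:
            findings.append(f"credential call to action: {phrase!r}")
            break
    return findings


def risk_level(findings):
    """Coarse triage verdict: two or more independent signs is 'high'."""
    if not findings:
        return "low"
    return "high" if len(findings) >= 2 else "medium"


# Constructed lure modelled on the spoofed "security notification" described above.
LURE = """From: Google <no-reply@accounts-security.example.net>
To: staffer@example.org
Subject: Someone has your password

Someone just used your password to sign in to your account.
You should change your password immediately: https://bit.ly/xyz-constructed
"""

# Constructed benign notice: brand name matches the sender and link domains.
BENIGN = """From: Google <no-reply@accounts.google.com>
To: staffer@example.org
Subject: New sign-in from Windows

We noticed a new sign-in to your Google Account. If this was you, no action is needed.
Review activity: https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        found = analyse_message(raw)
        print(f"{label}: {risk_level(found)}")
        for f in found:
            print("  -", f)
```

The checks are deliberately simple string and host comparisons so that they can run inside a mail gateway or a SOAR playbook before a user sees the message; they are heuristics, not proof, and a shortened link should be expanded server-side (never by the recipient clicking it) before a verdict is final.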

Nation-state hackers targeting 2020 political campaigns

It's clear that foreign interference in elections and campaigns is rapidly becoming a mainstay in American politics.

Charles Ragland, security engineer at Digital Shadows, says this trend is continuing from previous election cycles:

"As we have seen in recent history, APT groups targeting political campaigns is nothing new. These groups may be looking to use information that they obtain to sow discord in the country of the ongoing campaign. They may also use it for more traditional intelligence collection to inform other actions. As more and more communication is done online, this trend is likely to continue."

But Google's TAG team did offer a few recommendations in a recent blog post about these attacks:

"Our improving technology has enabled us to significantly decrease the volume of phishing emails that get through to our users. Automated protections, account security (like security keys), and specialized warnings give Gmail users industry-leading security."

Microsoft has been increasing its Outlook security controls, as well.

This story serves as a reminder for all organizations that nation-state hackers continue to search the U.S. and the world for both proprietary and sensitive data.