Meet the Iranian cyberattackers suspected of trying to hack the U.S. election

This article was originally published on Washington Times - World. You can read the original article HERE

Iran’s Islamic Revolutionary Guard Corps is the driving force behind a sophisticated, multi-pronged effort to digitally disrupt the U.S. election, according to cybersecurity professionals.

These cyber professionals say the IRGC is relying on groups of high-level hackers specializing in deceptive and covert operations to hack into campaigns and swing-state governments, with the goal of spreading propaganda and tricking American voters.

The U.S. intelligence community issued a rare alert on Monday saying Iranian cyberattackers sought to pry inside presidential campaigns of both major American political parties and were responsible for efforts to penetrate former President Donald Trump’s team. Iran has denied any wrongdoing and said the U.S. government must provide evidence for its allegations.



“The Islamic Republic of Iran harbors neither the intention nor the motive to interfere with the U.S. presidential election,” Iran’s Mission to the United Nations said in an email. “Should the U.S. government genuinely believe in the validity of its claims, it should furnish us with the pertinent evidence — if any — to which we will respond accordingly.”

But American technology companies have compiled extensive data documenting the alleged Iranian hackers’ attempted cyberattacks.

To hack into campaigns themselves, Iran is relying on attackers alternatively identified as Mint Sandstorm, Charming Kitten, APT35 and APT42, cybersecurity professionals say.

The targeting of swing state governments is the purview of hackers referred to as Peach Sandstorm, Refined Kitten, and APT33.

And efforts to misinform American voters are the task of the International Union of Virtual Media and another group called Storm-2035, analysts say.

Membership in these groups changes often, according to Chuck Freilich, senior researcher at Israel’s Institute for National Security Studies. He wrote earlier this year that the shifting associations help blur the lines and camouflage operations.

“The Basij, a paramilitary force under the [IRGC] and that is responsible for domestic order, claims to have 1,000 cyber battalions around the country,” he wrote. “The Basij outsources cyberattacks to some 50 different hacktivist groups, which operate independently, compete for contracts, and have their own modus operandi and targets.”

The web of cyberattackers

Hackers that cybersecurity companies track as various “kittens” are among the groups competing for business, according to Mr. Freilich, former deputy national security adviser in Israel.

The cyberattacking group Charming Kitten is identified as Mint Sandstorm by Microsoft, which assesses the group is run by the IRGC’s intelligence unit.

The tech company said in an August report that the hackers targeted a high-ranking official of a presidential campaign in June using a compromised account of a former senior adviser.

Microsoft did not identify the targeted victim, but the Trump campaign subsequently said that it was hacked, its internal documents leaked to U.S. media outlets, and that Iran played a role. Microsoft declined to comment for this article.

While Mint Sandstorm attempted to use a former adviser’s email to penetrate a campaign this time around, in other instances they have disguised themselves as journalists, according to cybersecurity firm Hive Pro, which has offices in Virginia, India, and the United Arab Emirates.

“We have seen as a trend that all the emails which they send introduce themselves as journalists and then from there onwards, they proceed,” said Purvi Garg, head of products at Hive Pro. “This is the trend that we have seen. Not necessarily that all their emails are specific to that but most of them are related to this.”

Microsoft said Mint Sandstorm has been active since at least 2013, and the company said in January that Google’s Mandiant division refers to the group as APT42.

Google’s Threat Analysis Group said last week it disrupted APT42’s attempts to hack into Mr. Trump and President Biden’s campaigns in May and June. The effort took place before Mr. Biden stepped aside as the Democratic presidential nominee in favor of Vice President Kamala Harris. The APT42 attack targeted “roughly a dozen individuals,” Google said, connecting the malicious cyber activity directly to the IRGC.

Target: Swing states

Iranian hackers are not exclusively interested in the major candidates’ campaigns. Microsoft has observed Peach Sandstorm targeting swing states.

Microsoft links Peach Sandstorm, also known as Refined Kitten and APT33, to the IRGC and said it observed the group compromising a “user account with minimal access permissions at a county-level government in a swing state.”

“Since early 2023, Peach Sandstorm’s operations have focused on strategic intelligence collection … with some targeting of U.S. government organizations, often in swing states,” Microsoft said in its August report.

Establishing clear links between hackers and governments is difficult.

For example, a Mandiant team in 2017 said it discovered the user “xman_1365_x” looked to be involved in the development and use of a technical backdoor created by APT33. Mandiant said the user had ties to the Nasr Institute, which is controlled by Iran and previously launched attacks against the financial industry.

Information-sharing between cybersecurity professionals also helps assemble the clues into meaningful digital forensics.

Ms. Garg said Hive Pro collects data, scours the dark web, and has an internal team validating information. She said Hive Pro checks with other companies, such as Microsoft, to cross-reference its information.

Hive Pro isn’t the only one. OpenAI said last week that information from Microsoft helped its investigation into an Iranian influence network using its popular chatbot ChatGPT.

“We identified and took down a cluster of ChatGPT accounts that were generating content for a covert Iranian influence operation identified as Storm-2035,” OpenAI said on its website. “We have banned these accounts from using our services, and we continue to monitor for any further attempts to violate our policies.”

The Iranian influence effort created long-form articles for websites posing as liberal and conservative news outlets and generated content for social media under a similar disguise. The content covered a variety of items, with topics including the U.S. presidential election, the conflict in Gaza, and Israel’s presence at the Olympics.

Other cybersecurity firms have spotted Iran’s covert social media influence efforts. Recorded Future said it observed a covert social media campaign affiliated with Iran’s International Union of Virtual Media.

Sean Minor, who investigates influence operations for Recorded Future, said during an August webinar that IUVM was responsible for a digital campaign to make voters think the attempted assassination of Mr. Trump was fiction.

The U.S. Treasury Department sanctioned IUVM in October 2020 for previous efforts to influence elections. The department said then that the IUVM was controlled by the IRGC’s Quds Force.

Exposure of Iran’s covert influence efforts is not likely sufficient to stop their agenda. U.S. intelligence officials have branded Iran a “chaos agent” in the upcoming election in contrast to other foreign adversaries such as China, which appears far more cautious and calculating.

Hacking operations and anti-American propaganda are unlikely to be the only items on Iran’s menu for digitally disrupting the U.S. elections.

Last month, the FBI and the Cybersecurity and Infrastructure Security Agency warned of potential Distributed Denial of Service attacks overwhelming election-related websites with traffic as the November contest approaches.
