ClickCease US Elections: Iranian Hackers Target Political Campaigns - TuxCare

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

US Elections: Iranian Hackers Target Political Campaigns

by Wajahat Raja

September 12, 2024 - TuxCare expert team

With elections, there have always been accusations of rigging and corruption and it’s possible that such claims may hold some truth in different countries worldwide. However, the US elections have recently been subjected to the influence of cybercrime.

Such a scenario is the result of Iranian hackers targeting political campaigns that may influence the US elections. In this article, we’ll dive into details of the target initiative and see what the Iranian cyber espionage is all about.

US Elections Under Threat

As per recent media reports, cyber security experts have linked Iranian hackers to setting up a new infrastructure used for support activities related to political campaigns. Experts at Inskit Group have linked these hackers to the threat actor cluster being referred to as the GreenChaelie hacking group. GreenCharlie is an Iran-nexus threat actor group overlapping with:

  • APT42.
  • Charming Kitten.
  • Damselfly.
  • Mint Sandstorm.
  • TA453, and Yellow Garuda.

The cybersecurity company, providing insights pertaining to the group’s infrastructure, stated that:

“The group’s infrastructure is meticulously crafted, utilizing dynamic DNS (DDNS) providers like Dynu, DNSEXIT, and Vitalwerks to register domains used in phishing attacks. These domains often employ deceptive themes related to cloud services, file sharing, and document visualization to lure targets into revealing sensitive information or downloading malicious files.”

GreenCharile Hacking Group Track Record

It’s worth mentioning here that the adversary is known for staging phishing attacks that are highly targeted. Such attacks leverage social engineering techniques that aid in infecting users’ systems with malware. Two common examples of such malware include POWERSTART and GORBLE.

Malware such as GORBLE, TAMECAR, and POWERSTART are known to be variants that belong to the same malware family. These payloads are a series of PowerShell implants that are continuously evolving and have been deployed by the GreenCharlie hacking group in recent years.

In addition, BlackSmith, another variant pertaining to the malware family, was also used to target a prominent Jewish figure in July 2024 via a spear-phishing campaign.

DDNS Phishing Infrastructure

The infection process of cyber attacks allegedly threatening the US elections is one that’s categorized to be among multiple stages.

Initially, it involves acquiring access through phishing techniques. Once the access has been acquired, follow-up communications with the command-and-control (C2) servers are developed. Afterward, either the data is exfiltrated or additional payloads are delivered.

Apart from this, the threat actor had registered a large number of DDNS domains since May 2024. In addition, communication between Iran-based IP addresses, 38.180.146[.]194 and 38.180.146[.]174, and the GreenCharile hacking group’s infrastructure during July and August 2024 was also identified.

It’s worth noting that a link between the GreenCharlie clusters and C2 servers used by GROBLE has also been identified. Operations pertaining to the link are said to be facilitated by Proton VPN or Proton Mail. Commenting on the group’s phishing tactics that could threaten the US elections, Recorded Future, a cybersecurity company, said:

“GreenCharlie’s phishing operations are highly targeted, often employing social engineering techniques that exploit current events and political tensions.” 

Conclusion

The threat posed by the GreenCharlie hacking group highlights the evolving landscape of cyber warfare, where foreign adversaries target key political events to influence outcomes. This ongoing digital assault underscores the urgent need for robust cybersecurity measures to safeguard democratic processes and protect the integrity of future US elections.

The sources for this piece include articles in The Hacker News and CYPRO.

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Become a TuxCare Guest Writer

Mail

Help Us Understand
the Linux Landscape!

Complete our survey on the state of Open Source and you could win one of several prizes, with the top prize valued at $500!

Your expertise is needed to shape the future of Enterprise Linux!