Google: Biden and Trump campaigns targeted by separate spearphishing campaigns

Google Threat Analysis Group has seen Chinese and Iranian nation-state linked hackers targeting Joe Biden and President Donald Trump’s campaigns.
President Donald Trump speaks at a rally in February. His campaign staff has been targeted with spearphishing emails from Iranian-linked hacker groups. (Flickr/Gage Skidmore)

Hackers linked with China and Iran have been sending malicious spearphishing emails to staff on Joe Biden and President Donald Trump’s campaigns respectively, according to a researcher with Google’s Threat Analysis Group.

Chinese government-linked hackers have been targeting Biden’s staffers, whereas Iranian government-linked hackers have been targeting Trump’s campaign, according to Shane Huntley, the Director of Google’s Threat Analysis Group.

There is no evidence that the hacking attempts have resulted in compromises, Huntley said.

This is just the latest warning from security researchers and the U.S. intelligence community that foreign government-backed hackers are interested in targeting various U.S. presidential campaigns during the 2020 election cycle, in what is turning out to be a tumultuous year for American citizens amid economic turmoil, the coronavirus pandemic, and mass protests about racism.


“The Trump campaign has been briefed that foreign actors unsuccessfully attempted to breach the technology of our staff,” the Trump campaign told CyberScoop in a statement. “We are vigilant about cybersecurity and do not discuss any of our precautions.”

“We have known from the beginning of our campaign that we would be subject to such attacks and we are prepared for them,” the Biden campaign said in a statement on the spearphishing.

The Biden campaign is being targeted by a group known as APT31 or Zirconium, a cyber-espionage group that has been known to target telecommunications and technology companies, according to CrowdStrike. APT31 has also targeted NGOs in the past, FireEye Senior Director of Intelligence John Hultquist told CyberScoop.

In the past 45 days, the hacking group has been “very very busy,” according to one Microsoft Threat Intelligence Center analyst.

The Iranian actors targeting Trump’s re-election campaign are known as APT35 or Charming Kitten. That group has targeted accounts associated with the Trump campaign in the past, according to Reuters. Historically, Charming Kitten has been known to target energy, government, and technology sectors, according to MITRE.


In recent months, the group has also targeted cybersecurity researchers who investigate its intrusions, and has previously focused on others with an interest in Iran, such as journalists and activists. Charming Kitten has also been known to go after businesses and government agencies.

It wasn’t clear what the hackers’ ultimate goals were, but like Russian hackers in the 2016 presidential election, these hackers could be interested in conducting cyber-espionage or leaking information.

“Based on the history, it’s important to remember that we may be looking at a scenario like 2016, where there is leaking or some overt effort to engage with the electorate,” Hultquist told CyberScoop. “Campaigns are where policy is born, and most of these actors their primary responsibility is gathering information on foreign policies of their countries’ adversaries. There’s no better place to start than a campaign.”

In previous campaigns the Chinese hackers have moved laterally once inside victim networks, stolen credentials, and continued attacking targets even after remediation, according to CrowdStrike.

“The determination of this China-based adversary is truly impressive: they are like a dog with a bone,” Dmitri Alperovitch, co-founder of CrowdStrike, wrote in a 2015 analysis of the group.


Google has referred the targeting to law enforcement, Huntley said.


Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
