Iranian hackers tied to recent U.S. presidential campaign cyberattacks abuse services like Google Workspace, Dropbox and OneDrive, says Google in a new cybersecurity report.

Google’s Theat Analysis Group found an Iranian government-backed hacking group, known as APT42, has conducted phishing cyberattacks targeting “accounts associated with the U.S. presidential election.”

“In May and June, APT42 targets included the personal email accounts of roughly a dozen individuals affiliated with President Biden and with former President Trump, including current and former officials in the U.S. government and individuals associated with the respective campaigns,” said Google in a new cybersecurity report.

“We blocked numerous APT42 attempts to log in to the personal email accounts of targeted individuals,” the report added.

[Related: The 10 Biggest Google Cloud News Stories Of 2024: AI, Failed Acquisitions And Historic Sales Growth]

APT42 generally tries to abuse services like Google Workspace—which includes Google Drive, Gmail, Sites and others—as well Dropbox and OneDrive, according to Google’s Theat Analysis Group (TAG).

TAG has detected and disrupted a “small but steady cadence” of APT42’s credential phishing attacks targeting U.S. presidential campaigns.

APT42 Tries To Abuse Google Workspace, Dropbox And OneDrive

APT42 uses a variety of different tactics as part of its email phishing campaigns, including hosting malware, phishing pages and malicious redirects.

“One campaign involved a phishing lure featuring an attacker-controlled Google Sites link that would direct the target to a fake Google Meet landing page. Other lures included OneDrive, Dropbox and Skype,” said TAG.

“Over the last six months, we have systematically disrupted these attackers’ ability to abuse Google Sites in more than 50 similar campaigns,” the report added.

APT42 is associated with Iran’s Islamic Revolutionary Guard Corps, which consistently targets high-profile users in Israel and the U.S., including current and former government officials, political campaigns, diplomats, individuals who work at think tanks, as well as academic institutions that contribute to foreign policy conversations.

Trump Campaign Confirms Hack

Last week, former President Donald Trump’s campaign confirmed that some of its internal communications had been hacked. The campaign blamed foreign sources hostile to the U.S.

Google’s TAG report does not confirm that APT42 was behind the Trump campaign hack.

In TAG’s report, it said that APT42 has successfully breached accounts across multiple email providers related to the U.S. presidential election.

“We observed that the group successfully gained access to the personal Gmail account of a high-profile political consultant,” said Google’s TAG. “We proactively referred this malicious activity to law enforcement in early July and we are continuing to cooperate with them.”

Iranian Hackers Continue Cyberattacks On U.S. Election

Today, TAG said it continues to observe unsuccessful attempts from APT42 to compromise the personal accounts of individuals affiliated with President Biden, Vice President Harris and former President Trump.

The attacks are targeting current and former government officials and individuals associated with the campaigns.

Over the past several days, three news outlets—Politico, The Washington Post and The New York Times—said they received emails with what appeared to be Trump campaign files in a leak operation.

“In the past six months, the U.S. and Israel accounted for roughly 60 percent of APT42’s known geographic targeting, including the likes of former senior Israeli military officials and individuals affiliated with both U.S. presidential campaigns,” said Google.

Google’s TAG tracks and works to disrupt more than 270 government-backed attacker groups from more than 50 countries.