Three Iranian nationals have been indicted for hacking into the campaign of former President Donald Trump, stealing emails and documents, and then sharing them with the news media, according to U.S. officials and a federal indictment filed in Washington on Friday.
The three Iranians, identified as members of Iran's Islamic Revolutionary Guard Corps, allegedly hired "malicious cyber actors" to hack into the campaign of an unidentified presidential candidate in May and stole documents from it.
U.S. officials have privately said that Trump's campaign was the victim of the attack.
The indictment said that the personal email accounts of a former deputy director of the CIA, a former Defense Department official and an individual who appears to be longtime Trump adviser Roger Stone were also hacked.
"The American people, not a foreign power, decide the outcome of our country’s elections," Attorney General Merrick Garland said. "Not Iran and its malicious cyber activities, as laid bare in today’s indictment."
The hackers created fake email accounts where they impersonated current and former U.S. officials, and other publicly known organizations and individuals. They then conducted spear-phishing attacks that duped individuals associated with the Trump campaign into opening emails that contained malware.
In June, the hackers emailed the stolen material from Trump’s campaign to people associated with the campaign of then-candidate President Joe Biden. The FBI and other U.S. officials have said there was “currently no information” indicating that the recipients had responded to the emails.
The three Islamic Revolutionary Guard Corps members who oversaw the operation were identified in the indictment as Masoud Jalili, Seyyed Ali Aghamiri and Yasar Balaghi. They were charged with material support for terrorism, computer fraud, wire fraud and identity theft.
Iran has denied the accusations. Its ambassador to the United Nations called them “entirely baseless, lacking any credibility and legitimacy” and “in no way acceptable,” the semi-official Fars News Agency reported earlier this month.
The hack against the Trump campaign is the latest example of an increasingly brazen approach by Iran that includes alleged murder plots against dissidents and defectors on American soil and an assassination threat against Trump, U.S. officials and analysts say.
Garland said that Russia and China are attempting to sway the U.S. election as well. U.S. officials have said that, broadly speaking, Russia is trying to aid Trump’s effort to win reelection, Iran is trying to damage Trump, and China is trying to influence state and local races in ways that benefit Beijing.
Earlier this week, Matthew Olsen, the head of the department’s National Security Division, said in an exclusive interview with NBC News that the level of foreign interference in the current election is unprecedented. Olsen said that Iran, Russia and China are all trying to influence the election.
"Let me just be as clear as I possibly can be, this is not a hoax. It’s actually happening," Olsen said. "Russians, Iranians, the Chinese, they are seeking to interfere in our elections in ways that fundamentally undermine our democracy."
Olsen said the three countries — all ruled by authoritarian leaders — are seeking the same broad goals: exacerbating divisions between Americans and undermining U.S. voters' trust in the election results and American democracy itself.
"Foreign governments are seeking to undermine our country, undermine our democracy, undermine our national security," Olsen said. "They’re seeking to promote their own authoritarian goals by sowing discord within our country and undermining our confidence in our elections."
A senior U.S. official told NBC News on Friday that no evidence has been found that Iran, Russia and China are directly coordinating their election influence efforts.
On a press call Friday, an FBI official declined to definitively state that the hackers had been fully cleared from the Trump campaign or unable to regain access. “When it comes to advanced persistent threat actors, you can never be fully confident that you have eradicated them from an environment. So we remain fully engaged with the victims in this case, which include presidential campaigns as well as individuals associated with those campaigns.”
First publication of stolen documents
On Thursday, an American journalist who runs an independent newsletter published a document that appears to have been stolen from Trump’s presidential campaign. It was the first public posting of a file believed to be part of the Iranian effort to manipulate the U.S. election.
The PDF document is a 271-page opposition research file on Trump’s running mate, Sen. JD Vance, R-Ohio.
For more than two months, hackers who stole the documents tried to persuade members of the American media to write about or publish the files they stole. No outlets did.
On Thursday, reporter Ken Klippenstein, who self-publishes on Substack after he left The Intercept this year, published one of the files.
“If the document had been hacked by some ‘anonymous’ like hacker group, the news media would be all over it,” Klippenstein wrote. “I’m just not a believer of the news media as an arm of the government, doing its work combating foreign influence. Nor should it be a gatekeeper of what the public should know.”
Reporters who have received the documents describe the same pattern: An AOL account emails them files, signed by a person using the name “Robert,” who is reluctant to speak about their identity or reasons for wanting the documents to receive coverage.
NBC News was not part of the Robert persona’s direct outreach, but it has viewed its correspondence with a reporter at another publication.
One of the emails from the Robert persona previously viewed by NBC News included three large PDF files, each corresponding to Trump’s three reported finalists for vice president. The Vance file appears to be the one Klippenstein hosts on his site.
John Hultquist, a lead analyst at Google’s Threat Intelligence Group, said the IRGC controls “multiple contractors who have carried out many of the most audacious cyber incidents we have seen in the Middle East, Europe, and the U.S., including activity during this and previous presidential election cycles.”
“IRGC actors regularly leverage destructive attacks, faked content … They regularly assume the guise of hacktivists or criminals and have increasingly targeted random individuals through email and even text messages … Most of this activity is designed to undermine trust in security, and is used to attack confidence in elections in particular.”
Russia's effort to aid Trump
Earlier this month, Justice Department prosecutors indicted two RT employees, Konstantin Kalashnikov and Elena Afanasyeva, and accused them of using a Tennessee-based company as part of “covert projects” to influence American politics by posting videos to TikTok, Instagram, X and YouTube.
The RT employees sent millions of dollars to prominent right-wing commentators through a media company that appears to match the description of Tenet Media, a leading platform for pro-Trump voices, according to an NBC News review of charging documents, business records and social media profiles.
Tenet posted nearly 2,000 videos that got more than 16 million views on YouTube since November 2023, according to the indictment.
It is not clear, though, what impact the foreign influence operations are having on American voters. Tenet was competing for attention in an oversaturated online space and among an electorate that, after years of consuming hyper-polarized content online, tends to seek and be served information that reinforces preexisting beliefs.
Justice Department officials said the threat of foreign interference remains serious and vowed to continue investigating foreign government actions related to the 2024 election. Olsen urged Americans to be skeptical of unvetted information.