Mint Sandstorm, the suspected Iranian state hackers who stole a trove of emails from several of former President Donald Trump’s campaign staffers this spring, succeeded in getting some of the pilfered documents published this fall, Reuters reported Friday.
Reuters reported that Democrat operatives and an independent reporter published some of the emails beginning late last month, after Reuters and several other mainstream media outlets passed on them.
Mint Sandstorm, also known as “Phosphorus” or Advanced Persistent Threat (APT) 42 to cybersecurity researchers, is a hacking group that targets Iranian dissidents, journalists, academic institutions, and government agencies in countries that oppose the Iranian regime, including the United States and Israel.
The group, which is thought to be linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), has been known to use computer viruses, ransomware, and phishing techniques in its attacks.
In January 2024, Microsoft security researchers detected a major Mint Sandstorm campaign against research institutions and universities focused on Middle Eastern issues.
Microsoft Threat Intelligence described the hackers as “patient and highly skilled social engineers” who invested a great deal of effort in crafting realistic phishing emails, often contriving a means to send them from “legitimate accounts belonging to known people who the group’s victims would be familiar with and likely trust.”
Phishing is the practice of using fake emails to trick victims into revealing passwords and other security information, or into installing malicious code on their computers. Mint Sandstorm was unusually patient and methodical in its phishing campaign against universities, often sending its victims a few harmless fake emails to build trust before hitting them with a phishing attack. The group’s preferred technique was to trick victims into downloading a file that would give the hackers backdoor access to their computer systems.
Between May and June of 2024, Mint Sandstorm evidently waged a similar campaign against staffers with Trump’s campaign. The hackers stole data from the email accounts of these staffers, including some documents involved in vetting his running mate, Sen. JD Vance (R-OH), along with other potential running mates Sen. Marco Rubio (R-FL) and North Dakota Gov. Doug Burgum (R-ND).
The Department of Justice (DOJ) confirmed the attack in September and promised to file criminal charges against the perpetrators. Three Iranian nationals named Masoud Jalili, Seyyed Ali Aghamiri, and Yasar Balaghi were indicted on 18 criminal counts in late September, including wire fraud, identity theft, and providing material support to the IRGC, which is a designated terrorist organization.
According to the indictment, the three hackers worked for the Basij, a brutal Iranian militia overseen by the IRGC.
When announcing the indictments, Attorney General Merrick Garland said the hackers attempted to pass some of their stolen material to the re-election campaign of President Joe Biden, who was replaced as the 2024 Democrat candidate by Vice President Kamala Harris in July. A Harris spokesperson claimed her campaign refused to use stolen Trump material that was sent to it and claimed hackers targeted several of her staffers, as well.
“We condemn in the strongest terms any effort by foreign actors to interfere in U.S. elections including this unwelcome and unacceptable malicious activity,” Harris spokesperson Morgan Finkelstein said in September.
The hackers also reportedly tried to peddle their wares to Democrat-aligned major media outlets in July, including Reuters, Politico, the Washington Post, and the New York Times. The hackers assured these outlets their stolen email data would be highly damaging to the Trump campaign.
All of these outlets said they refused to accept the material, either because they did not want to do business with hackers or because the material offered was not “newsworthy” enough. Reuters reported the hackers’ email addresses to Yahoo, which shut down the accounts and worked with the FBI to track the hackers down.
The Iranian hackers finally found takers for their material in a North Carolina-based group of Democrat operatives called American Muckrakers, according to Reuters, which began publishing the stolen Trump campaign emails on September 26. The group, which has a history of trying to dig up dirt on Republican candidates, reportedly pleaded with the terrorist-linked hackers, who were communicating under an alias, to send it more files.
American Muckrakers refused to disclose more information about its source for the emails, or to comment on whether the FBI had warned it not to accept material from the hackers.
Some of Mint Sandstorm’s stolen documents were also published by an independent reporter named Ken Klippenstein, who said the FBI did contact him after he communicated with the hackers, warning him not to deal with a “foreign malign influence operation.” Klippenstein published the emails anyway, deeming them “newsworthy.”
The Iranian mission to the United Nations issued a statement on Wednesday denying any attempt to influence the outcome of the U.S. presidential election.
“Already devoid of any credibility and legitimacy, such allegations are fundamentally unfounded, and wholly inadmissible. The Islamic Republic of Iran does not engage in the internal uproars or electoral controversies of the United States,” the statement said.
“The continued perpetuation of such unfounded claims will only serve to undermine their credibility,” the statement added.