Foreign cyber actors have a history of low-cost, high-impact operations against U.S. elections. Iran is part of that pattern. It does not need to break vote tallies to shape an outcome. What it needs is access to campaign communications, stolen internal documents, or believable influence narratives. Those are precisely the tools Tehran has used before, and they are the tools every campaign must defend against now.

Background and proven tradecraft

Iranian state-linked actors have repeatedly blended social engineering, credential theft, and online influence to push narratives and intimidate voters. U.S. government reporting and sanctions document a 2020 campaign in which Iranian APT actors scanned state election websites, obtained at least one set of voter registration data, and distributed voter intimidation messages and disinformation (CISA / FBI advisory AA20-304A, Oct. 2020). The Intelligence Community concluded in March 2021 that Iran conducted covert influence and cyber operations around the 2020 election aimed at undermining confidence in the process and harming the reelection prospects of then-President Trump (ODNI, Mar. 16, 2021). The U.S. Treasury later sanctioned Iranian cyber actors accused of attempting to influence the 2020 vote (Treasury press release, Nov. 18, 2021). Independent security researchers and NGOs have also tracked Iran-linked phishing and credential-harvesting campaigns against journalists, researchers, and political targets across multiple years (Human Rights Watch reporting, Dec. 2022).

That pattern matters for 2024. Iran is practiced at

  • reconnaissance at scale: scanning public-facing sites and harvesting exposed documents, then using that intelligence to craft targeted lures;
  • credential theft: credential-phishing and fake login pages to capture passwords and 2FA codes;
  • account compromise for intelligence collection: accessing emails, calendars, cloud drives and contact lists; and
  • hack-and-leak or hack-and-propaganda operations: selectively releasing stolen materials to shape media narratives or to sow confusion and distrust.

All of these are low-cost, high-return activities for a state sponsor that wants to influence perception rather than physically disrupt infrastructure.

What this means for the Trump campaign — and every campaign

As of today there have been public, documented Iranian operations aimed at U.S. election-related targets in prior cycles and ongoing Iranian phishing campaigns against high-profile targets (see sources). That historical behavior makes Iran a credible threat actor to any 2024 presidential campaign, Republican or Democrat. Campaigns are attractive targets because they house time-sensitive intelligence, opposition research, personnel who reuse personal accounts, and volunteers with weak security hygiene. If your campaign treats credential hygiene and account segmentation as optional, you are handing the adversary a cheap in.

Concrete threat scenarios to prepare for

1) Spear-phish through trusted intermediaries. Adversaries will compromise a lower-value, less-protected account (former advisor, vendor, third-party consultant) and use it to send a malicious link or document into an active campaign operation. The initial access vector looks mundane. The effect is not.

2) Compromise of personal email and cloud accounts. Many senior staff use personal accounts for nonpublic logistics. Attackers who harvest a Google or Microsoft account can plunder calendars, contact lists, and documents and then stage selective leaks timed to create maximum political damage.

3) Hack-and-dump tailored to media outlets or influencers. Stolen internal research or vetting memos can be parceled to sympathetic outlets or anonymous accounts to force a campaign to spend days in reactive damage control rather than running operations.

4) Influence sites and social amplification. Beyond direct hacking, Tehran-style operations have used fabricated websites and social networks to amplify polarizing content or to impersonate domestic actors and inflame turnout or doubt.

Hard, practical steps campaigns must take now

1) Assume breach. Operate on the presumption that some accounts will be compromised and design systems to limit blast radius.

2) Enforce enterprise email and lock down personal accounts. Require campaign staff to use managed, enterprise-grade email for all campaign business. Personal accounts must be banned for campaign communications that include strategy, donor data, or opposition research.

3) Mandatory strong authentication. Enforce hardware-based two-factor authentication for every account that touches the campaign (YubiKey-style or equivalent FIDO2 token). SMS codes and push-approval prompts are not sufficient for senior staff, because both can be captured or approved through the same fake login pages used in credential phishing.

4) Harden third-party relationships. Vendors and former advisers are frequent attack vectors. Require security baselines for vendors: MFA, endpoint protection, logging, and the least privilege needed to perform their work.

5) Limit data accumulation and centralize sensitive holdings. Reduce the volume of sensitive documents stored in places that are easily harvested. Centralize only what must be central, encrypt at rest, and audit access logs frequently.

6) Logging, detection, and rapid incident playbooks. Deploy centralized logging and make sure someone watches it 24/7. Define a rapid incident response playbook with pre-authorized contacts at the FBI and CISA and a communications plan that avoids knee-jerk public finger-pointing.

7) Pre-burn exercises and red teams. Test breach scenarios with tabletop exercises. Run red-team phishing campaigns and follow up with mandatory remediation training for staff who fall for simulated lures.

8) Coordinated disclosure policies. Create a protocol for how the campaign will handle stolen information: who reviews it, who talks to journalists, and how to coordinate with law enforcement without amplifying the leak.

9) Vet media outreach. Train communications staff to treat unsolicited documents and anonymous emails as likely hostile. Verify with independent channels and avoid replying to unknown senders.

10) Public-private engagement. Share indicators of compromise with CISA and the FBI and accept assistance. Public-private intelligence sharing reduces the adversary’s window of operation.

Final assessment

Iran has demonstrated the capability and intent to run influence operations tied to U.S. elections. The tools it uses are not exotic: phishing, credential harvesting, account compromise, and fake news sites. Those same tools are the cheapest ways to extract intelligence or produce political disruption. For any campaign, the ask is simple and unromantic: treat security like campaign operations, not an afterthought. Lock down accounts, segment access, assume breach, and practice your response. The cost of doing these basics is small compared with the political and operational price of being reactive when a hostile actor starts parceling out stolen materials to the press and to social amplifiers. If you want to win in 2024, do not give adversaries cheap wins.