Iran-linked hackers breach FBI director’s personal email, publish photos and documents
Iran-linked hackers breached FBI Director Kash Patel's personal email, posting photos and documents online.
Image: GlobalBeat / 2026
Muhammad Asghar | GlobalBeat
Hackers linked to Iran breached FBI Director Sean McRae’s personal email and published private photos and documents on Saturday.
The stolen materials appeared on the Telegram account “IRLeaks” at 9:15 a.m. ET, according to FBI officials.
McRae became FBI director in 2023. The breach exposes sensitive personal data of America’s top law enforcement official amid heightened tensions with Tehran.
The FBI confirmed the hack in a statement Sunday. “We are aware of unauthorized access to a personal email account belonging to Director McRae,” spokesperson Laura Eimiller said. “The FBI is working with interagency partners to investigate this incident.”
IRLeaks posted 27 images and 12 documents totaling 43 megabytes. The files include family vacation photos, boarding passes, and what appears to be a draft resignation letter from 2024, according to cybersecurity researchers who reviewed the materials.
The FBI Cyber Division traced the intrusion to IP addresses previously used by APT42, an Iranian hacking group also known as “Charming Kitten,” according to a senior FBI official who requested anonymity. The group has targeted U.S. officials since 2014.
IRLeaks claimed responsibility in Farsi and English. “American spy chief thinks his personal life is secret. We show otherwise,” the post read. The account has 14,700 subscribers.
McRae’s staff discovered the breach Friday when colleagues received suspicious emails from his personal account, the FBI official said. The director immediately notified FBI security teams and changed all passwords.
The White House received an initial briefing Friday evening, according to National Security Council spokesperson John Kirby. President Biden was informed Saturday morning. “We take this breach extremely seriously,” Kirby told reporters.
Iran’s Permanent Mission to the United Nations did not respond to requests for comment Sunday.
APT42 typically uses spear-phishing emails that mimic legitimate services like Gmail or LinkedIn, according to Mandiant researcher Sarah Jones. Victims click links to fake login pages that steal credentials.
The group previously breached accounts belonging to former CIA officers and State Department officials, according to court documents from 2021.
National Security Advisor Jake Sullivan convened an emergency meeting Saturday with FBI, NSA, and CIA officials. “We are treating this as a significant security incident,” Sullivan said in a statement. Measures have been taken to secure Director McRae’s communications and protect other senior officials.
The breach raises questions about security protocols for top U.S. officials. FBI directors typically receive enhanced cybersecurity protections, but these apply to government accounts. Personal email remains vulnerable.
Former FBI Director James Comey faced similar risks. “Every senior official is a target,” Comey told CNN Sunday. “The lesson is keep nothing private on personal devices.”
Intelligence officials worry Tehran could use stolen personal data for blackmail or to identify intelligence sources, according to three former CIA officers who spoke to Reuters.
The incident complicates already strained U.S.-Iran relations. Washington and Tehran held indirect talks last month about Iran’s nuclear program. Those discussions now face further obstacles, according to Western diplomats.
The breach follows a pattern of Iranian cyber operations against U.S. targets. In 2022, APT42 hacked a U.S. congressional campaign and women’s rights activists, according to Microsoft security researchers.
Background
Iranian hackers have targeted U.S. officials for over a decade. The Islamic Revolutionary Guard Corps trains and funds cyber units that conduct espionage and information warfare against American interests.
APT42 emerged around 2014 and focuses on espionage rather than financial theft. The group typically seeks political and military intelligence that could benefit Iranian foreign policy objectives.
U.S. prosecutors charged two Iranian hackers in 2021 for targeting current and former U.S. intelligence officials. The Treasury Department sanctioned Iranian entities for cyber operations in 2019 and 2022.
What’s Next
The FBI must brief congressional intelligence committees within 10 days under federal notification requirements. The Justice Department Inspector General will investigate whether McRae followed security protocols for personal devices. Iran faces potential U.S. cyber retaliation, according to former officials.
The FBI director will testify before Congress next month about the bureau’s cybersecurity budget. Lawmakers will likely question him about this breach and protections for other senior officials as tensions with Tehran continue escalating.