Iranian hacking group continues to target US citizens


An Iranian hacking group has been targeting US citizens and organizations since 2017 and doesn’t seem to be letting up, according to a new Google report.

Google's Threat Analysis Group said a state-backed Iranian group known as APT35 targeted high-value individuals in the US and elsewhere. The hackers, also known as Charming Kitten, Phosphorus, Ajax Security, and NewsBeef, have attacked high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security since 2017.

APT35 is also one of the groups that tried to disrupt the 2020 US election cycle by targeting campaign staffers.

The group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government, according to Google TAG team member Ajax Bash.

Earlier this year, the hackers compromised a website affiliated with a UK university to host a phishing kit.

“Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices,” said Bash.

Bash added that credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – “as they know it's difficult for users to detect this kind of attack”.

In May 2020, the team discovered that APT35 attempted to upload spyware to the Google Play Store. The app disguised itself as VPN software, but it could steal sensitive information such as call logs, text messages, contacts, and location data from devices if installed.

“Google detected the app quickly and removed it from the Play Store before any users had a chance to install it. Although Play Store users were protected, we are highlighting the app here as TAG has seen APT35 attempt to distribute this spyware on other platforms as recently as July 2021,” said Bash.

Among the most notable attacks by the Iranian hackers was the impersonation of conference officials to conduct phishing attacks. “Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence,” said Bash.


The hackers also used Telegram for operator notifications. The attackers embed JavaScript into phishing pages that notifies them when the page has been loaded. To send the notification, they use the Telegram API's sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel.

“The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time. We reported the bot to Telegram, and they have taken action to remove it,” said Bash.
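For defenders, the page-load notification described above leaves a trace: the visitor's own browser calls the Telegram Bot API. The following sketch is an added example, not code from Google TAG or from the article; it scans web proxy logs for such calls, and the log format, hostnames, addresses and bot tokens in it are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Bot API URLs have the form https://api.telegram.org/bot<id>:<secret>/<method>;
# method names are case-insensitive, so match without regard to case.
BOT_CALL = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/sendMessage$", re.IGNORECASE)
TELEGRAM_SITES = ("telegram.org", "t.me")

# Constructed sample lines in an assumed proxy log format:
# timestamp client_ip method url referer
SAMPLE_LOG = """\
2021-10-14T09:12:01Z 10.0.4.17 GET https://api.telegram.org/bot123456789:AAExampleTokenConstructed000/sendMessage?chat_id=@example&text=hit https://webinar.example.edu/invite/
2021-10-14T09:12:05Z 10.0.4.17 GET https://mail.example.com/inbox -
2021-10-14T09:13:40Z 10.0.9.3 POST https://API.telegram.org/bot987654321:BBExampleTokenConstructed111/SENDMESSAGE -
2021-10-14T09:15:02Z 10.0.2.8 GET https://core.telegram.org/bots/api https://telegram.org/
"""

def _is_telegram(host):
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_SITES)

def find_telegram_beacons(log_text):
    """Return one finding per Bot API sendMessage call not referred by Telegram."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or truncated lines
        ts, client, _method, url, referer = parts
        target = urlsplit(url)
        if (target.hostname or "") != "api.telegram.org":
            continue
        match = BOT_CALL.match(target.path)
        if not match:
            continue
        # The Referer may be absent ("-") when a referrer policy strips it.
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if ref_host and _is_telegram(ref_host):
            continue
        # Report only the numeric bot id; the secret half of the token is dropped.
        findings.append({"time": ts, "client": client,
                         "bot_id": match.group(1), "referring_host": ref_host})
    return findings

if __name__ == "__main__":
    for finding in find_telegram_beacons(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for triage rather than proof of phishing: the referring host is the page to inspect, and the client address is the user who may have been shown it.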

This year, Google has warned over 50,000 account holders they may have been targeted by state-backed attempts to hack them using phishing or malware, a nearly 33% increase from this time in 2020.

Rene Millman
