Iranian hacking group continues to target US citizens
APT35 used phishing attacks and uploaded spyware onto Google Play Store
Google's Threat Analysis Group said a state-backed Iranian group known as APT35 targeted high-value individuals in the US and elsewhere. The hackers, also known as Charming Kitten, Phosphorus, Ajax Security, and NewsBeef, have attacked high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security since 2017.
APT35 is also one of the groups that tried to disrupt the 2020 US election cycle by targeting campaign staffers.
The group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government, according to Google TAG team member Ajax Bash.
Earlier this year, the hackers compromised a website affiliated with a UK university to host a phishing kit.
“Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices,” said Bash.
Bash added that credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – “as they know it's difficult for users to detect this kind of attack”.
In May 2020, the team discovered that APT35 attempted to upload spyware to the Google Play Store. The app disguised itself as VPN software, but it could steal sensitive information such as call logs, text messages, contacts, and location data from devices if installed.
“Google detected the app quickly and removed it from the Play Store before any users had a chance to install it. Although Play Store users were protected, we are highlighting the app here as TAG has seen APT35 attempt to distribute this spyware on other platforms as recently as July 2021,” said Bash.
Among the most notable attacks by the Iranian hackers was the impersonation of conference officials to conduct phishing attacks. “Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence,” said Bash.
HP Wolf Security: Threat insights report
Equipping security teams with the knowledge to combat emerging threatsFree download
“The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time. We reported the bot to Telegram, and they have taken action to remove it,” said Bash.
This year, Google has warned over 50,000 account holders they may have been targeted by state-backed attempts to hack them using phishing or malware, a nearly 33% increase from this time in 2020.
Shining light on new 'cool' cloud technologies and their drawbacks
IONOS Cloud Up! Summit, Cloud Technology Session with Russell BarleyWatch now
Build mobile and web apps faster
Three proven tips to accelerate modern app developmentFree download
Reduce the carbon footprint of IT operations up to 88%
A carbon reduction opportunityFree Download
Comparing serverless and server-based technologies
Determining the total cost of ownershipFree download