Google says its Threat Analysis Group of cybersecurity researchers is tracking new activity of an Iranian hacking group that uses novel techniques to steal credentials of high value targets in government and other related sectors.
In a new blog, Google says it has sent over 50,000 security warnings to its customers this year, an increase of nearly a third, which it attributes to state-backed actions of Russia and Iran. However, the company singled out one Iranian threat actor, which it calls APT35.
Google calls APT35 an Iranian hacking group that targets high-risk users in adversary countries with phishing campaigns. One notable example was targeting of campaign staffers during the 2020 U.S. election cycle.
“For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government,” Google’s TAG said in a blog.
Other actions the group has taken this year include compromising a website affiliated with a UK university, which was used to host a phishing kit. The group sent email messages with links to this website to harvest credentials for services like Gmail, Hotmail and Yahoo, instructing users to activate an invitation to a fake webinar by logging in.
Read Next: The U.S. Government Is Getting Serious About Nation State Cybercrime
According to Google, the hackers attempted to bypass multi-factor authentication methods by having the phishing kit ask for second-factor authentication codes sent to devices,
Credential phishing through a compromised website demonstrates the lengths to which the attackers will go to appear legitimate, Google’s security team says.
The threat actors also attempted to upload a spyware app disguised as a VPN to the Google Play Store that could steal data from smartphones, including call logs, texts, contacts and location data. However, Google detected and removed the app before it was installed by any users.
APT35 also impersonate high-level conference officials to convince users to respond. After the first response, attackers send phishing links.
The group also uses Telegram for operator notifications, embedding javascript into phishing pages that notify them when the page has been loaded. To send notifications, the attackers use the Telegram API sendMessage function, which lets anyone use a Telegram not to send a message to a public channel, according to Google.
“The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time,” according to Google. “We reported the bot to Telegram and they have taken action to remove it.”
Users are urged to enable multi-factor authentication and enroll in Google’s Advanced Protection Program.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply