If the internet is a digital Wild West, it’s time to lock your doors and close your windows. While the amount of cyber attackers and activity alone is alarming, in this episode, the featured villain is a hacker group backed by the Iranian government.
In a blog post published Thursday, Google’s Threat Analysis Group, also known as TAG, revealed that it had sent more than 50,000 warnings to users whose accounts had been targeted by government-backed hacker groups carrying out phishing and malware campaigns so far this year. Receiving a warning does not necessarily mean your Google account has been hacked — Google does manage to stop some of the attacks — but rather that the company has identified you as a target.
Google stated that this amounted to a nearly 33% increase when compared to the same time last year and attributed the activity to a large campaign launched by the Russian-sponsored group Fancy Bear, which U.S. and UK security agencies found had been on a worldwide password guessing spree since at least mid-2019, according to a report published in July.
Russia’s not alone though. More than 50 countries have hacker groups working “on any given day,” Google explained.
“We intentionally send these warnings in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track our defence strategies,” Google said. “On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings.”
While that statistic alone is mind-boggling, the company also put a spotlight on APT35, a cyber attacker backed by Iran that has hijacked accounts, deployed malware, and spied on users using “novel techniques” in recent years. In particular, Google highlighted four of the “most notable” APT35 campaigns it’s disrupted in 2021.
One of APT35’s regular activities is phishing for credentials of so-called high-value accounts, or those belonging to people in government, academia, journalism, NGOs, foreign policy, and national security. The group uses a technique in which it compromises a legitimate website and then deploys a phishing kit.
In early 2021, Google said APT35 used this technique to hijack a website affiliated with a UK university. The hackers then wrote emails to users on Gmail, Hotmail, and Yahoo with an invitation link to a fake webinar and even sent second-factor identification codes to targets’ devices.
As you may be able to infer, legitimacy appears to be important to APT35, so it’s no surprise that another one of its trademarks is impersonating conference officials to carry out phishing attacks.
This year, members of APT35 pretended to be representatives from the Munich Security and the Think-20 Italy conferences, which are actually real events. After sending a non-malicious first contact email, APT35 sent users who responded follow-up emails with phishing links.
APT35 has also carried out its evil deeds via apps. In May 2020, it attempted to upload a fake VPN app to the Google Play Store that was in fact spyware and could steal users’ call logs, text messages, contacts, and location data. Google said it detected the app and removed it from the Play Store before anyone installed it but added that APT35 had tried to distribute this spyware on other platforms as recently as July.
The group even misused Telegram for its phishing attacks, leveraging the messaging app’s API to create a bot that notified it when a user loaded one of its phishing pages. This tactic allowed the group to obtain device-based data in real-time of the users on the phishing site, such as IP, useragent, and locales. Google said it had reported the bot to Telegram and that the messaging app had taken steps to remove it.
Hats off to Google for publishing this valuable information — knowledge is power, especially in cybersecurity — but dang is it nerve-racking. Let’s be clear, nobody is entirely safe online, but there are things you can do to reduce the possibilities of being hacked, such as enacting two-factor authentication and using a security key.
You can check out our full guide of safe online practices here, or just, you know, never use anything with a screen ever again. The guide is probably easier. Your call, though.