15 October 2021

Google says it tracks over 270 state-backed threat actors from over 50 countries

The Google Threat Analysis Group (TAG) said that it is tracking more than 270 government-backed hacker groups from over 50 countries, involved in disinformation campaigns, cyber-espionage, or financially motivated cybercrime.

In a new blog post TAG’s Ajax Bash revealed that so far in 2021 the team sent over 50,000 warnings of state-sponsored phishing or malware attempts to customers. This marks a 33% increase from the same period in 2020, largely due to blocking “an unusually large campaign” from a Russia-linked threat actor known as APT28 or Fancy Bear.

One of the most notable campaigns disrupted by TAG this year was orchestrated by Iranian threat actor APT35 (aka Charming Kitten, Phosphorous, or Newscaster), known for its phishing attacks targeting high-risk users.

Some previous attacks of the group involved the use of compromised websites to host a phishing kit that allowed them to collect credentials for platforms such as Gmail, Hotmail, and Yahoo, as well as a malicious VPN app uploaded to the Google Play Store that, when installed, could be leveraged to steal sensitive information such as call logs, text messages, contacts, and location data from the infected devices.

The group also adopted a novel technique that uses Telegram for operator notifications.

“The attackers embed JavaScript into phishing pages that notify them when the page has been loaded. To send the notification, they use the Telegram API sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel. The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time. We reported the bot to Telegram and they have taken action to remove it,” TAG explained.
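From a defender's side, the beacon TAG describes leaves a distinctive trace: a victim's browser calls the Telegram Bot API sendMessage endpoint while the page it is viewing (the Referer) is not Telegram. The example below is added here and is not TAG's or Google's code; it scans constructed web-proxy log lines in an assumed `client_ip method url referer` format, flags such calls, and keeps only the numeric bot id (enough to report the bot, as TAG did) together with the target chat_id.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API URL shape referenced in the quoted TAG description:
# https://api.telegram.org/bot<token>/<method>
TELEGRAM_BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)"
)


@dataclass
class Beacon:
    client_ip: str      # victim browser that fired the notification
    referer: str        # page that embedded the beacon (the phishing site)
    bot_id: str         # numeric bot id only; the secret half is discarded
    chat_id: Optional[str]


def scan_proxy_line(line: str) -> Optional[Beacon]:
    """Flag a sendMessage call whose Referer is a page outside telegram.org."""
    parts = line.split(" ", 3)  # assumed format: client_ip method url referer
    if len(parts) != 4:
        return None
    client_ip, _http_method, url, referer = parts
    match = TELEGRAM_BOT_CALL.search(url)
    if not match or match.group("method") != "sendMessage":
        return None  # other bot methods (getUpdates, ...) are not page beacons
    ref_host = urlsplit(referer).hostname
    if not ref_host or ref_host.endswith("telegram.org"):
        return None  # no Referer or Telegram's own web client: nothing to flag
    chat_id = parse_qs(urlsplit(url).query).get("chat_id", [None])[0]
    bot_id = match.group("token").split(":", 1)[0]  # never store the secret
    return Beacon(client_ip, referer, bot_id, chat_id)


def scan_log(text: str) -> List[Beacon]:
    return [b for b in (scan_proxy_line(l) for l in text.splitlines()) if b]


# Constructed sample log; the token secret and domains are placeholders.
PROXY_LOG = """\
10.0.0.5 GET https://api.telegram.org/bot123456789:PLACEHOLDER_SECRET/sendMessage?chat_id=-1001234&text=page+loaded https://login-example.invalid/signin.html
10.0.0.7 GET https://api.telegram.org/bot123456789:PLACEHOLDER_SECRET/getUpdates https://example.invalid/
10.0.0.8 GET https://www.example.invalid/index.html -
"""

if __name__ == "__main__":
    for beacon in scan_log(PROXY_LOG):
        print(beacon)
```

Pages served with a restrictive Referrer-Policy will not carry a Referer, so treat a missing Referer as an inconclusive rather than a clean result and correlate with the page the client loaded immediately before.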

“For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government,” Bash said.
