For some years now, Google has been issuing direct personal warnings to users that appear to have been targeted by a state-sponsored hacking group. The company has taken the unusual step of issuing a general public warning about one of these groups via its blog, due to a large-scale campaign targeting academics and international conference attendees.
Google warns that Advanced Persistent Threat Group 35 (APT35), thought to be associated with the Iranian government, has been active with phishing emails targeting specific groups as well as the placement of spyware apps on the Google Play Store.
Iranian state-sponsored hacking group’s flurry of activity prompts Google warning
Google’s Threat Analysis Group is responsible for warning users of state-sponsored hacking attempts on their Gmail or G Suite accounts. APT35, a group that Google says it disrupted in 2020 due to its attempts at election interference by phishing the accounts of campaign staffers, has apparently been so busy in 2021 that a general warning to all of its product users is merited.
One element of this state-sponsored hacking campaign is the use of a United Kingdom university that was compromised with a phishing kit (the School of Oriental and African Studies at the University of London). Google says that APT35 leveraged this phishing kit to harvest credentials from quite a number of email accounts, under the ruse of an invitation to attend a webinar hosted by the school that required university credentials to log in. Google notes that APT35 has been observed using this same technique for about five years, generally using it to compromise government agencies and private businesses that might have valuable information. The attacks are thorough, asking victims to enter secondary authentication codes in addition to their usernames and passwords.
APT35 has also attempted to get at least one poisoned app listed on the Google Play store. The group created a fake VPN app that would intercept call logs, text messages, contacts, and location data once installed. Google says that it detected the malicious app in May 2020 and has protected Android users from it, but that the state-sponsored hackers were attempting to get it listed on “other platforms” as recently as July of this year.
The state-sponsored hacking campaign also included having hackers pose as officials of international conferences that were actually happening at the time. The attackers falsely represented themselves as members of the Munich Security and the Think-20 (T20) Italy conferences to initiate conversation with potential attendees that was initially harmless. When the targets responded, the attackers would follow up with emails containing phishing links.
APT35 also used Telegram, one of the most popular alternatives to Facebook’s messaging apps due to its encryption and reputation for security, as a component. It was able to monitor visits to its phishing sites in real time via the messaging platform, with a bot making use of the Telegram API sendMessage function to post updates to a public channel, giving the attackers insight into the IP addresses, user agents, and locales of targets that had clicked through a malicious link. Google says that it has notified Telegram of the bot and that it has since been removed.
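A defender-side detection for the Telegram reporting channel described above, written as an added example rather than code from Google’s post: it scans outbound web-proxy logs from web hosts for calls to the Telegram Bot API sendMessage endpoint and pulls out the visitor fields a kit would report. The log format, host names, bot tokens and visitor values are all constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed egress-proxy log lines (not from Google's report): one web host
# reporting a visitor to a Telegram bot, plus benign and non-sendMessage traffic.
SAMPLE_LOG = """\
2021-10-14T09:12:03Z webhost-01 GET https://api.telegram.org/bot123456789:EXAMPLE-TOKEN/sendMessage?chat_id=-100111&text=ip%3D203.0.113.7%20ua%3DMozilla%2F5.0%20locale%3Den-GB 200
2021-10-14T09:12:05Z webhost-01 GET https://www.example.edu/webinar/login 200
2021-10-14T09:13:41Z webhost-02 POST https://api.telegram.org/bot987654321:EXAMPLE-TOKEN2/sendMessage 200
2021-10-14T09:14:00Z webhost-01 GET https://api.telegram.org/bot123456789:EXAMPLE-TOKEN/getUpdates 200
"""

# Assumed log layout: timestamp, source host, HTTP method, full URL, status code.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
# Telegram Bot API paths look like /bot<token>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)$")


def redact_token(token: str) -> str:
    """Keep only the numeric bot id so alerts can be correlated without storing the secret."""
    return f"{token.split(':', 1)[0]}:<redacted>"


def extract_field(text: str, key: str):
    """Pull a key=value pair out of the decoded message text, or None if absent."""
    m = re.search(rf"\b{key}=(\S+)", text)
    return m.group(1) if m else None


def find_telegram_beacons(log_text: str) -> list:
    """Return one finding per request from a web host to the Bot API sendMessage endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        url = urlparse(m["url"])
        if url.hostname != "api.telegram.org":
            continue
        p = BOT_PATH_RE.match(url.path)
        if not p or p["method"] != "sendMessage":
            continue  # other bot methods from a web host also merit review
        qs = parse_qs(url.query)          # percent-decodes the text parameter
        text = qs.get("text", [""])[0]
        findings.append({
            "ts": m["ts"], "host": m["host"],
            "bot": redact_token(p["token"]),
            "chat_id": qs.get("chat_id", [""])[0],
            "victim_ip": extract_field(text, "ip"),
            "user_agent": extract_field(text, "ua"),
            "locale": extract_field(text, "locale"),
        })
    return findings
```

A web host that has no business messaging Telegram is the signal; the parsed fields only help scope which visitors were exposed once the host is confirmed compromised.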
While APT35 is the focus of this particular warning, it is far from the only state-sponsored hacking group that civilians may cross paths with. Google says that it tracks more than 270 of these groups originating from 50 countries. Google TAG analyst Ajax Bash says that the group has sent out 50,000 warnings to potential targets thus far in 2021, already a 33% increase from the count in 2020.
The government of Iran has denied any involvement in state-sponsored hacking. Mandiant’s FireEye tied the group to Iran in 2017 based on details of its attacks and indictments of several of its members.
APT35 keeps threat analysts busy in 2021
In the world of state-sponsored hacking, China and Russia are kings. The second tier, groups that are less sophisticated but very active and substantially dangerous, includes Iran’s threat actors. APT35 was initially considered unsophisticated when it was first identified, but has steadily grown in capability over the years. The group is best known for breaching HBO and leaking television episode scripts, and for targeting the email addresses of Donald Trump campaign staffers in 2020.
The group appears to be stepping up both the quality and the number of its attacks this year. Edward Roberts, VP of Marketing of Neosec, notes that the attempts have a focus on exploiting vulnerable APIs: “This attack follows the trend that attacks are typically a sequence of tactics employed by the hacker. Increasingly, with the ubiquitous adoption of APIs by organizations, it is no surprise that APIs are one of the tactics used in these sophisticated attacks. We expect APIs to increasingly become the focus for bad actors.”
Google provides direct warnings to users of its services that it believes are being targeted by state-sponsored hacking; a notification does not mean that an account has been breached, but more likely means that an attempt has been recognized and stopped by Google’s automated defenses. The company suggests that all users enable two-factor authentication as a strong added layer of security, and those who are likely targets of state-sponsored hacking should consider enrolling in the Advanced Protection Program (which limits some account features in exchange for improved security).