
Iranian hacking group continues to target US citizens

APT35 used phishing attacks and uploaded spyware onto Google Play Store

An Iranian hacking group has been targeting US citizens and organizations since 2017 and doesn’t seem to be letting up, according to a new Google report.

Google's Threat Analysis Group said a state-backed Iranian group known as APT35 targeted high-value individuals in the US and elsewhere. The hackers, also known as Charming Kitten, Phosphorus, Ajax Security, and NewsBeef, have attacked high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security since 2017. 

APT35 is also one of the groups that tried to disrupt the 2020 US election cycle by targeting campaign staffers. 

The group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government, according to Google TAG team member Ajax Bash.

Earlier this year, the hackers compromised a website affiliated with a UK university to host a phishing kit.

“Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices,” said Bash.

Bash added that credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – “as they know it's difficult for users to detect this kind of attack”.

In May 2020, the team discovered that APT35 attempted to upload spyware to the Google Play Store. The app disguised itself as VPN software, but it could steal sensitive information such as call logs, text messages, contacts, and location data from devices if installed.

“Google detected the app quickly and removed it from the Play Store before any users had a chance to install it. Although Play Store users were protected, we are highlighting the app here as TAG has seen APT35 attempt to distribute this spyware on other platforms as recently as July 2021,” said Bash.

Among the most notable attacks by the Iranian hackers was the impersonation of conference officials to conduct phishing attacks. “Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence,” said Bash.


The hackers also used Telegram for operator notifications. The attackers embed JavaScript into their phishing pages that notifies them when a page has been loaded. The notification is sent through the Telegram Bot API sendMessage function, which lets anyone operating a Telegram bot post a message to a public channel.

“The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time. We reported the bot to Telegram, and they have taken action to remove it,” said Bash.
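The beacon described above leaves a recognisable trace: a web client fetching a Telegram Bot API URL of the form api.telegram.org/bot<token>/sendMessage. The following detection script is an added example, not from Google's report or the article; it runs over constructed proxy log lines (the log format and all tokens are made up) and flags sendMessage calls, grouping them by bot so a defender can see which bot collects visits from several clients while keeping the bot secret redacted.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample proxy log (not from the article). Space-separated fields:
# client_ip method url user_agent. Tokens are fake placeholders.
SAMPLE_LOG = """\
10.0.0.12 GET https://api.telegram.org/bot111111:FAKEtokenAAAAAAAAAAAAAAAAA/sendMessage?chat_id=-100555&text=loaded Mozilla/5.0
10.0.0.13 GET https://www.example.com/login.html Mozilla/5.0
10.0.0.14 POST https://api.telegram.org/bot111111:FAKEtokenAAAAAAAAAAAAAAAAA/sendMessage Mozilla/5.0
10.0.0.15 GET https://api.telegram.org/bot222222:FAKEtokenBBBBBBBBBBBBBBBBB/getMe curl/7.0
10.0.0.16 GET https://api.telegram.org/bot222222:FAKEtokenBBBBBBBBBBBBBBBBB/sendMessage Mozilla/5.0
"""

# Real Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)


def redact(bot_id: str, secret: str) -> str:
    """Keep the numeric bot id (safe to share) and hide most of the secret."""
    return f"{bot_id}:{secret[:4]}..."


def find_beacons(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per sendMessage call made by a browser-like client."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        client_ip, _method, url, user_agent = parts
        m = BOT_CALL.search(url)
        if not m or m.group("method") != "sendMessage":
            continue
        findings.append({
            "client_ip": client_ip,
            "bot": redact(m.group("bot_id"), m.group("secret")),
            "user_agent": user_agent,
        })
    return findings


def clients_per_bot(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count distinct clients beaconing to each bot; many clients on one bot is the phishing-page pattern."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["bot"]].add(f["client_ip"])
    return {bot: len(ips) for bot, ips in seen.items()}


if __name__ == "__main__":
    for bot, n in clients_per_bot(find_beacons(SAMPLE_LOG)).items():
        print(f"bot {bot}: sendMessage beacons from {n} distinct client(s)")
```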

This year, Google has warned over 50,000 account holders they may have been targeted by state-backed attempts to hack them using phishing or malware, a nearly 33% increase from this time in 2020. 
