Google has warned of a surge in activity by government-backed hackers this year, including attacks from an Iranian group whose targets included a UK university.
The search group said that so far in 2021 it had sent more than 50,000 warnings to account holders that they had been a target of government-backed phishing or malware attempts. This represents an increase of a third on the same period last year, Google said in a blogpost, with the rise attributed to an “unusually large campaign” by a Russian hacking group known as APT28, or Fancy Bear.
However, the Google post focused on a group linked to Iran’s Revolutionary Guards, known as APT35, or Charming Kitten, which regularly conducts phishing attacks – where, for instance, an email is used to trick someone into handing over sensitive information or to install malware.
“This is the one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers,” wrote Ajax Bash, from Google’s threat analysis group. “For years this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government.”
In one attack in early 2021, APT35 attacked a website affiliated with a UK university using a tried and tested technique: directing users to a compromised webpage where they were encouraged to log in via their email service provider – Gmail, Hotmail or Yahoo for instance – in order to view a webinar. Users were also asked for second-factor authentication codes, which go straight to APT35.
Google did not name the UK university but in July it was reported that the School of Oriental and African Studies (Soas), University of London, had been targeted by APT35 in early 2021. The attack started with a fake email from a Soas academic inviting people to a webinar, starting a chain of interactions that led to a dummy page on the university’s radio website that tricked the phishing victims into handing over their email user names and passwords. Soas said in July the attack had not accessed personal information or data.
“Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these … peripheral systems,” Soas said.
Referring to the UK university attack, Bash said: “APT35 has relied on this technique since 2017 – targeting high-value accounts in government, academia, journalism, NGOs, foreign policy and national security. Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – as they know it’s difficult for users to detect this kind of attack.”
The blogpost details other forms of attack by APT35. These include: attempting to upload spyware to the Google Play store, where Android phone users can buy apps; impersonating conference officials to conduct phishing attacks; and using a bot on the Telegram messaging service to notify when users have entered a phishing site, although Google said Telegram had since tackled that ruse.