
Google warns of continued attacks from Iranian hackers

Hacking group APT35 has 'hijacked accounts, deployed malware' in attacks 'aligned with the interests of the Iranian government', tech giant says
Last year, Google said the Iranian hacking group attempted to upload spyware to the Google Play Store (AFP/File photo)
Washington

Google has warned that it has seen a surge in activity by government-backed hackers and issued particular concern at an Iranian group that attacked a British university earlier this year.

The tech giant said in a blog post that so far in 2021, it sent 50,000 warnings to account holders that they had been a target of government-backed phishing or malware attempts. The number is a 33 percent increase from last year.

It also highlighted APT35, also known as Phosphorus, Charming Kitten and Ajax Security team, a hacking group that has for years "hijacked accounts, deployed malware and used novel techniques to conduct espionage aligned with the interests of the Iranian government", Google's Threat Analysis Group said.


"This is one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers."

In early 2021, APT35 compromised a UK university-affiliated website using a technique it had been practising for years. It emailed targets a link to the fake site, where they were directed to click on an invitation to a webinar and log in with their email accounts; the hackers used the login form in an attempt to harvest those email credentials.

The blog post did not reveal the identity of the university. However, a hacking operation attributed to APT35 in July reportedly targeted London's School of Oriental and African Studies (SOAS).

SOAS said that no personal information was collected and its own data systems were not touched.

"Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these sort of peripheral systems," SOAS said in a statement.

"APT35 has relied on this technique since 2017 – targeting high-value accounts in government, academia, journalism, NGOs, foreign policy and national security," Google said.

"Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – as they know it's difficult for users to detect this kind of attack."

Phishing and spyware

In addition to the university attack, Google noted a number of other operations conducted by APT35.

Last year, it said the Iranian hacking group attempted to upload spyware to the Google Play Store. APT35 tried to introduce an app disguised as VPN software that could have stolen sensitive information such as call logs, text messages and location data from devices, according to the blog.

Google said it detected the app and removed it before any users had a chance to install it. However, APT35 went on to attempt to distribute the spyware on other platforms, as recently as July 2021.

The hackers also posed as officials at the Munich Security and Think20 Italy conferences to trick victims into downloading malicious code, and used a Telegram bot to notify themselves whenever a user visited one of their phishing websites. Google said it reported the bot to Telegram, which has since removed it.

Earlier this week, Microsoft said Iran-linked hackers targeted dozens of defence technology and maritime transportation firms - both American and Israeli - in an attack that "supports the national interests" of Tehran.

Thursday's blog post by Google comes just days after it announced the creation of a cybersecurity programme that would be aimed at preventing cyberattacks against governments and companies.

"Cybersecurity is at the top of every C-level and board agenda, given the increasing prominence of software supply chain exploits, ransomware, and other attacks," Thomas Kurian, CEO of Google Cloud, said in a statement.