Government-backed Hacking

25th October 2021, Kathmandu

Google has stated that it has sent over 50,000 warnings to those whose accounts have been the target of government-backed phishing or malware attempts so far in 2021, representing a nearly 33% increase from this time last year.

The company stated that it sends these warnings in batches to all users at risk rather than immediately when the threat is detected so that attackers cannot track defense strategies.

According to a blog post, Google’s Threat Analysis Group (TAG) is warning high-risk groups that there has been a surge in activity by government-backed hacking campaigns, up 33 percent so far this year in contrast to the same period in 2020.

TAG has issued over 50,000 warnings to account holders who have been targeted by government-sponsored phishing or malware attacks. The rise is partly due to a campaign by the Russian hacking group APT28, or Fancy Bear, and the Revolutionary Guards of Iran, known as APT35 or Charming Kitten.

TAG monitors fraudsters involved in disinformation campaigns, government-sponsored hacking, and financially motivated abuse, and notifies users if their account has been targeted. “TAG monitors over 270 targeted or government-backed attacker groups from over 50 countries on any given day. This means that the warnings are usually the result of more than one threat,” the company stated in a blog post.

According to the blog post, some of the most notable campaigns disrupted by the company this year came from a different government-backed attacker – APT35 – an Iranian group that regularly conducts phishing campaigns targeting high-risk users.

“For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct spying aligned with the Iranian government’s interests,” Bash said.

If a user receives a warning, this does not imply that their account has been compromised. It is instead intended to serve as a warning that the user has been identified as a target. Even if TAG intercepts the attack, warnings are sent.

Google discovered APT35 attempting to upload spyware to the Google Play Store in May of last year.

The app was disguised as VPN software. If installed, it could steal sensitive information from the device, such as call logs, text messages, contacts, and location data. Google quickly identified the app and removed it from the Play Store before any users could install it. The group's other techniques include impersonating officials for phishing attacks and using Telegram bots to send phishing links in public channels.

APT35 compromised a website affiliated with a UK university in early 2021 to host a phishing kit. Attackers sent email messages containing links to this website to collect credentials for platforms such as Gmail, Hotmail, and Yahoo.

APT35 members pretended to be representatives from the Munich Security and Think-20 Italy conferences, both real events. Following a non-malicious initial contact email, APT35 sent users who responded with follow-up emails containing phishing links.

Users were instructed to log in to activate an invitation to a (fake) webinar. The phishing kit would also request second-factor authentication codes, which were sent to the user's devices.

Since 2017, APT35 has used this technique to target high-value accounts in government, academia, journalism, non-governmental organizations (NGOs), foreign policy, and national security.

Credential phishing via a compromised website demonstrates that attackers will go to great lengths to appear legitimate, knowing that users will find it difficult to detect this type of attack. The group even abused Telegram for its phishing attacks, using the messaging app’s API to build a bot that alerted it when a user visited one of its phishing pages.

This tactic allowed the group to obtain device-based data from users on the phishing site in real-time, such as IP addresses, user agents, and locales. Google stated that it had reported the bot to Telegram, which had taken steps to remove it.

Kudos to Google for making this valuable information available—knowledge is power, especially in cybersecurity—but it’s nerve-racking. To be clear, no one is completely safe online, but there are steps you can take to reduce your chances of being hacked, such as implementing two-factor authentication and using a security key.
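Why a security key holds up where a phished second-factor code does not: the kit described above relays a one-time code that is valid for any page, whereas a WebAuthn assertion is signed over the origin the browser actually visited, so the real site rejects it. The following is an added illustration, not code from Google or TAG; the relying party, origins and secrets are constructed, and an HMAC stands in for the key's asymmetric signature.

```python
import base64, hashlib, hmac, json, os, struct, time

# Constructed example: a hypothetical relying party that accepts a TOTP code or a
# WebAuthn-style assertion, and a phishing kit that relays whatever the victim hands it.
RP_ID = "accounts.example"
REAL_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://accounts-example.invalid"   # constructed look-alike domain
OTP_SECRET = os.urandom(20)                         # secret behind the victim's 2FA app
CRED_SECRET = os.urandom(32)                        # stand-in for the security key's credential key

def totp(secret, now):
    """RFC 6238 TOTP: 30-second step, 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // 30), "sha1").digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000)

def rp_verify_otp(code, now):
    return hmac.compare_digest(totp(OTP_SECRET, now), code)

def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def authenticator_assert(challenge, page_origin):
    """Browser + key: the browser writes the visited origin into clientData and the key
    signs over it (HMAC stands in here for the key's real asymmetric signature)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"     # rpIdHash || flags (UP)
    sig = hmac.new(CRED_SECRET, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify_assertion(a, expected_challenge):
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN:
        return False                  # origin binding: a relayed phishing assertion fails here
    if cd.get("challenge") != b64url(expected_challenge):
        return False                  # a replayed assertion fails here
    msg = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    return hmac.compare_digest(hmac.new(CRED_SECRET, msg, "sha256").digest(), a["sig"])

def kit_relays_otp():
    """Victim types the app's code into the phishing page; the kit submits it to the real site
    in the same 30-second window. Nothing ties the code to a page, so it is accepted."""
    now = time.time()
    return rp_verify_otp(totp(OTP_SECRET, now), now)

def kit_relays_webauthn():
    """The kit forwards the real challenge, but the assertion is bound to the phishing origin."""
    challenge = os.urandom(32)
    return rp_verify_assertion(authenticator_assert(challenge, PHISH_ORIGIN), challenge)
```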
