If the internet is a digital Wild West, it’s time to lock
your doors and close your windows. While the number of cyber attackers and
the volume of their activity alone is alarming, in this episode, the featured villain is a hacker
group backed by the Iranian government.
In a blog
post published Thursday, Google’s Threat Analysis Group, also known as
TAG, revealed that it had sent more than 50,000 warnings to users whose
accounts had been targeted by government-backed hacker groups carrying out
phishing and malware campaigns so far this year. Receiving a warning does
not necessarily mean your Google account has been hacked (Google does manage to
stop some of the attacks) but rather that the company has identified you as a
target.
Google stated that this amounted to a nearly 33%
increase when compared to the same time last year and attributed the activity
to a large campaign launched by the Russian-sponsored group Fancy Bear,
which U.S. and UK security agencies found had been on a worldwide
password guessing spree since at least mid-2019, according to a report published
in July. Russia’s not alone though. More than 50 countries have hacker
groups working “on any given day,” Google explained.
“We intentionally send these
warnings in batches to all users who may be at risk, rather than at the moment
we detect the threat itself, so that attackers cannot track our defense
strategies,” Google said. “On any given day, TAG is tracking more than 270
targeted or government-backed attacker groups from more than 50 countries. This
means that there is typically more than one threat actor behind the warnings.”
While that statistic alone is mind-boggling, the company also
put a spotlight on APT35, a cyber attacker backed by Iran that has
hijacked accounts, deployed malware, and spied on users using “novel
techniques” in recent years. In particular, Google highlighted four of the
“most notable” APT35 campaigns it’s disrupted in 2021. One of APT35’s regular activities is phishing for the credentials
of so-called high-value accounts, or those belonging to people in government,
academia, journalism, NGOs, foreign policy, and national security. The
group uses a technique in which it compromises a legitimate website and then
deploys a phishing kit.
In early 2021, Google said APT35 used this technique to
hijack a website affiliated with a UK university. The hackers then
wrote emails to users on Gmail, Hotmail, and Yahoo with an invitation link
to a fake webinar and even sent second-factor identification codes to
targets’ devices.
As you may be able to infer, legitimacy appears to be
important to APT35, so it’s no surprise that another one of its trademarks
is impersonating conference officials to carry out phishing attacks. After sending a non-malicious first contact email, APT35 sent
follow-up emails containing phishing links to the users who responded. APT35 has also carried out its evil deeds via apps. In May
2020, it attempted to upload a fake VPN app to the Google Play Store that
was in fact spyware and could steal users’ call logs, text messages, contacts,
and location data. Google said it detected the app and removed it from the
Play Store before anyone installed it but added that APT35 had tried to
distribute this spyware on other platforms as recently as July.
The group even misused Telegram for its phishing attacks,
leveraging the messaging app’s API to create a bot that notified it when a user
loaded one of its phishing pages. This tactic allowed the group to obtain
device-based data in real time about the users on the phishing site, such as IP address, user
agent, and locales. Google said it had reported the bot to Telegram and that
the messaging app had taken steps to remove it. Hats off to Google for publishing this valuable information; knowledge
is power, especially in cyber-security, but dang is
it nerve-racking. Let’s be clear, nobody is entirely safe online, but
there are things you can do to reduce the possibilities of being hacked, such
as enacting two-factor authentication and using a security key.