Google warns of a surge in phishing attacks against government-backed hackers


Google has warned of a surge in activity by government-backed hackers this year, including attacks by a group linked to Iran that targeted a UK university.

The search group said that it has sent more than 50,000 warnings to account holders that they had been the target of government-backed phishing or malware attempts so far in 2021. This represents an increase of a third on the same period last year, Google said in a blogpost, with the rise attributed to an unusually large campaign by a Russian hacking group called APT 28, or Fancy Bear.

The Google post focused, however, on a group connected to Iran's Revolutionary Guards, known as APT 35, or Charming Kitten, which regularly conducts phishing attacks in which, for example, an email is used to trick someone into handing over sensitive information or installing malware.

"This is one of the groups that our organization disrupted during the 2020 campaign cycle for its targeting of campaign staffers," wrote Ajax Bash from Google's threat analysis group. "For years this group has hijacked accounts, deployed malware and used novel techniques to conduct espionage aligned with the interests of the Iranian government." Users were also asked for second-factor authentication codes, which go straight to APT 35.

Google did not name the UK university, but in July it was reported that the School of Oriental and African Studies (Soas), University of London, was targeted by APT 35 in early 2021. The attack started with a fake email from a Soas academic inviting people to a webinar, beginning a chain of interactions that led to a fake page on the university radio website that tricked the phishing victims into changing their password and/or phone numbers. Soas said in July that the attack had not accessed personal information or data.

"Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these peripheral systems," Soas said.

Referring to the UK university attack, Bash said: "APT 35 has relied on this technique since 2017, targeting high-value accounts in government, academia, journalism, NGOs, foreign policy and national security. Credential phishing through a compromised website proves these attackers will go to great lengths to appear legitimate, as they know this kind of attack is difficult for users to detect."

The blogpost details other forms of attack by APT 35. These include: attempting to download spyware from the Google Play Store, where Android phone users can buy apps; impersonating conference officials to conduct phishing attacks; and using a bot on the Telegram messaging service to tell the attackers when users have entered a phishing site, although Google has since come to realize that Microsoft addressed that ruse.
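As an added example (not from the article, Google's blogpost or Soas), the Python script below shows one defensive check the Soas case suggests: periodically scanning an organisation's own peripheral web pages, such as a student radio site, for password or one-time-code fields, and alerting when such a form posts to a host other than the allowlisted login service. The hostnames, page contents and the `LEGIT_AUTH_HOSTS` allowlist are constructed for the demo; a real deployment would feed it the output of a crawler.

```python
"""Flag pages on an organisation's own web properties that carry credential forms.

Added example, not code from the article or from Google. The allowlist and the
sample pages are constructed; in practice the pages would come from a crawl of
the organisation's peripheral sites.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed allowlist: the only hosts that may legitimately receive credentials.
LEGIT_AUTH_HOSTS = {"login.example.ac.uk"}

# Input names that suggest a password or second-factor prompt.
SENSITIVE_NAMES = {"password", "passwd", "pass", "otp", "mfa", "code", "token", "2fa"}


class CredentialFormParser(HTMLParser):
    """Collect every form (and any loose inputs) that asks for a credential."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: {"action_host": str|None, "fields": [..]}
        self._current = None   # form currently being parsed, if any
        self._orphan = None    # pseudo-form for inputs outside any <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page so we can compare hosts.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action_host": urlparse(action).hostname or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if itype == "password" or name in SENSITIVE_NAMES:
                if self._current is None:
                    # Script-submitted inputs have no form action; host unknown.
                    if self._orphan is None:
                        self._orphan = {"action_host": None, "fields": []}
                        self.forms.append(self._orphan)
                    self._orphan["fields"].append(name or itype)
                else:
                    self._current["fields"].append(name or itype)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_page(page_url, html):
    """Return a list of findings for one page; an empty list means nothing suspicious."""
    parser = CredentialFormParser(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["fields"]:
            continue  # ordinary form (search box etc.)
        host = form["action_host"]
        if host is None:
            reason = "credential field outside any form (likely script-submitted)"
        elif host not in LEGIT_AUTH_HOSTS:
            reason = f"credential form posts to non-allowlisted host {host!r}"
        else:
            continue  # posts to the real login service
        findings.append({"url": page_url, "fields": form["fields"], "reason": reason})
    return findings


def scan_site(pages):
    """Map page URL -> findings for every page that produced at least one finding."""
    return {url: f for url, html in pages.items() if (f := scan_page(url, html))}


# Constructed sample crawl: a normal page, a planted credential page that posts
# off-site, a script-submitted password prompt, and the real login service.
PAGES = {
    "https://radio.example.ac.uk/news/":
        "<html><body><h1>Show schedule</h1><form action='/search'>"
        "<input name='q'></form></body></html>",
    "https://radio.example.ac.uk/account/":
        "<form method='post' action='https://mail-update.example.net/submit'>"
        "<input name='username'><input type='password' name='password'>"
        "<input name='code' placeholder='SMS code'></form>",
    "https://radio.example.ac.uk/login/":
        "<input type='password' id='pw'><script>/* submits via fetch */</script>",
    "https://login.example.ac.uk/":
        "<form action='/authenticate' method='post'><input name='username'>"
        "<input type='password' name='password'></form>",
}

if __name__ == "__main__":
    for url, findings in scan_site(PAGES).items():
        for f in findings:
            print(f"{url}: {f['reason']} (fields: {', '.join(f['fields'])})")
```

The check is deliberately coarse: it treats any password or one-time-code field on a peripheral site as worth a human look unless the form clearly posts to the allowlisted login host, and it flags script-submitted inputs as unknown rather than assuming they are benign. It does not defend against the second-factor relay described above; that needs phishing-resistant MFA (for example, FIDO2 security keys bound to the real origin) rather than page scanning.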