This year, the Google Threat Analysis Group (TAG) has noticed an increase in government-sponsored hacking. According to the data revealed in the blog post, Google has sent over 50,000 warnings of phishing and malware attempts to account holders thus far in 2021. The number of people has increased by 33% from the same period last year.
APT35 operations dating back to 2014 have been found by FireEye. APT35, also known as the Newscaster Team, is an Iranian government-sponsored threat group that carries out long-term, resource-intensive operations to gather strategic intelligence. APT35 usually targets military, diplomatic, and government people in the United States and the Middle East, as well as organisations in the media, energy, and defense industrial base (DIB), as well as engineering, business services, and telecommunications.
Since 2017, APT35 has been targeting politicians, NGOs, government institutions, journalists, and academia under the names Ajax Security Team, Charming Kitten, and Phosphorus. During the 2020 elections, the group also attempted to target former US President Donald Trump's election campaign staff.
Charming Kitten made 2,700 attempts to gather information about targeted email accounts in a 30-day period between August and September 2019, according to Microsoft. There were 241 attacks and four compromised accounts as a result of this. Despite the fact that the initiative was allegedly directed at a presidential campaign in the United States, none of the stolen accounts had anything to do with the election. Microsoft did not say who was directly targeted, although Reuters later reported that it was Donald Trump's re-election campaign. The fact that only the Trump campaign utilized Microsoft Outlook as an email client backs up this claim.
"For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government," Google said.
Phishing attacks including malicious URLs are the most popular approach employed by APT35. APT35, for example, infiltrated a website affiliated with a UK university in early 2021. The group then set up a phishing kit on the website in order to collect user credentials and began sending out emails with a link to the site. The users were instructed to log in using the link provided in order to participate in a fictitious webinar.
APT35 also attempted to use the Google Play Store to distribute spyware disguised as a VPN client. If the app is installed on the phone, it can gather SMS and call records, as well as location data and contacts. The attempt was thwarted when Google removed the app from the Play Store.
