The internet increasingly resembles a battlefield, and it might be time to take cover. While the total volume of cyber-attacks is troubling, the main adversary in this story is a hacking group backed by the Iranian government.
Google's Threat Analysis Group, commonly known as TAG, said in a recent blog post that it has sent more than 50,000 warnings this year to users whose accounts were targeted by government-backed hacking groups carrying out phishing and malware attacks. Receiving a warning does not necessarily mean that the Google account has been compromised, only that the company has identified the user as a target.
According to Google, that is a nearly 33 percent increase over the same period last year, and the spike was largely driven by a large campaign run by the Russian group known as Fancy Bear (APT28). U.S. and UK security agencies have found that the group has been running brute-force password attacks since 2019.
However, it is not only Russia. Google says that government-backed hacking groups are active in more than 50 countries every day. To keep attackers from inferring Google's defensive tactics, TAG deliberately sends these alerts in batches to all users who may be at risk, rather than at the moment a threat is detected. TAG tracks more than 270 targeted or government-backed attacker groups from over 50 countries, so a batch of alerts usually reflects the activity of more than one threat actor.
The company also highlighted APT35, an Iranian-linked group that in recent years has hijacked accounts, distributed malware, and spied on targets using novel techniques. Google described four notable APT35 campaigns it disrupted in 2021.
Phishing for the credentials of high-value accounts, such as those belonging to people in government, academia, journalism, NGOs, foreign policy, and national security, is one of APT35's standard operations. The group's method is to compromise a legitimate website first and then host its phishing kit there.
Google reported that in early 2021 APT35 compromised a website affiliated with a UK institution in exactly this way. The attackers then emailed Gmail, Hotmail, and Yahoo users an invitation link to a fake online event, and the phishing kit also prompted targets for the second-factor authentication codes sent to their devices. Credibility matters to APT35, so it is no surprise that one of its hallmarks is impersonating conference officials in phishing lures.
This year, APT35 members posed as officials from the Munich Security Conference and the Think-20 Italy summit, both of which are legitimate events. The group first sent a benign, non-malicious email and followed up with links to phishing websites only to the users who responded.
APT35 has also used mobile apps to carry out its operations. In May 2020 it tried to publish a fake VPN app in the Google Play Store; the app was spyware able to steal call logs, text messages, contacts, and location data. Google says it detected and removed the app from the Play Store before anyone installed it, but it also notes that APT35 tried to distribute the same malware on other platforms in July 2021.
The group has even used Telegram in its phishing operations, calling the messaging app's Bot API to notify itself whenever a victim visited one of its phishing pages.
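A compromised web server that hosts a phishing kit of this kind has to make an outbound request to the Telegram Bot API every time a victim lands on the page, and a legitimate web tier rarely has any reason to talk to that API at all. The following is an added example, not code from Google's report or from APT35's kit: it scans egress-proxy log lines for calls of the form `https://api.telegram.org/bot<token>/<method>`, which is the Bot API's real URL layout. The log format, the host names, and the bot tokens are constructed for the example; real tokens have the shape `<numeric id>:<secret>`, and the secret length the regex requires is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample egress-proxy log lines (not from Google's report).
# Assumed format: "<timestamp> <source host> <method> <url>".
SAMPLE_LOG = """\
2021-10-14T09:12:01Z web01 GET https://api.telegram.org/bot123456789:AAHexampleTokenExample_abcdefghijklm/sendMessage?chat_id=-1001234567890&text=visitor
2021-10-14T09:12:07Z web01 GET https://fonts.googleapis.com/css
2021-10-14T09:13:44Z web02 POST https://api.telegram.org/bot987654321:AAGanotherExampleTokenValue_0123456789/sendMessage
2021-10-14T09:15:00Z web01 GET https://telegram.org/faq
"""

# Bot API paths look like /bot<id>:<secret>/<method>. The 30-character minimum
# for the secret is an assumption chosen to avoid matching short junk paths.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)")


def find_telegram_bot_calls(log_text):
    """Return one record per request to the Telegram Bot API.

    Only the numeric bot id is kept, not the secret half of the token, so the
    alert itself does not re-log the attacker's credential. Plain visits to
    telegram.org (or other hosts) are ignored.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the scan
        ts, host, _http_method, url = parts
        u = urlparse(url)
        if u.hostname != "api.telegram.org":
            continue
        m = BOT_PATH.match(u.path)
        if not m:
            continue
        bot_id, _secret, api_method = m.groups()
        hits.append({"time": ts, "host": host, "bot_id": bot_id, "method": api_method})
    return hits


if __name__ == "__main__":
    for hit in find_telegram_bot_calls(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} -> Telegram bot {hit['bot_id']} {hit['method']}")
```

Two of the four constructed lines are flagged (both `sendMessage` calls); the visit to `telegram.org/faq` is not, because it never touches the Bot API host. In practice the source host is the useful pivot: any web server in the list is a candidate for a defaced or compromised site hosting a kit, and the bot id can be handed to Telegram for takedown without pasting the full token into a ticket.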