Iran’s Revolutionary Guard has key role in state-backed hack surge, Google warns
Tech giant says Tehran group targeted campaign staffers in US 2020 election; used phishing attacks as well as trying to upload a malware app to Play Store
Google warned on Friday of a surge in state-backed hackers, with a report focusing on the “notable campaigns” of a group linked to Iran’s Revolutionary Guard Corps.
The search engine giant was the second tech firm in less than a week to issue a warning about Iranian hackers, with the report coming days after Microsoft said a group targeted Israeli and American defense technology, and also warned that Iran had increased its hacks on Israel fourfold in the past year.
Google said in a blogpost on Friday that an Iranian hacking group known as APT35, or “Charming Kitten,” was carrying out malware and phishing attacks in which the target was tricked into installing software or giving out personal information.
Iran’s Revolutionary Guard Corps was created after the 1979 Islamic Revolution and has an extensive intelligence apparatus as well as its own military forces.
“This is one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers,” wrote Ajax Bash, a member of the threat analysis team at Google. “For years this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government.”
The post warned that APT35 was targeting accounts in government, academia, journalism, NGOs, foreign policy and national security, and had been active since 2017.
The company said that APT35 used the compromised website of an unnamed British university to carry out a phishing attack, asking individuals to confirm their credentials and security information.
Additionally, the hackers used conference-themed phishing emails to try to get users to click on compromised links.
“Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence,” the search engine giant said.
Google said the hackers have also started using the sendMessage function of the Telegram messaging app’s API to gather details about unwitting visitors to their phishing sites.
In a separate instance, Google said that APT35 tried to upload a malware app to the Google Play store.
The tech giant said “the app was disguised as VPN software that, if installed, could steal sensitive information such as call logs, text messages, contacts, and location data from devices.”
The firm said the app was discovered and removed from the Play Store before it was downloaded and installed by any users.
Google said that in 2021 so far it had warned over 50,000 account-holders that they may have been targeted by state-backed attempts to hack them using phishing or malware.
“We intentionally send these warnings in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track our defense strategies,” Google explained.
In total, Google said the number of attempted hacks in 2021 had increased by a third compared to the same period, with the increase attributed to an “unusually large campaign” by the Russian group APT28, also known as “Fancy Bear.”
On Monday, Microsoft said that it had identified a group of Iranian hackers targeting Israeli and American defense technology companies using the tech giant’s products, as well as firms running maritime shipping in the Middle East.
The statement came as Israel and Iran have accused each other of attacks on ships in the Middle East, and amid reports of growing efforts by Tehran to avenge the death of its top nuclear scientist Mohsen Fakhrizadeh, killed last year.
In a blog post, Microsoft said it had first identified the hacker cell — nicknamed DEV-0343 — in July.
The company said the hackers carried out “extensive password spraying against more than 250 Office 365 tenants, with a focus on American and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.”
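As an added illustration of how a defender spots the password spraying described above (this is example code, not from the article, Google or Microsoft): spraying tries a few passwords against many accounts, so the signal is one source address producing failed sign-ins for many distinct users in a short window, unlike a brute-force attack hammering a single account. The sign-in records, field layout and thresholds below are constructed assumptions modelled on Office 365 sign-in logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, user, source IP, result).
# The field layout is an assumption, not a real Office 365 export.
SAMPLE_EVENTS = [
    ("2021-10-11T08:00:01Z", "alice@example.com", "203.0.113.5", "failure"),
    ("2021-10-11T08:00:09Z", "bob@example.com", "203.0.113.5", "failure"),
    ("2021-10-11T08:00:17Z", "carol@example.com", "203.0.113.5", "failure"),
    ("2021-10-11T08:00:25Z", "dave@example.com", "203.0.113.5", "failure"),
    ("2021-10-11T08:00:33Z", "erin@example.com", "203.0.113.5", "failure"),
    ("2021-10-11T08:00:41Z", "frank@example.com", "203.0.113.5", "success"),
    # One account hit repeatedly from one IP: brute force, not a spray.
    ("2021-10-11T09:10:00Z", "alice@example.com", "198.51.100.7", "failure"),
    ("2021-10-11T09:10:05Z", "alice@example.com", "198.51.100.7", "failure"),
    ("2021-10-11T09:10:10Z", "alice@example.com", "198.51.100.7", "failure"),
    # A normal user mistyping a password, then signing in successfully.
    ("2021-10-11T09:30:00Z", "bob@example.com", "192.0.2.9", "failure"),
    ("2021-10-11T09:30:20Z", "bob@example.com", "192.0.2.9", "success"),
]


def parse_event(ts, user, ip, result):
    """Normalise one record: ISO timestamp to datetime, user to lowercase."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result


def detect_password_spray(events, window_minutes=30, min_distinct_users=5):
    """Return {source_ip: sorted distinct users} for every source IP whose
    failed sign-ins touch at least min_distinct_users distinct accounts
    within any sliding window of window_minutes."""
    failures = defaultdict(list)
    for ts, user, ip, result in (parse_event(*e) for e in events):
        if result == "failure":          # successes never count toward a spray
            failures[ip].append((ts, user))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()                  # chronological order for the sliding window
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1               # drop attempts older than the window
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_distinct_users:
                alerts[ip] = sorted(users)
                break                    # one alert per source IP is enough
    return alerts


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_EVENTS))
```

Only 203.0.113.5 is flagged: the repeated failures against a single account from 198.51.100.7 and the typo from 192.0.2.9 do not fit the many-accounts pattern.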
Among the targets have been “defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems.”
“This activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran,” the statement said.
Microsoft said the hacking efforts could help Iran track “adversary security services and maritime shipping in the Middle East.”
Microsoft said on Sunday that Iran had increased its hacks on Israel fourfold in the past year.
“Microsoft detected an increased focus from a growing number of Iranian groups targeting Israeli entities… and with that focus came a string of ransomware attacks,” the company’s annual Digital Defense Report said.
Israel and Iran have been engaged in a years-long shadow war, with Israel allegedly directing most of its efforts — including multiple suspected cyberattacks — at sabotaging the Islamic Republic’s nuclear program.
Agencies contributed to this report.