Google warns of surge in activity by state-backed hackers

More than 50,000 alerts sent so far this year, including of an Iranian group that targeted a UK university

Google has warned of a surge in activity by government-backed hackers this year, including attacks from an Iranian group whose targets included a UK university.

The search group said that so far in 2021 it had sent more than 50,000 warnings to account holders that they had been a target of government-backed phishing or malware attempts. This represents an increase of a third on the same period last year, Google said in a blogpost, with the rise attributed to an “unusually large campaign” by a Russian hacking group known as APT28, or Fancy Bear.

However, the Google post focused on a group linked to Iran’s Revolutionary Guards, known as APT35, or Charming Kitten, which regularly conducts phishing attacks – where, for instance, an email is used to trick someone into handing over sensitive information or to install malware.

“This is one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers,” wrote Ajax Bash, from Google’s threat analysis group. “For years this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government.”

In one attack in early 2021, APT35 attacked a website affiliated with a UK university using a tried and tested technique: directing users to a compromised webpage where they were encouraged to log in via their email service provider – Gmail, Hotmail or Yahoo for instance – in order to view a webinar. Users were also asked for second-factor authentication codes, which go straight to APT35.

Google did not name the UK university but in July it was reported that the School of Oriental and African Studies (Soas), University of London, had been targeted by APT35 in early 2021. The attack started with a fake email from a Soas academic inviting people to a webinar, starting a chain of interactions that led to a dummy page on the university’s radio website that tricked the phishing victims into handing over their email user names and passwords. Soas said in July the attack had not accessed personal information or data.

“Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these … peripheral systems,” Soas said.

Referring to the UK university attack, Bash said: “APT35 has relied on this technique since 2017 – targeting high-value accounts in government, academia, journalism, NGOs, foreign policy and national security. Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – as they know it’s difficult for users to detect this kind of attack.”

The blogpost details other forms of attack by APT35. These include: attempting to upload spyware to the Google Play store, where Android phone users can buy apps; impersonating conference officials to conduct phishing attacks; and using a bot on the Telegram messaging service to notify when users have entered a phishing site, although Google said Telegram had since tackled that ruse.


Dan Milmo Global technology editor

The GuardianTramp

Related Content

Article image
The Guardian view on internet security: complexity is vulnerable | Editorial
Editorial: A huge weakness in wifi security erodes online privacy. But the real challenge is designing with human shortcomings in mind


19, Oct, 2017 @6:39 PM

Article image
GCHQ warns of fresh threat from Chinese state-sponsored hackers
National Cyber Security Centre urges operators of critical national infrastructure to prevent hacks

Dan Milmo Global technology editor

25, May, 2023 @3:34 PM

Article image
Russian hackers want to ‘disrupt or destroy’ UK infrastructure, minister warns
Cabinet Office secretary, Oliver Dowden, to issue national alert and urge companies to boost cybersecurity

Dan Sabbagh Defence and security editor

18, Apr, 2023 @11:01 PM

Article image
Hostile states trying to steal coronavirus research, says UK agency
Experts say Russia, Iran and China likely to be behind cyber-attacks on universities

Jamie Grierson and Hannah Devlin

03, May, 2020 @3:12 PM

Article image
UK accuses Kremlin of ordering series of 'reckless' cyber-attacks
Foreign Office increases pressure on Russia after Skripal poisoning

Patrick Wintour Diplomatic editor

03, Oct, 2018 @11:01 PM

Article image
Cyberwarfare leaks show Russian army is adopting mindset of secret police
Documents leaked from Vulkan cybersecurity firm also raise questions about role of IT engineers behind information-control project

Andrei Soldatov

30, Mar, 2023 @3:00 PM

Article image
Boris Johnson to tell Russia to 'keep nose' out of European elections
British foreign secretary says Moscow must ‘show they can be trusted again’ amid fears it is meddling with democratic processes

Daniel Boffey in Brussels

06, Mar, 2017 @2:47 PM

Article image
‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics
Vulkan engineers have worked for Russian military and intelligence agencies to support hacking operations, prepare for attacks on infrastructure and spread disinformation

Luke Harding, Stiliyana Simeonova, Manisha Ganguly and Dan Sabbagh

30, Mar, 2023 @3:00 PM

Article image
UK ministers will no longer claim 'no successful examples' of Russian interference
Change of official line is first admission that Kremlin may have distorted UK elections

Dan Sabbagh

15, Mar, 2020 @12:00 PM

Article image
Russian hackers targeting opponents of Ukraine invasion, warns GCHQ chief
Russian operatives trying to escalate online conflict and seeking targets in countries opposing war, says Jeremy Fleming

Dan Sabbagh Defence and security editor

10, May, 2022 @8:58 AM