Google warns of surge in activity by state-backed hackers

More than 50,000 alerts sent so far this year, including warnings about an Iranian group that targeted a UK university

Google has warned of a surge in activity by government-backed hackers this year, including attacks from an Iranian group whose targets included a UK university.

The search group said that so far in 2021 it had sent more than 50,000 warnings to account holders that they had been a target of government-backed phishing or malware attempts. This represents an increase of a third on the same period last year, Google said in a blogpost, with the rise attributed to an “unusually large campaign” by a Russian hacking group known as APT28, or Fancy Bear.

However, the Google post focused on a group linked to Iran’s Revolutionary Guards, known as APT35, or Charming Kitten, which regularly conducts phishing attacks – where, for instance, an email is used to trick someone into handing over sensitive information or to install malware.

“This is one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers,” wrote Ajax Bash, from Google’s threat analysis group. “For years this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government.”

In one attack in early 2021, APT35 attacked a website affiliated with a UK university using a tried and tested technique: directing users to a compromised webpage where they were encouraged to log in via their email service provider – Gmail, Hotmail or Yahoo for instance – in order to view a webinar. Users were also asked for second-factor authentication codes, which go straight to APT35.

Google did not name the UK university but in July it was reported that the School of Oriental and African Studies (Soas), University of London, had been targeted by APT35 in early 2021. The attack started with a fake email from a Soas academic inviting people to a webinar, starting a chain of interactions that led to a dummy page on the university’s radio website that tricked the phishing victims into handing over their email user names and passwords. Soas said in July the attack had not accessed personal information or data.

“Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these … peripheral systems,” Soas said.

Referring to the UK university attack, Bash said: “APT35 has relied on this technique since 2017 – targeting high-value accounts in government, academia, journalism, NGOs, foreign policy and national security. Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – as they know it’s difficult for users to detect this kind of attack.”

The blogpost details other forms of attack by APT35. These include: attempting to upload spyware to the Google Play store, where Android phone users can buy apps; impersonating conference officials to conduct phishing attacks; and using a bot on the Telegram messaging service to notify the attackers when users have entered a phishing site, although Google said Telegram had since tackled that ruse.

Contributor: Dan Milmo, Global technology editor

The Guardian
