Tech giant Google has exposed how Iranian-backed groups attempt to use its platforms to carry out espionage on behalf of the government in Tehran.
In a blog post released on Thursday, Google’s Threat Analysis Group exposed the work of APT35, a shady hacking group that Google said is linked to the Iranian government.
Ajax Bash, of TAG, said: “This is the one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers. For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government.”
APT35 “regularly conducts phishing campaigns targeting high risk users,” Bash said.
In one instance, he said, Iranian hackers targeted lecturers from a British university — the School of Oriental and African Studies (SOAS) in London — and impersonated them in an attempt to trick others in the academic community into divulging their personal information and passwords. This form of cyber espionage is called credential phishing.
“APT35 has relied on this technique since 2017 — targeting high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security,” said Bash.
“Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate — as they know it’s difficult for users to detect this kind of attack.
“One of the most notable characteristics of APT35 is their impersonation of conference officials to conduct phishing attacks,” said Bash. He explained that Iranian-backed operatives impersonated officials from the Munich Security Conference and an Italian think-tank to steal passwords and information.
Amin Sabeti, the founder of Digital Impact Lab and an Iran-focused cyber security professional, told Arab News that Google’s blog exposes how Iran continues to build on its national cyber security strategy.
“This report shows again that Iranian state-backed hackers are very good in social engineering and they have improved their technique,” he said.
“For example, using a legitimate website to convince the target to enter the credential details of their online account is something new that we didn’t see a few years ago.”
Sabeti also said that, despite Google unmasking Iran’s cyber-espionage activity, it is unlikely that they will change their strategy entirely.
“I think we will see the same techniques but with new ideas.”
Google’s Bash said: “We warn users when we suspect a government-backed threat like APT35 is targeting them. Thousands of these warnings are sent every month, even in cases where the corresponding attack is blocked.
“Threat Analysis Group will continue to identify bad actors and share relevant information with others in the industry, with the goal of bringing awareness to these issues, protecting you and fighting bad actors to prevent future attacks.”