Iranian Hackers Continue Waging Attacks, Google Warns - Science Techniz


Iranian Hackers Continue Waging Attacks, Google Warns


APT 35, Newscaster Team and hacking concept / FireEye.
An Iranian hacking group that targeted a U.S. presidential campaign in last year’s election has continued to wage widespread attacks, using an evolving list of tactics to dupe victims into clicking on malicious links. 

Known variously as APT35, Phosphorus, Charming Kitten and Ajax Security Team, the hacking group has for years “hijacked accounts, deployed malware and used novel techniques to conduct espionage aligned with the interests of the Iranian government,” according to a blog posted Thursday by Google’s Threat Analysis Group.

FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long-term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and the engineering, business services and telecommunications sectors.

Reference board chart / FireEye.
One technique the group has used since 2017 is hosting phishing links on a compromised website to convince victims to click them. In early 2021, for instance, APT35 sent email messages with links to a fake website where users were instructed to activate an invitation to a webinar by logging in, an attempt to harvest credentials for platforms such as Gmail and Yahoo!, according to Google.

Officials at SOAS University of London didn’t respond to requests for comment. In a statement in July, the university said the hackers “created gmail accounts to pretend to be academics and created a dummy site to seek to collect data from people they were targeting.” The fake site wasn’t placed on the university’s website but rather on that of SOAS Radio, an independent radio station and production company based at the university. “There was no suggestion of breach of cybersecurity by any SOAS staff.”

APT35 also attempted last year to upload spyware to the Google Play Store, an app disguised as VPN software that could have stolen sensitive information such as call logs, text messages and location data from devices, according to the blog. Google detected it and removed it before any users had a chance to install it. APT35 has attempted to install the spyware on other platforms as recently as July 2021, according to the blog.

The hackers also posed as conference officials to trick victims into downloading malicious code. They used the Munich Security and Think-20 Italy conferences as lures, first sending a harmless email to get users to respond and then following up with phishing links in follow-on correspondence, according to Google. While high volumes of attacks have continued, the success rate of APT35 has declined as Google learns more about the campaign, Huntley said.
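The two lure patterns the article describes, a webinar invitation that asks the recipient to log in on a site outside the sender's domain, and a harmless first email followed by a link-carrying follow-up, can both be turned into mail-triage heuristics. The following is an added example written for this page, not code from Google, FireEye or the campaign itself; the message thread, the `.test` domains and the word lists are constructed for illustration, and the registrable-domain helper is a deliberate simplification of what a production filter would do with the public suffix list.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Vocabulary for the lures the article describes: a webinar/conference invitation
# that asks the recipient to log in. Constructed word lists, not a vendor signature.
LURE_WORDS = ("webinar", "invitation", "conference", "activate", "register")
LOGIN_WORDS = ("log in", "login", "sign in", "password", "credential")


@dataclass
class Message:
    """One email in a thread, already parsed (constructed for this example)."""
    sender: str                                 # From address
    subject: str
    body: str
    links: list = field(default_factory=list)   # URLs extracted from the body


def registrable(host: str) -> str:
    """Crude registrable-domain reduction: keep the last two DNS labels.
    Good enough for the constructed .test domains below; a real deployment
    would consult the public suffix list instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def login_lure_reasons(msg: Message) -> list:
    """Return reasons a single message looks like the webinar-login credential
    lure: invitation wording, a request to log in, and a link whose registrable
    domain differs from the sender's."""
    text = f"{msg.subject} {msg.body}".lower()
    has_lure = any(w in text for w in LURE_WORDS)
    has_login = any(w in text for w in LOGIN_WORDS)
    sender_dom = registrable(msg.sender.rsplit("@", 1)[-1])
    off_domain = [
        u for u in msg.links
        if registrable(urlparse(u).hostname or "") != sender_dom
    ]
    if has_lure and has_login and off_domain:
        return [f"login lure pointing off-domain: {', '.join(off_domain)}"]
    return []


def two_stage_senders(thread: list) -> list:
    """Flag senders whose first message in the thread carried no link and whose
    later message introduces one: the benign-opener-then-phish pattern."""
    first_had_link = {}
    flagged = []
    for idx, msg in enumerate(thread):
        s = msg.sender.lower()
        if s not in first_had_link:
            first_had_link[s] = bool(msg.links)
        elif not first_had_link[s] and msg.links:
            flagged.append((idx, s))
    return flagged


def analyze(thread: list) -> dict:
    """Run both checks over a time-ordered thread; returns message index -> reasons."""
    findings = {}
    for idx, msg in enumerate(thread):
        reasons = login_lure_reasons(msg)
        if reasons:
            findings.setdefault(idx, []).extend(reasons)
    for idx, s in two_stage_senders(thread):
        findings.setdefault(idx, []).append(
            f"link appears only after a link-free opener from {s}")
    return findings


# Constructed sample thread: the .test domains and addresses are placeholders.
SAMPLE_THREAD = [
    Message("events@example-uni.test", "Quick question about your research",
            "Would you be willing to join a panel discussion next month?"),
    Message("events@example-uni.test", "Webinar invitation",
            "Please log in to activate your invitation to the webinar.",
            ["https://radio.example-media.test/webinar/login"]),
    Message("newsletter@example-uni.test", "Campus webinar this Friday",
            "Programme and speakers are listed on our events page.",
            ["https://example-uni.test/events"]),
]

if __name__ == "__main__":
    for idx, reasons in sorted(analyze(SAMPLE_THREAD).items()):
        print(idx, SAMPLE_THREAD[idx].subject, "->", "; ".join(reasons))
```

Only the second message is flagged, and it is flagged by both rules: it asks for a login on a host outside the sender's domain, and it is the first link-bearing message from a sender whose opener contained no link. The third message shares the "webinar" wording but points to the sender's own domain and asks for no login, so it passes; this is the kind of separation a triage rule needs so that legitimate event mail does not drown the alerts.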

In June 2020, Google said its Threat Analysis Group had detected phishing attacks from APT35 targeting the campaign staff of then President Donald Trump.