Google cyber-threat arm exposes Tehran’s online espionage

  • An Iranian government-aligned group tried throughout 2021 to steal the personal information and passwords of notable individuals across Europe and the US
  • Iran set to continue on the same cyber-espionage path despite the exposure of their tactics, expert tells Arab News

Tech giant Google has exposed how Iranian-backed groups attempt to use its platforms to carry out espionage on behalf of the government in Tehran.

In a blog post released on Thursday, Google’s Threat Analysis Group exposed the work of APT35, a shady hacking group that Google said is linked to the Iranian government.

Ajax Bash, of TAG, said: “This is one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers. For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government.”

APT35 “regularly conducts phishing campaigns targeting high risk users,” Bash said.

In one instance, he said, Iranian hackers targeted lecturers from a British university – the School of Oriental and African Studies (SOAS) in London – and impersonated them in an attempt to trick others in the academic community into divulging their personal information and passwords. This form of cyber espionage is called credential phishing.

“APT35 has relied on this technique since 2017 – targeting high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security,” said Bash.

“Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – as they know it’s difficult for users to detect this kind of attack.

“One of the most notable characteristics of APT35 is their impersonation of conference officials to conduct phishing attacks,” said Bash. He explained that Iranian-backed operatives impersonated officials from the Munich Security Conference and an Italian think-tank to steal passwords and information.

Amin Sabeti, the founder of Digital Impact Lab and an Iran-focused cyber security professional, told Arab News that Google’s blog exposes how Iran continues to build on its national cyber security strategy.

“This report shows again that Iranian state-backed hackers are very good in social engineering and they have improved their technique,” he said.

“For example, using a legitimate website to convince the target to enter the credential details of their online account is something new that we didn’t see a few years ago.”

Sabeti also said that, despite Google unmasking Iran’s cyber-espionage activity, it is unlikely that they will change their strategy entirely.

“I think we will see the same techniques but with new ideas.”

Google’s Bash said: “We warn users when we suspect a government-backed threat like APT35 is targeting them. Thousands of these warnings are sent every month, even in cases where the corresponding attack is blocked.

“Threat Analysis Group will continue to identify bad actors and share relevant information with others in the industry, with the goal of bringing awareness to these issues, protecting you and fighting bad actors to prevent future attacks.”