When the Iranian hacker group APT35 wants to know whether one of its digital lures has been bitten, all it has to do is check Telegram. When someone visits one of the lookalike sites the group has created, a message appears on a public channel on the messaging service, describing the potential victim’s IP address, location, device, browser, and more. It is not a push message; it’s a phish message.
Google’s Threat Analysis Group outlined the new technique as part of a broader look at APT35, also known as Charming Kitten, a state-sponsored group that has spent years getting high-value targets to click the wrong link and cough up their credentials. And while APT35 is not the most successful or sophisticated threat on the international stage – it is, after all, the same group that accidentally leaked hours of video of itself hacking – its use of Telegram stands out as an innovative wrinkle that can pay dividends.
The group uses a variety of approaches to get people onto its phishing sites in the first place. Google outlined a few scenarios it has observed recently: the compromise of a UK university website, a fake VPN app that briefly slipped into the Google Play Store, phishing emails in which the hackers pose as real conference organizers, and attempts to snare targets through malicious PDF files, Dropbox links, websites, and more.
In the case of the university website, the hackers direct potential victims to the compromised page, which prompts them to log in with their service provider of choice – everything from Gmail to Facebook to AOL is offered – in order to watch a webinar. If you enter your credentials, they go directly to APT35, which also asks for your two-factor authentication code. It is a technique so old it has whiskers on it; APT35 has been running it since 2017 to target people in government, academia, national security, and more.
The fake VPN is not very innovative either, and Google says it removed the app from its store before anyone had time to download it. Had someone taken the bait, however – or installed it on another platform where it is still available – the spyware could have stolen call logs, texts, location data, and contacts.
Honestly, APT35 is not exactly overperforming. Although it has convincingly impersonated officials of the Munich Security Conference and Think-20 Italy in recent years, that too is straight out of Phishing 101. “This is a very prolific group that has a broad objective, but the broad objective is not representative of the level of success the actor has,” says Ajax Bash, security engineer at Google TAG. “Their success rate is actually very low.”