Google’s Threat Analysis Group (TAG) is warning high-risk groups that there has been a surge in activity by government-backed hacking campaigns, up 33% so far this year over the same time period in 2020, according to a blog post.
TAG has sent more than 50,000 warnings to account holders targeted by government-backed phishing or malware attempts. The increase is due in part to a campaign by a Russian hacking group known as APT28, or Fancy Bear, as well as from Iran’s Revolutionary Guards, known as APT35, or Charming Kitten.
TAG tracks fraudsters involved in disinformation campaigns, government-backed hacking and financially motivated abuse, and sends people a warning if it’s discovered that their account was targeted.
“We intentionally send these warnings in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track our defense strategies,” Google TAG team member Ajax Bash said in the post.
On an average day, TAG tracks over 270 groups from more than 50 countries, usually with more than one hacker involved in a single warning. Thousands of warnings are sent to people each month.
The Iranian group APT35 goes after high-risk users on a regular basis using phishing campaigns. The group was disrupted by TAG during the 2020 U.S. election period, when it was targeting the accounts of campaign staffers.
“For years, this group has hijacked accounts, deployed malware and used novel techniques to conduct espionage aligned with the interests of the Iranian government,” Bash said.
If someone receives a warning, it doesn’t mean their account was attacked. Instead, it’s meant to serve as a warning that the user was identified as a target. Warnings are sent even if TAG intercepted the attack.
Other attacks this year by APT35 include spyware being uploaded to the Google Play store; officials being impersonated for phishing attacks, Telegram bots sending phishing links in public forums, and hijacking a university website in the U.K. with a phishing kit.