The Surge Of State-Back Hacks Are Related To Iran’s Revolutionary Guard, Said Google And Microsoft


Espionage and stealing sensitive information, to creating damage and crippling infrastructures and government agencies don't require physical presence or face-to-face confrontation.

Using the internet as the medium, experienced hackers that are backed with enough resources can cause more damage to targets in a small timeframe, than what many field personnel can ever do.

And this time, Google said that Iran's Revolutionary Guard has an influential role in state-back hacking surge.

According to Google in a blog post, an Iranian hacking group known as APT35, or “Charming Kitten,” was found carrying out malware and phishing attacks in which targets were tricked into installing software to give out sensitive information.

Google warned that APT35 was targeting accounts in government, academia, journalism, NGOs, foreign policy and national security, and that it has done that since 2017.


According to Ajax Bash, a member of Google's Threat Analysis Group:

"This is the one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers. For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government."

"One of the most notable characteristics of APT35 is their impersonation of conference officials to conduct phishing attacks. Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence."

Google also said that the state-backed hackers are also using Telegram API's sendMessage to gather details of unwitting visitors to their phishing sites.

Google also said that APT35 has tried to upload a malware app to the Google Play store, saying that "the app was disguised as VPN software that, if installed, could steal sensitive information such as call logs, text messages, contacts, and location data from devices."

The company added that the app was discovered and removed from the Play Store before it was downloaded and installed by any Android users.

“We intentionally send these warnings in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track our defense strategies,” Google explained.

In total, Google said the number of attempted hacks in 2021 had increased dramatically, with the increase attributed to an “unusually large campaign” by the Russian group APT28, or also known as “Fancy Bear.”

Google said that in 2021 so far, it had warned more than 50,000 account-holders, telling them that they may have been targeted by state-backed hacks through phishing attacks or malware.

Before Google's report, Microsoft also said that an Iranian hacking group managed to target Israeli and American defense technology.

On its own blog post, company warned that Iran has increased its hacks on Israel fourfold in 2021, if compared to 2020.

Microsoft identified a group of Iranian hackers have been using Microsoft's products to target defense technology companies, that include "defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems."

The hackers do this using "extensive password spraying against more than 250 Office 365 tenants."

The hackers also target "Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East," because the efforts could help Iran track “adversary security services and maritime shipping in the Middle East.”

"This activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran," the statement said.

Mohsen Fakhrizadeh
Mohsen Fakhrizadeh, Iran's nuclear scientist (right, and the a black Nissan Teana he was in when he was assassinated (left)

The statement from Microsoft came as Israel and Iran have accused each other of attacks on ships in the Middle East, and amid reports of growing efforts by Iran's capital Tehran to avenge the death of its top nuclear physicist and scientist Mohsen Fakhrizadeh, who was killed in 2020.

Fakhrizadeh was regarded as the chief of Iran's nuclear program.

Due to his connection to Iran's nuclear weapons program, Iran has accused the Israeli government with the knowledge and support of the U.S. government, for assassinating Fakhrizadeh in a road ambush in the city of Absard on 27 November 2020.

At that time, Fakhrizadeh was travelling with his wife, with a convoy of three armored vehicles, and eleven bodyguards.

Fakhrizadeh died from inflicted gunshot wounds.

Iran’s Revolutionary Guard Corps was founded after the 1979 Islamic Revolution, by order of Ayatollah Ruhollah Khomeini.

As a branch of the Iranian Armed Forces, it has an extensive intelligence apparatus as well as forces.

Whereas the Iranian Army defends Iranian borders and maintains internal order, the Revolutionary Guard is to protect the country's Islamic republic political system. And this includes protecting the Islamic system in the country, as well as preventing foreign interference and coups by the military or "deviant movements".

At this time, Iran's Islamic Revolutionary Guard Corps is designated as a terrorist organization by the governments of Bahrain, Saudi Arabia and the United States.