Close this search box.

Cyber threat actors being tracked by Google revealed for 2021


Google has released the number of nation-state backed cyber threat actors it is currently tracking, and it isn’t pretty. It tracks some 270+ groups across some 50 nation states.

The Google Threat Analysis Group revealed last week the number of stated backed cyber threat actors it actively monitors.

The company revealed that its researchers are currently tracking more than 270 government-backed threat actors from 50 countries.

The figure includes groups engaged in both cyber-espionage operations, but also disinformation campaigns, Google said in the report.

On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings.

While that statistic alone is mind-boggling, the company also put a spotlight on APT35, an Iran-backed cyber threat actor. This group has hijacked accounts, deployed malware, and spied on users using “novel techniques” in recent years. More on that group below.

Google reveals phishing trends for 2021 – and what it does about them

When attacks performed by these groups include phishing emails, Google said it sends email alerts to the targeted Gmail users.

So far in 2021, Google has sent over 50,000 warnings to email addresses that have been the subject of a phishing attack.

Google also stated that this amounted to a nearly 33% increase when compared to the same time last year. This increase is attributable to a large campaign launched by the Russian-sponsored group Fancy Bear outfit. U.S. and UK agencies found that Fancy Bear had been on a worldwide password guessing spree since mid-2019.

Cyber threat actor group “APT35” gains notoriety

While analysts often note APT28 as the group to watch, Google said that another group was just as important: APT35.

Also known as “Charming Kitten”, APT 35, Newscaster, Ajax Security Team, Phosphorus, and Group 83, the group operates under the protection of the Iranian government.

“For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government,” a Google analyst said.

Past attacks included several phishing emails modelled around the Munich Security and the Think-20 (T20) Italy political conferences and the use of a spyware-infested VPN app uploaded on the Google Play Store.

The APT 35 Group operates under the protection of the Iranian government.
The APT 35 Group is understood to operate under the protection of the Iranian government

In 2021, the group hacked the website of the School of Oriental and African Studies (SOAS) at the University of London, and used it to host a phishing kit.

The group then went on to send email messages with links to the hacked site to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo.

APTs: The advanced sort of cyber threat actors

“APT” stands for “Advanced Persistent Threat”.

By definition, APT groups are advanced cyber actors using sophisticated techniques to target victims. 

Cyber threat actors conduct espionage operations to steal sensitive data, such as intellectual property or military intelligence, which can lead to significant competitive advantages in the geopolitical and economic spheres. In many cases, nation-states sponsor these groups to conduct operations.  

While nation-states can utilise cyber actors for various means, APT groups frequently engage in espionage activities, which are long running and stealthy.

COVID-19 and the cyber threat intelligence landscape  

As we have covered several times, the COVID-19 pandemic shaped every aspect of 2020, including the cyber threat landscape. 

Google noted in its update last week that COVID-19’s impacts have continued to drive the threat landscape.

Early on in the pandemic, cyber actors leveraged the fear, uncertainty, and doubt surrounding the virus to unleash phishing campaigns.

Since then, threat actors have leveraged the shift to remote working to target organisations by exploiting vulnerabilities in telework technologies. They have also exploited already strained bandwidths with Distributed Denial of Service (DDoS) attacks.

Finally, as the pandemic continued, health care providers were increasingly targeted, followed by vaccine-related research entities.

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235


Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →



Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution



A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →