Cyber threat actors being tracked by Google revealed for 2021

Google has released the number of nation-state-backed cyber threat actors it is currently tracking, and it isn’t pretty: more than 270 groups across some 50 nation states.

The Google Threat Analysis Group (TAG) revealed last week the number of state-backed cyber threat actors it actively monitors.

The company revealed that its researchers are currently tracking more than 270 government-backed threat actors from 50 countries.

The figure includes groups engaged both in cyber-espionage operations and in disinformation campaigns, Google said in the report.

On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings.

While that statistic alone is mind-boggling, the company also put a spotlight on APT35, an Iran-backed cyber threat actor. This group has hijacked accounts, deployed malware, and spied on users using “novel techniques” in recent years. More on that group below.

Google reveals phishing trends for 2021 – and what it does about them

When attacks performed by these groups include phishing emails, Google said it sends email alerts to the targeted Gmail users.

So far in 2021, Google has sent over 50,000 warnings to email addresses that have been the subject of a phishing attack.

Google also stated that this amounted to a nearly 33% increase compared with the same period last year. The increase is attributable to a large campaign launched by the Russian state-sponsored Fancy Bear outfit. U.S. and UK agencies found that Fancy Bear had been on a worldwide password-guessing spree since mid-2019.

Cyber threat actor group “APT35” gains notoriety

While analysts often note APT28 as the group to watch, Google said that another group was just as important: APT35.

Also known as “Charming Kitten”, Newscaster, Ajax Security Team, Phosphorus, and Group 83, the group operates under the protection of the Iranian government.

“For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government,” a Google analyst said.

Past attacks included several phishing emails modelled on the Munich Security Conference and the Think-20 (T20) Italy political conference, and the use of a spyware-laden VPN app uploaded to the Google Play Store.

The APT 35 Group operates under the protection of the Iranian government.

In 2021, the group hacked the website of the School of Oriental and African Studies (SOAS) at the University of London, and used it to host a phishing kit.

The group then went on to send email messages with links to the hacked site to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo.
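The SOAS incident above is the pattern where a trusted domain hosts the phishing kit, so a pure domain-reputation check passes the link. The following added example (not Google's or the article's code) applies the check a defender would add instead: does the link name a webmail brand while the host does not belong to that brand? The brand-to-domain table and the sample links are constructed assumptions; the hijacked domain is a placeholder.

```python
from urllib.parse import urlparse

# Webmail brands named in the article and the registrable domains that
# legitimately serve their sign-in pages (assumed list, not exhaustive).
BRAND_DOMAINS = {
    "gmail":   {"google.com"},
    "google":  {"google.com"},
    "hotmail": {"live.com", "microsoft.com"},
    "outlook": {"live.com", "microsoft.com"},
    "yahoo":   {"yahoo.com"},
}
# Words that typically appear in a credential-harvesting page's path or query.
LOGIN_WORDS = ("login", "signin", "sign-in", "auth", "verify", "account")

def is_own_host(host: str, domains: set) -> bool:
    """True if host is one of the brand's own domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def classify_link(url: str) -> dict:
    """Flag a link whose host or path names a webmail brand while the host does
    not belong to that brand: the shape of a phishing kit on a hijacked site."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    text = (parts.path + "?" + parts.query).lower()
    brand = next((b for b in BRAND_DOMAINS if b in host or b in text), None)
    if brand is None:
        return {"url": url, "brand": None, "verdict": "no-brand"}
    if is_own_host(host, BRAND_DOMAINS[brand]):
        return {"url": url, "brand": brand, "verdict": "legitimate-host"}
    login_like = any(w in text for w in LOGIN_WORDS)
    verdict = "brand-on-foreign-host-login" if login_like else "brand-on-foreign-host"
    return {"url": url, "brand": brand, "host": host, "verdict": verdict}

# Constructed sample links; compromised-university.example is a placeholder.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin/v2/identifier",
    "https://www.compromised-university.example/news/gmail/login.php?id=42",
    "http://compromised-university.example/yahoo-verify/index.html",
    "https://compromised-university.example/events/conference-agenda.pdf",
]

def triage(links):
    """One verdict per link, in order; the 'brand-on-foreign-host*' entries
    are the ones worth alerting on or sending to a sandbox."""
    return [classify_link(u) for u in links]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINKS):
        print(r["verdict"], r["url"])
```

The heuristic is deliberately coarse (substring matching on "auth" also hits "author"); it is a triage signal to pair with URL detonation, not a verdict on its own.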

APTs: The advanced sort of cyber threat actors

“APT” stands for “Advanced Persistent Threat”.

By definition, APT groups are advanced cyber actors using sophisticated techniques to target victims. 

Cyber threat actors conduct espionage operations to steal sensitive data, such as intellectual property or military intelligence, which can lead to significant competitive advantages in the geopolitical and economic spheres. In many cases, nation-states sponsor these groups to conduct operations.  

While nation-states can use cyber actors for various ends, APT groups frequently engage in espionage activities, which are long-running and stealthy.

COVID-19 and the cyber threat intelligence landscape  

As we have covered several times, the COVID-19 pandemic shaped every aspect of 2020, including the cyber threat landscape. 

Google noted in its update last week that COVID-19’s impacts have continued to drive the threat landscape.

Early on in the pandemic, cyber actors leveraged the fear, uncertainty, and doubt surrounding the virus to unleash phishing campaigns.

Since then, threat actors have leveraged the shift to remote working to target organisations by exploiting vulnerabilities in telework technologies. They have also exploited already strained bandwidth with Distributed Denial of Service (DDoS) attacks.

Finally, as the pandemic continued, health care providers were increasingly targeted, followed by vaccine-related research entities.

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.