When the Iranian hacking group APT35 wants to know if one of its digital lures has gotten a bite, all it has to do is check Telegram. Whenever someone visits one of the copycat sites they’ve set up, a notification appears in a public channel on the messaging service, detailing the potential victim’s IP address, location, device, browser, and more. It’s not a push notification; it’s a phish notification.
Google’s Threat Analysis Group outlined the novel technique as part of a broader look at APT35, also known as Charming Kitten, a state-sponsored group that has spent the last several years trying to get high-value targets to click on the wrong link and cough up their credentials. And while APT35 isn’t the most successful or sophisticated threat on the international stage—this is the same group, after all, that accidentally leaked hours of videos of themselves hacking—their use of Telegram stands out as an innovative wrinkle that could pay dividends.
The group uses a variety of approaches to try to get people to visit their phishing pages in the first place. Google outlined a few scenarios it has observed lately: the compromise of a UK university website, a fake VPN app that briefly snuck into the Google Play Store, and phishing emails in which the hackers pretend to be organizers of real conferences, and attempt to entrap their marks through malicious PDFs, Dropbox links, websites, and more.
In the case of the university website, the hackers direct potential victims to the compromised page, which encourages them to log in with the service provider of their choice—everything from Gmail to Facebook to AOL is on offer—to view a webinar. If you enter your credentials, they go straight to APT35, which also asks for your two-factor authentication code. It’s a technique so old it’s got whiskers on it; APT35 has been running it since 2017 to target people in government, academia, national security, and more.
The fake VPN isn’t especially innovative, either, and Google says it booted the app from its store before anyone managed to download it. If anyone had fallen for the ruse, though—or does install it on another platform where it’s still available—the spyware can steal call logs, texts, location data, and contacts.
Frankly, APT35 are not exactly overachievers. While they convincingly impersonated officials from the Munich Security conference and Think-20 Italy in recent years, that too is straight out of Phishing 101. “This is a very prolific group that has a wide target set, but that wide target set is not representative of the level of success the actor has,” says Ajax Bash, security engineer at Google TAG. “Their success rate is actually very low.”
This new use of Telegram, though, bears a mention. APT35 embeds javascript in its phishing pages that’s designed to notify them every time the page loads; it manages those notifications through a bot it creates with the Telegram API sendMessage function. The setup gives the attackers instant information about not only whether they successfully got someone to click the wrong link, but where that person is, what device they’re on, and a wealth of other useful information. “Within the context of phishing, they can see if the targeted user clicked the link, or if the page was being analyzed by Google Safe Browsing,” says Bash. “This helps them better engage with the target via follow-up emails because they’ll know the email reached the target, was opened, read and link clicked.”
Hackers have abused Telegram before; in April, security firm Check Point found that the platform was being used as part of the command and control infrastructure for malware it called ToxicEye. And the company has taken plenty of flack for its failure to keep extremists and scammers off its channels. But while APT35’s use of Telegram bots as a notification service is less extreme than those abuses, it’s also much harder to proactively detect.
