Google says it tracks 270 state-sponsored groups based across 50+ countries

The Google Threat Analysis Group said today that its security researchers are currently tracking more than 270 different government-backed threat actors activating from inside more than 50 countries.

The figure includes groups engaged in both cyber-espionage operations, but also disinformation campaigns, Google said in a report today.

When attacks performed by these groups include phishing emails, Google said it also sends email alerts to the targeted Gmail users.

"So far in 2021, we've sent over 50,000 warnings, a nearly 33% increase from this time in 2020," Ajax Bash, a Google TAG analyst, said today.

"This spike is largely due to blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear," Bash added.

Huh. I've had security warnings before, but this one just came to me hours after a similar Google alert to my @theatlantic colleague @JamesFallows. Both of us already use Advanced Protection. https://t.co/UptU2rrVIr pic.twitter.com/lk2JTrBLh5

— Barton Gellman (@bartongellman) October 7, 2021

But even if APT28 was responsible for the largest attack this year, Bash said that another group was more active, namely APT35. Also tracked as Charming Kitten, APT 35, Newscaster, Ajax Security Team, Phosphorus, and Group 83, the group is believed to operate under the protection of the Iranian government.

"For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government," Bash said.

Past attacks included several phishing emails modeled around the Munich Security and the Think-20 (T20) Italy political conferences and the use of a spyware-infested VPN app uploaded on the Google Play Store.

In 2021, the group hacked the website of the School of Oriental and African Studies (SOAS) at the University of London, and used it to host a phishing kit.

The group then went on to send email messages with links to the hacked site to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo.

"Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices," Bash said, referring to a campaign documented earlier this year by Proofpoint.