Anti-Phishing, DMARC , Cybercrime , Cyberwarfare / Nation-State Attacks

Google: Government-Backed Hackers Targeted 12,000 Users

Technology Giant Issues Warnings to Targeted Individuals Across 149 Countries
Google: Government-Backed Hackers Targeted 12,000 Users
Distribution of Google users targeted by government-backed phishing attacks from July to September (Source: Google)

Google has directly warned more than 12,000 users across 149 countries that they have been targeted by government-backed hackers. Google says the attack attempts occurred in the third quarter of this year.

See Also: TRACE Insights: Exposing Critical ATG Flaws

Shane Huntley, director of Google's Threat Analysis Group, says in a blog post that the warnings were sent out from July to September to users of various Google services, including Gmail, Drive and YouTube.

As part of its attempt to block government-backed groups from hacking its users, Google says that its Threat Analysis Group has been tracking more than 270 threat actors, from more than 50 countries. The technology giant says it regularly warns targeted users about state-sponsored phishing attempts.

Phishing Attacks

For the targeted attacks seen from July to September, Huntley says that over 90 percent of them employed credential-phishing emails designed to steal data or perpetrate account takeovers. "These groups have many goals, including intelligence collection, stealing intellectual property, targeting dissidents and activists, destructive cyberattacks or spreading coordinated disinformation," he says.

In terms of attack volume, Huntley says the number of attack attempts being seen by Google has remained very level, only varying by up to 10 percent compared to 2017 or 2018.

Google says that the U.S. remains the most-targeted nation, drawing thousands of instances of government-backed attack attempts. The other most-targeted countries include South Korea, Pakistan and Vietnam.

Sample lure designed to phish Gmail users (Source: Google)

Although Google has not identified individual phishing attack targets, it has recommended that high-risk users - including journalists, human rights activists, and political campaigners - use defenses designed to block phishing and account hijacking attempts.

Android Devices Targeted

In his blog post, Google’s Huntley notes that some threat groups - such as the Russian government-led hacking group known as Sandworm - specifically targeted Android users in 2017 and 2018.

Sandworm, also known as Iridium, is widely believed to be part of Russia's military intelligence agency, the GU, which was formerly known as the GRU.

While Sandworm has been previously tied to multiple high-profile attacks - including against the U.S Democratic National Committee in 2016, and a 2015 disruption of parts of Ukraine's power grid, Sandworm's Android malware campaigns are relatively less known to the industry, Huntley says.

Sandworm has also targeted Android users in South Korea by running multiple Android malware campaigns between September and December 2017. Attackers' tactics included trojanizing legitimate apps to work as malware and uploading these apps to Google's Play Store, using attacker-controlled developer accounts, Huntley says. "During this campaign in December [2017], Sandworm uploaded eight different apps to the Play Store," he notes.

Malicious apps targeting users in South Korea (Source: Google)

Towards the end of 2018, however, Sandworm switched tactics to target software and mobile app developers in Ukraine via spear-phishing email, he says. "In at least one case, they compromised an app developer with several published Play Store apps - one with more than 200,000 installs," he says. "They did this by adding their implant code into the application package, signing the package with the compromised developer’s key and then uploading it to the Play Store."

In all cases, Google claims that it was able to detect the threats and eliminate the malware before the infection was able to spread on a large scale.

Nation-State Attacks Continue

Other industry reports also point to ongoing nation-state attack activity, if not a rise in such attacks.

Ahead of the 2020 U.S. presidential election, for example, attackers appear to have a heightened interest in using social-engineering capabilities to target various federal agencies and officials.

In October, a report by Microsoft said that Phosphorous - a hacking group linked to the Iranian government - targeted email accounts associated with the Trump 2020 presidential campaign, as well as current and former U.S. government officials, journalists covering global politics, and prominent Iranians expats. Phosphorous is also known as APT35 and Charming Kitten, among other names (see: Microsoft: Iran-Backed Group Targeted a Presidential Campaign).

According to Microsoft, the hacking group targeted 241 different email accounts between August and September.

Another report, released by the U.S. Senate Intelligence Committee in July, found that Russia targeted election systems and infrastructure in all 50 states in the run-up to the 2016 presidential election. (see: Russia Targeted All 50 States During 2016 Election: Report ).

Intelligence officials had also shared a warning earlier at a Senate hearing in February 2018 that Russian activities would continue through the 2018 midterm elections. In the hearing, Director of National Intelligence Dan Coats warned in written testimony that Russia continued to use propaganda, social media, false-flag personas, sympathetic spokespeople and other means to influence election outcomes (see: Russia Will Meddle in US Midterm Elections, Spy Chief Warns).

To address the increasing risk posed by nation-state actors to the U.S election, representatives from the U.S. intelligence establishment met with security officials from Google, Facebook, Microsoft and Twitter in September, to craft the nation's approach to securing the 2020 elections. (see: Feds, Tech Giants Meet to Coordinate 2020 Election Security).

In the discussion, federal employees and corporate representatives discussed means to safeguard the companies' platforms against disinformation campaigns, and to facilitate better information sharing and coordination.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.