Google has revealed that between July and September, state-sponsored hacker groups launched thousands of phishing attacks targeting dissidents and activists in 149 countries, and over 90% of such attacks involved attackers attempting to access online account credentials of targeted people.
In the three month period, Google's Threat Analysis Group (TAG) sent more than 12,000 warnings to dissidents and activists in 149 countries to warn them that state-sponsored hacker groups had launched phishing attacks against them in an attempt to steal their online credentials or to gain access to their devices.
Google is urging people who are likely targets, such as journalists, human rights activists, and political campaigners, to enroll in its Advanced Protection Programme, which "utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings".
According to Google's Threat Analysis Group, a state-sponsored Russian hacker group known as Sandworm has launched several campaigns over the past couple of years to deploy Android malware onto targeted devices. Sandworm's tactics include modifying legitimate Android applications to carry malware, uploading those apps to the Play Store, and hijacking the devices on which they are installed.
The team noted that the technique was used in December 2017 against users in South Korea (around the same time, Russian hackers also targeted organisations associated with the Winter Olympics in response to the ban imposed on Russia), in September 2017 when Sandworm deployed a fake version of the UKR.net email app on the Play Store, and in November 2018 when the hacker group tried to get malicious apps published by compromising legitimate developers.
In the same month, the state-sponsored hacker group also targeted software and mobile app developers in Ukraine via spear phishing emails with malicious attachments and succeeded in compromising an app developer with several published Play Store apps.
State-sponsored hacker groups are also carrying out large-scale disinformation campaigns
In a blog post, Shane Huntley, Director of Google's Threat Analysis Group, said that his group also took action against disinformation campaigns launched by state-sponsored hacker groups. One such campaign involved the use of inauthentic news outlets in the Central African Republic, Sudan, Madagascar, and South Africa to promote Russian interests in Africa. In response, Google terminated Google accounts and 15 YouTube channels associated with the disinformation campaign.
"TAG tracks more than 270 targeted or government-backed groups from more than 50 countries. These groups have many goals including intelligence collection, stealing intellectual property, targeting dissidents and activists, destructive cyber attacks, or spreading coordinated disinformation. We use the intelligence we gather to protect Google infrastructure as well as users targeted with malware or phishing.
"Going forward, our goal is to give more updates on the attacks that TAG detects and stops. Our hope is that shining more light on these actors will be helpful to the security community, deter future attacks, and lead to better awareness and protections among high-risk targets," Huntley added.
Commenting on the large number of phishing attacks launched by state-sponsored hacker groups against dissidents, activists, and journalists, Piers Wilson, Head of Product Management at Huntsman Security, told TEISS that Google's announcement highlights that anyone could be a target of nation-state attacks.
"You might assume you’re not of interest to government-backed attackers, but even someone only tangentially related to people or organisations in power could be a way into that target and so a valid target themselves.
"This should serve as a stark warning to organisations that the potential entry points for attack stretch way beyond their assumed borders. Endpoint security can only do so much, so organisations must be constantly vigilant of the signs for a potential attack," he added.
"The accurate and targeted nature of these phishing attacks on high-value clients of Google shows just how difficult it is getting for people to know what they can and can’t trust online. What’s especially concerning in this example is the sophistication and convincing nature of these phishing attacks and malware campaigns," said Cesar Cerrudo, CTO at IOActive.
"Everyone needs to be doing their due diligence; there’s no excuse for a lack of basic security hygiene, so I would urge people to use strong passwords and not to reuse them – and certainly try to keep work and non-work products separate if you think your personal accounts are weaker.
"If you are in a position where you could be a target of an even more determined adversary – say you are a journalist, or a government official, or CEO – then you should be taking even more precautions and use multi-factor authentication everywhere that it’s possible. In general, avoid clicking on links unless you are sure they are safe and install strong protections on your endpoint devices," he added.