Government-backed hackers intent on spreading malware and disinformation online are increasingly posing as journalists to fool their targets, according to Google's in-house threat-hunting team.
Oft-described as its own internal “counterespionage” agency, Google’s Threat Analysis Group (TAG) tracks cybercriminals and spies operating on behalf of governments, while working to unearth critical vulnerabilities outside Google. Its latest report focuses largely on state-sponsored phishing campaigns, most of which target user credentials.
TAG security engineer Toni Gidwani wrote on Thursday that her team had issued nearly 40,000 warnings to users worldwide in 2019, a roughly 25 percent drop from the previous year. Gidwani attributes the slide, in part, to Google's own security enhancements, which are forcing attackers to be "more deliberate in their attempts."
Among the trends recognized by TAG in recent months, state-sponsored hackers are increasingly portraying themselves as journalists online, according to Gidwani, who fingered Iran and North Korea as top offenders. The goal in some cases is to spread propaganda. Masquerading as journalists and news outlets, the hackers attempt to “seed false stories” among legitimate news sources.
In other cases, Gidwani writes, the hackers attempt to “build a rapport with a journalist or foreign policy expert” with the goal of convincing them to open malicious email attachments. “Government-backed attackers regularly target foreign policy experts for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks,” she said.
TAG also provided an update on its efforts to track Sandworm, a Russia-nexus threat group that Google first caught spreading Android malware aimed at users in South Korea in 2017. TAG's work helped Google detect the malware on Google Play, where Sandworm had uploaded several apps of its own. Sandworm is also known for targeting industrial control systems, particularly in Ukraine. An attack on Ukraine's energy grid in December 2016, for example, cut roughly a fifth of Kiev's power consumption for about an hour.
Sandworm is credited with the 2018 Olympics cyberattack known as “Olympic Destroyer,” described in great detail by long-time Wired reporter Andy Greenberg in his 2019 book Sandworm.
TAG’s update on the group’s activities includes a graph mapping out its most heavily targeted sectors over time.
Another unidentified group of hackers made use of five zero-day vulnerabilities to target North Koreans last year, according to TAG. The attacks were carried out by exploiting flaws in Internet Explorer, Chrome, and Windows.
"TAG actively hunts for these types of attacks because they are particularly dangerous and have a high rate of success, although they account for a small number of the overall total," Gidwani wrote. (TAG's blog includes a breakdown of the specific vulnerabilities used in the attacks on North Koreans; only a few thousand people in North Korea are believed to have any kind of internet access.)
According to Gidwani, TAG plans to release a future update describing cyberattacks linked to the coronavirus outbreak, which has killed nearly 27,000 people worldwide, according to the Center for Systems Science and Engineering at Johns Hopkins University.