Government-backed hackers impersonate journalists in attempts to spread malicious email attachments and disinformation to news readers, according to Google’s own elite hacker team.
Often described as Google’s in-house ‘counter-espionage’ agency, the Threat Analysis Group (TAG) tracks cyber criminals and spies operating on behalf of governments, and works to identify critical vulnerabilities outside of Google. The group’s latest report focuses largely on state-sponsored phishing campaigns, the vast majority of which target user credentials.
TAG security engineer Toni Gidwani wrote on Thursday that her team issued nearly 40,000 warnings to users around the world in 2019, down 25 percent from the previous year. Gidwani attributes this shift in part to Google’s own security enhancements, which compel hackers to be “more intentional in their efforts.”
One of the trends that TAG has recognized in recent months has been state-sponsored hackers increasingly portraying themselves as online journalists, said Gidwani, who named Iran and North Korea as top offenders. In some cases, the goal is to spread propaganda. The hackers, disguised as journalists and news outlets, are trying to spread “false stories” among legitimate news sources.
In other cases, Gidwani writes, the hackers attempt to “bond with a journalist or foreign policy expert” with the aim of convincing them to open malicious email attachments. “Government-backed attackers regularly target foreign policy experts for their research, access to the organizations they work with, and affiliation with fellow researchers or policy makers for subsequent attacks,” she said.
TAG also updated its efforts to track Sandworm, a Russia-nexus threat group that Google first caught spreading Android malware in South Korea in 2017. TAG’s work helped the company detect the malware on Google Play, where Sandworm had published several of its own apps. Sandworm is also known for its attacks on industrial control systems, especially in Ukraine. For example, an attack on the Ukrainian energy network in 2016 left one-fifth of Kiev residents temporarily without power.
Sandworm, also known as Iridium or Hades, was also behind the cyber attack on the 2018 Olympics – known as ‘Olympic Destroyer’ – which is linked to the GRU, the Russian military intelligence agency. (The attack is described in great detail in a 2019 book, also called Sandworm, written by longtime Wired reporter Andy Greenberg.)
TAG’s update on the group’s activities includes a graph that shows the most targeted sectors over time.
Another unidentified group of hackers took advantage of five zero-day vulnerabilities to target North Koreans last year, according to TAG. The attacks were carried out by exploiting flaws in Internet Explorer, Chrome and Windows.
“TAG actively pursues these types of attacks because they are particularly dangerous and have a high conversion rate, although they account for a small number of the total,” Gidwani wrote. (TAG’s blog includes a breakdown of the specific vulnerabilities used in the attacks on North Koreans, only a few thousand of whom are believed to have any form of online access.)
According to Gidwani, TAG plans to release a future update that describes cyber-attacks related to the coronavirus outbreak, which has killed nearly 27,000 people worldwide, according to the Center for Systems Science and Engineering at Johns Hopkins University.