Tag Archives: Threat Analysis Group

TAG Bulletin: Q3 2020

This bulletin includes coordinated influence operation campaigns terminated on our platforms in July of 2020. We will continue to update this bulletin with data from Q3 as it becomes available. It was last updated on Sept 15, 2020.

July

We terminated 1 advertising account and 7 YouTube channels as part of our actions against a coordinated influence operation linked to Ecuador. The campaign was linked to the PR firm Estraterra, and posted content in Spanish about former Ecuador government employees. These findings are consistent with similar findings reported by Facebook.


We terminated 299 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese about COVID-19 and current events in Hong Kong. These findings are consistent with our previous reports in the Q2 TAG bulletin.

TAG Bulletin: Q2 2020

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q2 of 2020. It was last updated on August 5, 2020.

April

We terminated 16 YouTube channels, 1 advertising account and 1 AdSense account as part of our ongoing investigation into coordinated influence operations linked to Iran. The campaign was linked to the Iranian state-sponsored International Union of Virtual Media (IUVM) network, and posted content in Arabic related to the U.S. response to COVID-19 and content about Saudi-American relations. We received leads from FireEye and Graphika that supported us in this investigation.


We terminated 15 YouTube channels and 3 blogs as part of our ongoing investigation into coordinated influence operations linked to Russia. The campaign posted content in English and Russian about the EU, Lithuania, Ukraine, and the U.S., similar to the findings in a recent Graphika report called Secondary Infektion. We received leads from Graphika that supported us in this investigation.


We terminated 7 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. The campaign posted content in Russian, German, and Farsi about Russian and Syrian politics and the U.S. response to COVID-19. This campaign was consistent with similar findings reported by Facebook.


We terminated 186 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy, non-political content, but a small subset posted political content primarily in Chinese similar to the findings in a recent Graphika report, including content related to the U.S. response to COVID-19. 


We terminated 3 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Iran. The campaign posted content in Bosnian and Arabic that was critical of the U.S. and the People's Mujahedin Organization of Iran (PMOI). This campaign was consistent with similar findings reported by Facebook.

May

We terminated 1,098 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy, non-political content, but a small subset posted political content primarily in Chinese similar to the findings in a recent Graphika report, including content related to the U.S. response to COVID-19. We received leads from Graphika that supported us in this investigation. 


We terminated 47 YouTube channels and 1 AdSense account as part of our ongoing investigation into coordinated influence operations linked to Russia. The campaign posted content in a coordinated manner primarily in Russian about domestic Russian and international policy issues. This campaign was consistent with similar findings reported by Facebook.

June

We terminated 1,312 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy, non-political content, but a subset posted political content primarily in Chinese similar to the findings in a recent Graphika report, including content related to racial justice protests in the U.S. This campaign was consistent with similar findings reported by Twitter. 


We terminated 17 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. The campaign posted comments in Russian in a coordinated manner under a small set of Russian language videos. This campaign was consistent with similar findings reported by Twitter.


We banned 3 Play Developers and terminated 1 advertising account as part of our actions against a coordinated influence operation. The campaign was posting news content in English and French, targeting audiences in Africa. We found evidence of this campaign being tied to the PR company Ureputation based in Tunisia. This campaign was consistent with similar findings reported by Facebook.

TAG Bulletin: Q1 2020

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q1 of 2020. It was last updated on May 27, 2020.

January

We terminated 3 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Iran. The campaign was linked to the Iranian state-sponsored International Union of Virtual Media (IUVM) network, and was reproducing IUVM content covering Iran’s strikes into Iraq and U.S. policy on oil. We received leads from Graphika that supported us in this investigation.

February

We terminated 1 advertising account and 82 YouTube channels as part of our actions against a coordinated influence operation linked to Egypt. The campaign was sharing political content in Arabic supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and critical of Iran and Qatar. We found evidence of this campaign being tied to the digital marketing firm New Waves based in Cairo. This campaign was consistent with similar findings reported by Facebook.

March

We terminated 3 advertising accounts, 1 AdSense account, and 11 YouTube channels as part of our actions against a coordinated influence operation linked to India. The campaign was sharing messages in English supportive of Qatar. This campaign was consistent with similar findings reported by Facebook.


We banned 1 Play developer and terminated 68 YouTube channels as part of our actions against a coordinated influence operation. The campaign was posting political content in Arabic supportive of Turkey and critical of the UAE and Yemen. This campaign was consistent with similar findings reported by Twitter.


We terminated 1 advertising account, 1 AdSense account, 17 YouTube channels and banned 1 Play developer as part of our actions against a coordinated influence operation linked to Egypt. The campaign was posting political content in Arabic supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and critical of Iran and Qatar. This campaign was consistent with similar findings reported by Twitter.


We banned 1 Play developer and terminated 78 YouTube channels as part of our actions against a coordinated influence operation linked to Serbia. The domestic campaign was posting pro-Serbian political content. This campaign was consistent with similar findings reported by Twitter.


We terminated 18 YouTube channels as part of our continued investigation into a coordinated influence operation linked to Indonesia. The domestic campaign was targeting the Indonesian provinces Papua and West Papua with messaging in opposition to the Free Papua Movement. This campaign was consistent with similar findings reported by Twitter.

Updates about government-backed hacking and disinformation

On any given day, Google's Threat Analysis Group (TAG) is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. Our team of analysts and security experts is focused on identifying and stopping issues like phishing campaigns, zero-day vulnerabilities and hacking against Google, our products and our users. Today, we’re sharing recent findings on government-backed phishing, threats and disinformation, as well as a new bulletin to share information about actions we take against accounts that we attribute to coordinated influence campaigns. 

Hacking and phishing attempts 

Last month, we sent 1,755 warnings to users whose accounts were targets of government-backed attackers. 

Distribution of the targets of government-backed phishing attempts in April 2020

Generally, 2020 has been dominated by COVID-19. The pandemic has taken center stage in people’s everyday lives, in the international news media, and in the world of government-backed hacking. Recently, we shared information on numerous COVID-themed attacks discovered and confirmed by our teams. We continue to see attacks from groups like Charming Kitten on medical and healthcare professionals, including World Health Organization (WHO) employees. And as others have reported, we’re seeing a resurgence in COVID-related hacking and phishing attempts from numerous commercial and government-backed attackers.

As one example, we've seen new activity from “hack-for-hire” firms, many based in India, that have been creating Gmail accounts spoofing the WHO. The accounts have largely targeted business leaders in financial services, consulting, and healthcare corporations within numerous countries including the U.S., Slovenia, Canada, India, Bahrain, Cyprus, and the UK. The lures themselves encourage individuals to sign up for direct notifications from the WHO to stay informed of COVID-19 related announcements, and link to attacker-hosted websites that bear a strong resemblance to the official WHO website. The sites typically feature fake login pages that prompt potential victims to give up their Google account credentials, and occasionally encourage individuals to give up other personal information, such as their phone numbers.

Example of a spoofed WHO Newsletter sign-up prompt

To help protect users against these kinds of attacks, our Advanced Protection Program (APP) utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings. APP was designed specifically for high-risk accounts.

Coordinated influence operations 

Government-backed or state-sponsored groups have different goals in carrying out their attacks: Some are looking to collect intelligence or steal intellectual property; others are targeting dissidents or activists, or attempting to engage in coordinated influence operations and disinformation campaigns. Our products are designed with robust built-in security features, like Gmail protections against phishing and Safe Browsing in Chrome, but we still dedicate significant resources to developing new tools and technology to help identify, track and stop this kind of activity. In addition to our internal investigations, we work with law enforcement, industry partners, and third parties like specialized security firms to assess and share intelligence. 

When we find attempts to conduct coordinated influence operations on our platforms, we work with our Trust & Safety teams to swiftly remove such content from our platforms and terminate these actors’ accounts. We take steps to prevent possible future attempts by the same actors, and routinely exchange information and share our findings with others in the industry. We’ve also shared occasional updates about this kind of activity, and today we’re introducing a more streamlined way of doing this via a new, quarterly bulletin to share information about actions we take against accounts that we attribute to coordinated influence campaigns (foreign and domestic). Our actions against coordinated influence operations from January, February and March can be found in the Q1 Bulletin.

Since March, we’ve removed more than a thousand YouTube channels that we believe to be part of a large campaign and that were behaving in a coordinated manner. These channels were mostly uploading spammy, non-political content, but a small subset posted primarily Chinese-language political content similar to the findings of a recent Graphika report. We’ll also share additional removal actions from April and May in the Q2 Bulletin. 

Our hope is that this new bulletin helps others who are also working to track these groups, such as researchers studying this issue, and we hope these updates can help confirm findings from security firms and others in the industry. We will also continue to share more detailed analysis of vulnerabilities we find, phishing and malware campaigns that we see, and other interesting or noteworthy trends across this space.

Findings on COVID-19 and online security threats

Google’s Threat Analysis Group (TAG) is a specialized team of security experts that works to identify, report, and stop government-backed phishing and hacking against Google and the people who use our products. We work across Google products to identify new vulnerabilities and threats. Today we’re sharing our latest findings and the threats we’re seeing in relation to COVID-19.


COVID-19 as general bait

Hackers frequently look at crises as an opportunity, and COVID-19 is no different. Across Google products, we’re seeing bad actors use COVID-related themes to create urgency so that people respond to phishing attacks and scams. Our security systems have detected examples ranging from fake solicitations for charities and NGOs, to messages that try to mimic employer communications to employees working from home, to websites posing as official government pages and public health agencies. Recently, our systems have detected 18 million malware and phishing Gmail messages per day related to COVID-19, in addition to more than 240 million COVID-related daily spam messages. Our machine learning models have evolved to understand and filter these threats, and we continue to block more than 99.9 percent of spam, phishing and malware from reaching our users.

How government-backed attackers are using COVID-19

TAG has specifically identified over a dozen government-backed attacker groups using COVID-19 themes as a lure for phishing and malware attempts—trying to get their targets to click malicious links and download files.

Location of users targeted by government-backed COVID-19 related attacks

One notable campaign attempted to target personal accounts of U.S. government employees with phishing lures using American fast food franchises and COVID-19 messaging. Some messages offered free meals and coupons in response to COVID-19, others suggested recipients visit sites disguised as online ordering and delivery options. Once people clicked on the emails, they were presented with phishing pages designed to trick them into providing their Google account credentials. The vast majority of these messages were sent to spam without any user ever seeing them, and we were able to preemptively block the domains using Safe Browsing. We’re not aware of any user having their account compromised by this campaign, but as usual, we notify all targeted users with a “government-backed attacker” warning.

We’ve also seen attackers try to trick people into downloading malware by impersonating health organizations:

attackers impersonating health organizations

International and national health organizations are becoming targets 

Our team also found new, COVID-19-specific targeting of international health organizations, including activity that corroborates reporting in Reuters earlier this month and is consistent with the threat actor group often referred to as Charming Kitten. The team has seen similar activity from a South American actor, known externally as Packrat, with emails that linked to a domain spoofing the World Health Organization’s login page. These findings show that health organizations, public health agencies, and the individuals who work there are becoming new targets as a result of COVID-19. We're proactively adding extra security protections, such as higher thresholds for Google Account sign in and recovery, to more than 50,000 such high-risk accounts.

Left: Contact message from Charming Kitten. Right: Packrat phishing page

Generally, we’re not seeing an overall rise in phishing attacks by government-backed groups; this is just a change in tactics. In fact, we saw a slight decrease in overall volumes in March compared to January and February. While it’s not unusual to see some fluctuations in these numbers, it could be that attackers, just like many other organizations, are experiencing productivity lags and issues due to global lockdowns and quarantine efforts.

Accounts that received a “government-backed attacker” warning each month of 2020

When working to identify and prevent threats, we use a combination of internal investigative tools, information sharing with industry partners and law enforcement, as well as leads and intelligence from third-party researchers. To help support this broader security researcher community, Google is providing more than $200,000 in grants as part of a new Vulnerability Research Grant COVID-19 fund for Google VRP researchers who help identify various vulnerabilities.


As the world continues to respond to COVID-19, we expect to see new lures and schemes. Our teams continue to track these and stop them before they reach people—and we’ll continue to share new and interesting findings.


Identifying vulnerabilities and protecting you from phishing

Google’s Threat Analysis Group (TAG) works to counter targeted and government-backed hacking against Google and the people who use our products. Following our November update, today we’re sharing the latest insights to fight phishing, and for security teams, providing more details about our work identifying attacks against zero-day vulnerabilities. 

Protecting you from phishing

We have a long-standing policy to send you a warning if we detect that your account is a target of government-backed phishing or malware attempts. In 2019, we sent almost 40,000 warnings, a nearly 25 percent drop from 2018. One reason for this decline is that our new protections are working—attackers' efforts have been slowed down and they’re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt.

Distribution of the targets of government-backed phishing in 2019.

We’ve detected a few emerging trends in recent months.

Impersonating news outlets and journalists is on the rise

Upon reviewing phishing attempts since the beginning of this year, we’ve seen a rising number of attackers, including those from Iran and North Korea, impersonating news outlets or journalists. For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation. In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email. Government-backed attackers regularly target foreign policy experts for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks. 

Heavily targeted sectors are (mostly) not surprising

Government-backed attackers continue to consistently target geopolitical rivals, government officials, journalists, dissidents and activists. The chart below details the Russian threat actor group SANDWORM’s targeting efforts (by sector) over the last three years.

Distribution of targets by sector by the Russian threat actor known as SANDWORM

Government-backed attackers repeatedly go after their targets

In 2019, one in five accounts that received a warning was targeted multiple times by attackers. If at first the attacker does not succeed, they’ll try again using a different lure, different account, or trying to compromise an associate of their target.

We’ve yet to see people successfully phished if they participate in Google’s Advanced Protection Program (APP), even if they are repeatedly targeted. APP provides the strongest protections available against phishing and account hijacking and is specifically designed for the highest-risk accounts. 

Finding attacks that leverage zero-day vulnerabilities

Zero-day vulnerabilities are unknown software flaws. Until they’re identified and fixed, they can be exploited by attackers. TAG actively hunts for these types of attacks because they are particularly dangerous and have a high rate of success, although they account for a small number of the overall total. When we find an attack that takes advantage of a zero-day vulnerability, we report the vulnerability to the vendor and give them seven days to patch or produce an advisory, or we release an advisory ourselves.

We work across all platforms, and in 2019 TAG discovered zero-day vulnerabilities affecting Android, Chrome, iOS, Internet Explorer and Windows. Most recently, TAG was acknowledged in January 2020 for our contribution in identifying CVE-2020-0674, a remote code execution vulnerability in Internet Explorer. 

Last year, TAG discovered that a single threat actor was capitalizing on five zero-day vulnerabilities. Finding this many zero-day exploits from the same actor in a relatively short time frame is rare. The exploits were delivered via compromised legitimate websites (e.g. watering hole attacks), links to malicious websites, and email attachments in limited spear phishing campaigns. The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.

For security teams interested in learning more, here are additional details about the exploits and our work in 2019:

The vulnerabilities underlying these exploits included:

The following technical details are associated with the exploits and can be used for teams interested in conducting further research on these attacks:

  • CVE-2018-8653, CVE-2019-1367 and CVE-2020-0674 are vulnerabilities inside jscript.dll; therefore all exploits enabled IE8 rendering and used JScript.Compact as the JS engine.

  • In most Internet Explorer exploits, attackers abused the Enumerator object in order to gain remote code execution. 

  • To escape from the Internet Explorer EPM sandbox, exploits used a technique consisting of replaying the same vulnerability inside svchost by abusing Web Proxy Auto-Discovery (WPad) Service. Attackers abused this technique with CVE-2020-0674 on Firefox to escape the sandbox after exploiting CVE-2019-17026.

  • CVE-2019-0676 is a variant of CVE-2017-0022, CVE-2016-3298, CVE-2016-0162 and CVE-2016-3351, where the vulnerability resided inside the handling of the “res://” URI scheme. Exploiting CVE-2019-0676 enabled attackers to reveal the presence or absence of files on the victim’s computer; this information was later used to decide whether or not a second stage exploit should be delivered.

  • The attack vector for CVE-2019-1367 was rather atypical as the exploit was delivered from an Office document abusing the online video embedding feature to load an external URL conducting the exploitation.
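The last bullet describes an Office document abusing the online video embedding feature to load an external URL. The following added example is my code, not TAG's, and shows a defender-side triage check for that delivery vector: it opens a .docx as a zip, looks for Word's w15:webVideoPr elements, pulls the frame source URLs out of their embeddedHtml attribute, and flags anything that is not an https URL to an allowlisted video host. The element and attribute names are assumed to be those Word writes for an inserted online video; the sample document and the example.invalid URL are constructed inline.

```python
import html
import io
import zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: Word stores an inserted online video as a w15:webVideoPr element
# whose w15:embeddedHtml attribute holds the HTML (typically an iframe) to render.
W15_NS = "http://schemas.microsoft.com/office/word/2012/wordml"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
WEB_VIDEO_PR = "{%s}webVideoPr" % W15_NS
EMBEDDED_HTML = "{%s}embeddedHtml" % W15_NS

# Hosts a video embed is expected to load from; anything else is reported.
ALLOWED_VIDEO_HOSTS = frozenset({"www.youtube.com", "youtube.com"})


class _FrameSourceParser(HTMLParser):
    """Collects src/data URLs from tags that would load remote content."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "embed", "object", "script"):
            for name, value in attrs:
                if name in ("src", "data") and value:
                    self.urls.append(value.strip())


def extract_online_video_urls(docx_bytes):
    """Return every URL an online-video embed in the .docx would load."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Check every Word part, not just document.xml: headers and
            # footers are separate XML parts and can carry the same element.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for el in root.iter(WEB_VIDEO_PR):
                embedded = el.get(EMBEDDED_HTML)
                if embedded:
                    parser = _FrameSourceParser()
                    parser.feed(embedded)
                    urls.extend(parser.urls)
    return urls


def suspicious_video_embeds(docx_bytes, allowed_hosts=ALLOWED_VIDEO_HOSTS):
    """Return (url, reason) pairs for embeds that deserve quarantine or review."""
    flagged = []
    for url in extract_online_video_urls(docx_bytes):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            flagged.append((url, "scheme is not https"))
        elif (parsed.hostname or "") not in allowed_hosts:
            flagged.append((url, "host not on allowlist"))
    return flagged


def build_sample_docx(video_url=None):
    """Constructed minimal .docx; with video_url set it carries one online-video embed."""
    embed = ""
    if video_url is not None:
        frame = '<iframe src="%s" width="640" height="360"></iframe>' % video_url
        embed = ('<w:pict><w15:webVideoPr w15:embeddedHtml="%s" w15:h="360" w15:w="640"/></w:pict>'
                 % html.escape(frame, quote=True))
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s" xmlns:w15="%s"><w:body><w:p><w:r>%s</w:r></w:p></w:body></w:document>'
        % (W_NS, W15_NS, embed)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    # example.invalid is a constructed placeholder, not a real indicator.
    for url in ("https://www.youtube.com/embed/abc123", "https://example.invalid/landing"):
        print(url, "->", suspicious_video_embeds(build_sample_docx(url)) or "clean")
```

In a mail gateway or IR triage pipeline the same check runs over attachments on disk; the allowlist should be tightened to whatever video hosts your organisation actually uses.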

Our Threat Analysis Group will continue to identify bad actors and share relevant information with others in the industry. Our goal is to bring awareness to these issues to protect you and fight bad actors to prevent future attacks. In a future update, we’ll provide details on attackers using lures related to COVID-19 and expected behavior we’re observing (all within the normal range of attacker activity).

Protecting users from government-backed hacking and disinformation

Google's Threat Analysis Group (TAG) works to counter targeted and government-backed hacking against Google and our users. This is an area we have invested in deeply for over a decade. Our daily work involves detecting and defeating threats, and warning targeted users and customers about the world’s most sophisticated adversaries, spanning the full range of Google products including Gmail, Drive and YouTube.

In the past, we’ve posted on issues like phishing campaigns, vulnerabilities and disinformation. Going forward, we’ll share more technical details and data about the threats we detect and how we counter them to advance the broader digital security discussion.

TAG tracks more than 270 targeted or government-backed groups from more than 50 countries. These groups have many goals including intelligence collection, stealing intellectual property, targeting dissidents and activists, destructive cyber attacks, or spreading coordinated disinformation. We use the intelligence we gather to protect Google infrastructure as well as users targeted with malware or phishing.

Phishing

We’ve had a long-standing policy to send users warnings if we detect that they are the subject of state-sponsored phishing attempts, and have posted periodically about these before. From July to September 2019, we sent more than 12,000 warnings to users in 149 countries that they were targeted by government-backed attackers. This is consistent (+/-10%) with the number of warnings sent in the same period of 2018 and 2017.


Distribution of government-backed phishing targets in Q3 (Jul-Sep 2019)

Over 90 percent of these users were targeted via “credential phishing emails” similar to the example below. These are usually attempts to obtain the target’s password or other account credentials to hijack their account. We encourage high-risk users—like journalists, human rights activists, and political campaigns—to enroll in our Advanced Protection Program (APP), which utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings. APP is designed specifically for the highest-risk accounts.

In the simple phishing example below, an attacker has sent a phishing email with a security alert lure from “Goolge” suggesting the user secure their account. The user clicks the link, enters their password, and may also get asked for a security code if they have two-factor authentication enabled, allowing the attacker to access their account.


Sample lure used to phish Gmail users
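The lure above works because a password and a typed security code are valid wherever the victim enters them: the attacker simply forwards them to the real sign-in page. A hardware security key closes that gap because the browser, not the user, records which origin requested the signature, and the real service refuses an assertion produced for a lookalike origin. The simulation below is an added example, not Google's or APP's implementation. It models the two factors side by side: an HOTP-style code (the same construction as RFC 4226, truncated to six digits) and a deliberately simplified origin-bound signature in which an HMAC over the client data stands in for the public-key signature a real FIDO authenticator produces. The origins, secret and challenge are constructed values.

```python
"""Why a relayed one-time code succeeds but a relayed security-key assertion fails.

Added example (not Google's code). An HMAC with a key shared between the
authenticator and the relying party stands in for the authenticator's
public-key signature; everything else (challenge, origin check) mirrors the
WebAuthn flow. Origins and secrets are constructed.
"""
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://accounts.example.com"        # constructed legitimate origin
PHISH_ORIGIN = "https://accounts.goolge.example"  # constructed lookalike, as in the lure


# --- Factor 1: a one-time code. It carries no information about where it was typed.
def hotp_code(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) truncated to six digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def server_accepts_code(secret: bytes, counter: int, submitted: str) -> bool:
    return hmac.compare_digest(hotp_code(secret, counter), submitted)


def relayed_code_login(secret: bytes, counter: int) -> bool:
    """Victim types the code into the phishing page; attacker forwards it verbatim."""
    captured_by_attacker = hotp_code(secret, counter)
    return server_accepts_code(secret, counter, captured_by_attacker)


# --- Factor 2: a security key. The browser binds the signature to the page origin.
def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str):
    """The browser builds clientData (including its own origin); the key signs it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    signature = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    return client_data, signature


def relying_party_verify(cred_key: bytes, expected_challenge: str,
                         client_data: bytes, signature: str) -> bool:
    """Reject unless the origin, the challenge and the signature all check out."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False
    if data.get("origin") != RP_ORIGIN:          # the check a relay cannot pass
        return False
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge):
        return False
    expected_sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, signature)


def legitimate_key_login(cred_key: bytes) -> bool:
    challenge = secrets.token_urlsafe(32)
    client_data, sig = authenticator_sign(cred_key, challenge, RP_ORIGIN)
    return relying_party_verify(cred_key, challenge, client_data, sig)


def relayed_key_login(cred_key: bytes) -> bool:
    """Attacker forwards the real challenge to the victim on the lookalike page."""
    challenge = secrets.token_urlsafe(32)
    # The victim's browser is on PHISH_ORIGIN, so that is what it puts in clientData.
    client_data, sig = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    return relying_party_verify(cred_key, challenge, client_data, sig)


if __name__ == "__main__":
    shared = b"constructed-credential-secret"
    print("relayed one-time code accepted:", relayed_code_login(shared, 42))
    print("legitimate security-key login:", legitimate_key_login(shared))
    print("relayed security-key login:   ", relayed_key_login(shared))
```

The asymmetry is the whole point: the code is correct regardless of context, so a relay attack defeats it, whereas the key's assertion is only meaningful for the origin the browser actually reports, which the attacker cannot change from a lookalike domain.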

Threat detection

Last week at CyberwarCon, we presented analysis about previously undisclosed campaigns from a Russia-nexus threat group called “Sandworm” (also known as “Iridium”). It’s a useful example of the type of detailed threat detection work that TAG does. Although much of Sandworm’s activity targeting Ukraine and their attacks against the 2018 Winter Olympics have been covered publicly, some campaigns have not been reported. 

In December 2017, TAG discovered a series of campaigns from Sandworm attempting to deploy Android malware. The first campaign targeted users in South Korea, where Sandworm was modifying legitimate Android applications with malware. They then uploaded these modified apps to the Play Store using their own attacker-controlled developer accounts. During this campaign, Sandworm uploaded eight different apps to the Play Store, each with fewer than 10 total installs. 


Malicious apps targeting users in South Korea

We also identified an earlier September 2017 Android campaign from Sandworm where they used similar tactics and deployed a fake version of the UKR.net email app on the Play Store. This application had approximately 1,000 total installs. We worked with our colleagues on the Google Play Protect Team to write detections for this malware family, and eliminate it.

In November 2018, we saw evidence that Sandworm had shifted from trying to upload malicious apps through attacker-controlled accounts to compromising legitimate developers. Throughout November, Sandworm targeted software and mobile app developers in Ukraine via spear phishing emails with malicious attachments. In at least one case, they compromised an app developer with several published Play Store apps—one with more than 200,000 installs.

After compromising the developer, Sandworm built a backdoor in one of the legitimate apps and attempted to publish it on the Play Store. They did this by adding their implant code into the application package, signing the package with the compromised developer’s key, and then uploading it to the Play Store. However, the Google Play Protect team caught the attempt at the time of upload. As a result, no users were infected and we were able to re-secure the developer’s account.

Disinformation

TAG is one part of Google and YouTube’s broader efforts to tackle coordinated influence operations that attempt to game our services. We share relevant threat information on these campaigns with law enforcement and other tech companies. Here are some examples that have been reported recently that TAG worked on:

  • TAG recently took action against Russia-affiliated influence operations targeting several nations in Africa. The operations use inauthentic news outlets to disseminate messages promoting Russian interests in Africa. We have observed the use of local accounts and people to contribute to the operation, a tactic likely intended to make the content appear more genuine. Targeted countries included the Central African Republic, Sudan, Madagascar, and South Africa, and languages used included English, French, and Arabic. Activity on Google services was limited, but we took enforcement action across our products swiftly. We terminated the associated Google accounts and 15 YouTube channels, and we continue to monitor this space. This discovery was consistent with recent observations and actions announced by Facebook.

  • Consistent with a recent Bellingcat report, TAG identified a campaign targeting the Indonesian provinces Papua and West Papua with messaging in opposition to the Free Papua Movement. Google terminated one advertising account and 28 YouTube channels.

Partnerships

TAG works closely with other technology companies—including platforms and specialized security firms—to share intelligence and best practices. We also share threat information with law enforcement. And of course there are multiple teams at Google at work on these issues with whom we coordinate. 

Going forward, our goal is to give more updates on the attacks that TAG detects and stops. Our hope is that shining more light on these actors will be helpful to the security community, deter future attacks, and lead to better awareness and protections among high-risk targets.