Google highlights Indian 'hack-for-hire' companies in new TAG report

Google also discloses seven coordinated political influence campaigns that took place on its platforms during Q1 2020.
Written by Catalin Cimpanu, Contributor

The Google Threat Analysis Group (TAG), a division inside Google's security department that tracks nation-state and high-end cybercrime groups, has published today its inaugural TAG quarterly report.

In the Q1 2020 TAG Bulletin, Google analysts chose to highlight two rising trends the company saw in the first three months of 2020.

The first is the rising scene of hack-for-fire companies currently operating out of India, a country where such services have not been prominent until now.

The second trend was the rising number of political influence operations carried out by governments across the world. This also marks the first time when Google publishes official disclosures of coordinated influence operations that abused the company's platforms.

Indian hack-for-hire firms

According to Google, attacks that leveraged the coronavirus (COVID-19) theme were one of the most common trends the company saw among nation-state and high-end cybercrime operators in Q1 2020.

While the company saw efforts from Chinese and Iranian hacking groups, there was also a novel set of threat actors exploiting the coronavirus pandemic to launch cyber-attacks.

"We've seen new activity from "hack-for-hire" firms, many based in India, that have been creating Gmail accounts spoofing the WHO," said Shane Huntley, head of Google TAG.

"The accounts have largely targeted business leaders in financial services, consulting, and healthcare corporations within numerous countries including, the US, Slovenia, Canada, India, Bahrain, Cyprus, and the UK."

Huntley says the email lures sent in these campaigns urged individuals to sign up for direct notifications from the WHO to stay informed of COVID-19 related announcements.

The emails linked to attacker-hosted websites that resembled the official WHO website, but featured fake login pages that collected the potential victims' Google credentials, and sometimes more, such as phone number.


One of the fake WHO websites operated by Indian hack-for-hire companies

Image :Google

While there have been many hack-for-hire companies around the world, most are located in the UE, Israel, and some Arab countries. This is the first time that Indian companies are being singled out for their activities, and will most likely draw in more cyber-security firms looking to track their movements.

According to the TAG group, these Indian hack-for-hire firms represent just a few of the more than 270 threat actors from more than 50 countries the Google TAG team is tracking.

Lots and lots of coordinated influence operations

But the Google TAG group also said that they've also tracked and investigated more than hacking in the first three months of the year.

TAG said they've been also looking into groups that have also engaged in coordinated social and political influence operations, since many of these operations are now taking place on Google's network of sites, such as YouTube, the Play Store, AdSense, and the rest of its advertising platforms.

In total, TAG said it tracked seven influence operations in Q1 2020, with some also being taking place and being exposed by Twitter and Facebook as well.


Google terminated three YouTube channels as part of a coordinated influence operation linked to Iran.

Google said it linked the campaign to the Iranian state-sponsored International Union of Virtual Media (IUVM) news organization, which was spreading IUVM content covering Iran's strikes into Iraq and US policy on oil. More details about this campaign are also available in a report from Graphika, a company using AI to study today's social media landscape.


Google also said it terminated one advertising account and 82 YouTube channels that were being used as part of a coordinated influence operation linked to Egypt.

TAG experts said the campaign was sharing political content in Arabic that was supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and was critical of Iran and Qatar.

We found evidence of this campaign being tied to the digital marketing firm New Waves based in Cairo.

Facebook also took action against this campaign as well; campaign that was also detailed in another report from Graphika.


However, March has been Google's most active month, with TAG cracking down on five different influence operations.

  • Three advertising accounts, one AdSense account, and 11 YouTube channels part of a coordinated influence operation linked to India. Google said the campaign was sharing messages in English supportive of Qatar, and was also detailed by both Facebook and Graphika.
  • Google said it banned one Play Store developer and terminated 68 YouTube channels as part of a coordinated influence operation. The campaign was posting political content in Arabic supportive of Turkey and critical of the UAE and Yemen. Twitter also took action in this campaign as well, Google said, altought, we couldn't find a public report on it.
  • Google also terminated one advertising account, one AdSense account, 17 YouTube channels, and banned one Play developer as part of a crackdown against a coordinated influence operation linked to Egypt. Google said the campaign was posting political content in Arabic supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and critical of Iran and Qatar. Twitter also took action against this campaign, and said information they "gained externally" indicated the campaign operators were taking directions from the Egyptian government.
  • Google also banned one Play developer and terminated 78 YouTube channels as part of its actions against a coordinated influence operation linked to Serbia. Google said the campaign promoted pro-Serbian political content. Twitter also terminated 8,558 accounts part of this crackdown, and said most of the accounts were promoting Serbia's ruling party and its leader.
  • Google also shut down 18 YouTube channels that were part of a coordinated influence operation linked to Indonesia. TAG said the campaign targeted the Indonesian provinces of Papua and West Papua with messaging in opposition to the Free Papua Movement. Twitter, too, banned 795 fake accounts for "pushing content from suspicious 'news' websites and promoting pro-government content."

The FBI's most wanted cybercriminals

Editorial standards