The Google Threat Analysis Group (TAG), a division inside Google's security department that tracks nation-state and high-end cybercrime groups, published its inaugural TAG quarterly report today.
In the Q1 2020 TAG Bulletin, Google analysts chose to highlight two rising trends the company saw in the first three months of 2020.
The first is the rising scene of hack-for-hire companies currently operating out of India, a country where such services have not been prominent until now.
The second trend was the rising number of political influence operations carried out by governments across the world. This also marks the first time Google has published official disclosures of coordinated influence operations that abused the company's platforms.
According to Google, attacks that leveraged the coronavirus (COVID-19) theme were one of the most common trends the company saw among nation-state and high-end cybercrime operators in Q1 2020.
While the company saw efforts from Chinese and Iranian hacking groups, there was also a novel set of threat actors exploiting the coronavirus pandemic to launch cyber-attacks.
"We've seen new activity from 'hack-for-hire' firms, many based in India, that have been creating Gmail accounts spoofing the WHO," said Shane Huntley, head of Google TAG.
"The accounts have largely targeted business leaders in financial services, consulting, and healthcare corporations within numerous countries, including the US, Slovenia, Canada, India, Bahrain, Cyprus, and the UK."
Huntley says the email lures sent in these campaigns urged individuals to sign up for direct notifications from the WHO to stay informed of COVID-19 related announcements.
The emails linked to attacker-hosted websites that resembled the official WHO website but featured fake login pages that collected the potential victims' Google credentials, and sometimes more, such as phone numbers.
While there have been many hack-for-hire companies around the world, most are located in the UE, Israel, and some Arab countries. This is the first time that Indian companies are being singled out for their activities, and the disclosure will most likely draw in more cyber-security firms looking to track their movements.
According to the TAG group, these Indian hack-for-hire firms represent just a few of the more than 270 threat actors from more than 50 countries the Google TAG team is tracking.
But the Google TAG group said that it tracked and investigated more than hacking in the first three months of the year.
TAG said it has also been looking into groups that engaged in coordinated social and political influence operations, since many of these operations are now taking place on Google's network of sites, such as YouTube, the Play Store, AdSense, and the rest of its advertising platforms.
In total, TAG said it tracked seven influence operations in Q1 2020, with some also taking place on, and being exposed by, Twitter and Facebook.
Google terminated three YouTube channels as part of a coordinated influence operation linked to Iran.
Google said it linked the campaign to the Iranian state-sponsored International Union of Virtual Media (IUVM) news organization, which was spreading IUVM content covering Iran's strikes into Iraq and US policy on oil. More details about this campaign are also available in a report from Graphika, a company using AI to study today's social media landscape.
Google also said it terminated one advertising account and 82 YouTube channels that were being used as part of a coordinated influence operation linked to Egypt.
TAG experts said the campaign was sharing political content in Arabic that was supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and was critical of Iran and Qatar.
We found evidence of this campaign being tied to the digital marketing firm New Waves based in Cairo.
Facebook also took action against this campaign, which was also detailed in another report from Graphika.
However, March has been Google's most active month, with TAG cracking down on five different influence operations.