Google: We're sending out lots more phishing and malware attack warnings - here's why

Google's state-sponsored hacker alerts are outpacing last year's warnings by a big margin. Turn on multi-factor authentication, it warns.
Written by Liam Tung, Contributing Writer

Google's policy to send alerts to people with Google Accounts that are targeted by suspected state-sponsored hackers is getting a full work out in 2021. The company says it has already sent over 50,000 such warnings to users, marking a 33% increase from the same period in 2020. 

"So far in 2021, we've sent over 50,000 warnings, a nearly 33% increase from this time in 2020. This spike is largely due to blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear," Google security engineer and Threat Analysis Group (TAG) team member Ajax Bash notes in a blogpost

Shane Huntley from TAG tweeted on October 7 that the group had sent an "above average batch of government-backed security warnings yesterday". TAG sends warnings over phishing attempts and malware attacks. 

SEE: This new ransomware encrypts your data and makes some nasty threats, too

Google's suggestion that Kremlin-backed hackers are a major problem chimes with Microsoft's data that 58% of nation-state cyberattacks came from Russia over the past year

The US National Security Agency warned in July that APT28 had run a massive password-guessing campaign targeting US and European organizations for the past two years. 

APT28 was one of several nation-state groups using password attacks and exploiting Microsoft Exchange email server vulnerabilities tracked as CVE-2020-0688 and CVE-2020-17144. 

Google says it sends the warnings in batches to all users who may be at risk so as not to alert attackers to its defense strategies. 

"On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings," says Bash. 

Another nation-state hacker group that TAG is tracking closely is APT35, an Iranian group known for phishing attempts against high-value targets in government and defense. 

The group, also known as Charming Kitten or Phosphorus, has targeted victims in the Persian Gulf, Europe, and the US. APT35 has been actively targeting the US defense industry for years and Google disrupted the group's efforts to phish campaign staffers of Joe Biden and Donald Trump in the lead up to the 2020 US presidential election.   

Microsoft this week warned that 250 Office 365 customers in the US and Israeli defense technology sector were targeted with password-spraying attacks by a separate emerging Iranian threat it tracks as DEV-0343

"In early 2021, APT35 compromised a website affiliated with a UK university to host a phishing kit," notes Google's Bash. 

"Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices."

APT35 has been using the same methods since 2017 to target accounts in government, academia, journalism, NGOs, foreign policy, and national security. 

The group uploaded a bogus VPN app to Google's Play Store last May that could have been used to collect data from Android phones. However, Google says it removed the app before any users could install it. 

SEE: This is how Formula 1 teams fight off cyberattacks

Online video meetings have become essential in the pandemic and APT35 has adapted its phishing techniques to suit this, according to Google. 

"Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence," Bash noted. 

Those links often included link shorteners and click trackers, frequently embedded in PDF documents. The attacks abused Google Drive, Google Sites pages, Dropbox, Microsoft services, and messaging app Telegram.   

Like Microsoft, Google recommends Workspace admins and general users enable two-factor authentication or sign up to its Advanced Protection Program, which requires two-factor authentication. 

"Workspace administrators are also notified regarding targeted accounts in their domain. Users are encouraged to take these warnings seriously and consider enrolling in the Advanced Protection Program or enabling two-factor authentication if they haven't already," notes Bash.

Editorial standards