San Francisco, NFAPost: Google’s Threat Analysis Group (TAG) said it is tracking more than 270 government-backed threat actors from more than 50 countries, adding that it has sent roughly 50,000 alerts of state-sponsored phishing or malware attempts to customers so far this year.
Google’s Threat Analysis Group (TAG), which tracks actors involved in disinformation campaigns, government-backed hacking, and financially motivated abuse, is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries.
In a blog post, Google TAG analyst Ajax Bash said the company has a long-standing policy of sending users a warning if it detects that their account is a target of government-backed phishing or malware attempts.
“So far in 2021, we’ve sent over 50,000 warnings, a nearly 33% increase from this time in 2020. This spike is largely due to blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear,” said Google TAG analyst Ajax Bash.
The company said it intentionally sends these warnings in batches to all users who may be at risk, rather than at the moment it detects the threat itself, so that attackers cannot track its defense strategies.
“On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings,” said Google TAG analyst Ajax Bash.
The figure includes both cyber-surveillance operations and disinformation campaigns, Google said in the report. When attacks performed by these groups include phishing emails, Google said it also sends email alerts to the targeted Gmail users.
Among the most notable campaigns Google disrupted this year was one from a different government-backed attacker: APT35, an Iranian group that regularly conducts phishing campaigns targeting high-risk users.
“This is one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers. For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government,” states Google TAG analyst Ajax Bash.
At the beginning of this year, Google said APT35 used this technique to hijack a website affiliated with a UK university. The hackers then wrote emails to users on Gmail, Hotmail, and Yahoo with an invitation link to a fake webinar and even sent second-factor identification codes to targets’ devices.
“Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices,” said Google TAG analyst Ajax Bash, referring to a campaign documented earlier this year.
APT35 has relied on this technique since 2017 — targeting high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security. Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – as they know it’s difficult for users to detect this kind of attack.
To protect users from these attacks, Google said Workspace administrators are also notified about targeted accounts in their domain. “Users are encouraged to take these warnings seriously and consider enrolling in the Advanced Protection Program or enabling two-factor authentication if they haven’t already,” states Google.
Google also blocks malicious domains using Google Safe Browsing – a service that Google’s security team built to identify unsafe websites across the web and notify users and website owners of potential harm.
When a user of a Safe Browsing-enabled browser or app attempts to access unsafe content on the web, they’ll see a warning page explaining that the content they’re trying to access may be harmful. When a site identified by Safe Browsing as harmful appears in Google Search results, Google shows a warning next to it in the results.
The tech giant also said that the Threat Analysis Group will continue to identify bad actors and share relevant information with others in the industry, with the goal of bringing awareness to these issues, protecting users and fighting bad actors to prevent future attacks.