The same Chinese government-linked hackers who targeted the campaigns of both 2020 presidential candidates earlier this year have been trying to trick users into installing malware by posing as the antivirus provider McAfee and using otherwise legitimate online services like GitHub and Dropbox.
Shane Huntley, the head of Google’s Threat Analysis Group, offered new details about the suspected state-sponsored cyberattackers, known as APT 31, and their latest tactics in a company blog post on Friday. In June, Google’s security team uncovered high-profile phishing scams by APT 31 and Iranian state-sponsored hackers intended to hijack the email accounts of campaign staffers with President Donald Trump and Democratic nominee Joe Biden. (All of these phishing attempts appeared to have failed, Google said at the time).
On Friday, Huntley said that one of APT 31's latest hacking techniques involved emailing links that would download malicious code hosted on the open-source platform GitHub. The malware was built using the Python computing language and “would allow the attacker to upload and download files as well as execute arbitrary commands” through Dropbox’s cloud storage services, he wrote.
“Every malicious piece of this attack was hosted on legitimate services, making it harder for defenders to rely on network signals for detection,” Huntley said.
Another phishing scam saw the group impersonating McAfee, a legitimate and popular antivirus software provider, as a facade to quietly slip malicious code onto the target’s machine.
“The targets would be prompted to install a legitimate version of McAfee anti-virus software from GitHub, while malware was simultaneously silently installed to the system.”
Google did not specify which organizations or individuals were targeted in these latest APT 31-sponsored attacks or whether they affected either candidate’s political campaign. The tech giant only said that it had seen “increased attention on the threats posed by APTs in the context of the U.S. election” and shared these latest findings with the Federal Bureau of Investigation.
“U.S government agencies have warned about different threat actors, and we’ve worked closely with those agencies and others in the tech industry to share leads and intelligence about what we’re seeing across the ecosystem,” Huntley said.
He added that in the event that Google’s anti-phishing safeguards detect a government-backed attack, the company sends the intended victim a warning explaining that a foreign government may be targeting them.
Google isn’t the only tech giant seeing an increase in cyberattacks ahead of the election. In September, Microsoft reported that Chinese, Russian, and Iranian government-backed hackers had launched similarly unsuccessful attacks on high-profile individuals associated with both the Trump and Biden campaigns. Last week, the FBI and U.S. Cybersecurity and Infrastructure Security Agency also released details about campaigns by foreign government-linked hackers to exploit federal, state, and local government networks.