Government-backed hackers intent on spreading malware and disinformation online are masquerading increasingly as members of the press, according to new claims by Google’s threat analysis group. The team, known as TAG, tracks state-sponsored hackers and works to uncover zero-days that could undermine its users’ security worldwide. Its latest report focuses largely on state-sponsored phishing campaigns.
TAG security engineer Toni Gidwani wrote on Thursday that her team had issued nearly 40,000 warnings to users worldwide in 2019, a 25 percent drop from the previous year. She attributed the slide, in part, to Google’s own advancements in security, which she claimed are now forcing foreign hackers to be “more deliberate in their attempts.”
Among the trends recognized by TAG in recent months, state-sponsored hackers are increasingly portraying themselves as journalists online, Gidwani wrote, fingering Iran and North Korea as top offenders. The goal in some cases is to spread disinformation. But masquerading as journalists or even news outlets also allows hackers to “seed false stories” among legitimate news sources.
In other cases, according to Gidwani, foreign hackers have apparently attempted to “build a rapport with a journalist or foreign policy expert” with the goal of convincing them to open a nasty email attachment. State-sponsored hackers “regularly target foreign policy experts for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks,” Gidwani said.
What’s more, TAG offered an update in its efforts to track Sandworm, a supposedly Russia-nexus threat group that Google first caught spreading Android malware in South Korea in 2017. TAG’s work aided the company in detecting the malware on Google Play where Sandworm had uploaded several of its own apps. Sandworm is also known for targeting industrial control systems, particularly in Ukraine. An attack on Ukraine’s energy grid in 2016, for example, left one-fifth of Kiev’s residents temporarily without power.
Sandworm is credited with the 2018 Olympics cyberattack known as “Olympic Destroyer,” described in great detail by long-time Wired reporter Andy Greenberg in his 2019 book Sandworm.
TAG’s update on the group’s activities includes a graph mapping out its most heavily targeted sectors over time.
Another unidentified group of hackers made use of five zero-day vulnerabilities to target North Koreans last year, according to TAG. The attacks were carried out by exploiting flaws in Internet Explorer, Chrome, and Windows.
“TAG actively hunts for these types of attacks because they are particularly dangerous and have a high rate of success, although they account for a small number of the overall total,” Gidwani wrote. (TAG’s blog includes a breakdown of the specific vulnerabilities used in the attacks on North Koreans, only a few thousand of which are believed to have any kind of online access.)
According to Gidwani, TAG plans to release a future update describing cyberattacks linked to the coronavirus outbreak, which has killed nearly 27,000 people worldwide, according to the Center for Systems Science and Engineering at Johns Hopkins University.