Google sent over 50,000 warnings of state-sponsored attacks, +33% from same period in 2020

Google revealed to have sent roughly 50,000 alerts of state-sponsored phishing or hacking attempts to customers since January.

Google announced to have sent roughly 50,000 alerts of state-sponsored phishing or hacking attempts to customers during 2021. The data were provided by Google’s Threat Analysis Group (TAG), which tracks government-backed hacking campaign, which warns of a significant increase in the number of the alert compared to the previous year.

“So far in 2021, we’ve sent over 50,000 warnings, a nearly 33% increase from this time in 2020. This spike is largely due to blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear.” wrote Ajax Bash, a Google security engineer from the TAG.

The Google TAG sends warnings in batches to all users who may be exposed to attacks from nation-state actors, the group avoids providing real-time alerts that could allow threat actors to determine the defense strategy implemented by the IT giant.

Most significant campaigns targeting Google users were orchestrated by Russia-linked APT28 group (aka Fancy Bear) and the Iran-linked APT35 (aka Charming Kitten) group.

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of APT28s’ campaigns leveraged spear-phishing and malware-based attacks.

This specific campaign accounted for 86% of the batch of warnings that the Google team sent out for this month.

Google said to have blocked almost any spear-phishing messages sent by the APT38 group to Gmail customers.

Google researchers also warned of an intense activity associated with the APT35 group this year, the nation-state group was behind malware based attacks, account hijacking, and cyberespionage campaigns aimed at gathering intelligence for the Teheran government. In early 2021, the APT35 group compromised site affiliated with a UK university to deploy a phishing kit use to target Gmail, Hotmail, and Yahoo users.

Threat actors also used malicious apps disguised as legitimate VPN software available on the Google Play Store and third-party platforms to deliver malware between May 2020 and July 2021.

The Iran-linked APT35 group also used conference-themed phishing emails to target Gmail users, they used the Munich Security and the Think-20 (T20) Italy conferences as lures. The group also started using Telegram for operator notifications. The nation state actors embed Javascript into phishing pages that notify them when the page has been loaded.

Google shared indicators associated with the hacking activities conducted by the two state-sponsored hacker groups.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

[adrotate banner=”5″]

[adrotate banner=”13″]