Google’s Threat Analysis Group (TAG) said that APT31 was behind the campaign. The targeted users were informed about the campaign after they were auto-blocked and marked as spam by Gmail’s defenses. This revelation comes shortly after Google released information on phishing and DDoS attacks against Ukrainian government and military organizations. However, it is not clear if the campaign against U.S. Government personnel is related to the Ukraine invasion.
Google Catches the Phishing Attempt
Google’s TAG issues periodic warnings to the public about ongoing cybercrime campaigns, especially those that affect Google services. According to TAG director, Shane Huntley, the group discovered the campaign in February. They sent the targeted users specialized warnings that signaled a government-backed attack on Tuesday, March 8. According to Google, these attacks usually target fewer than 0.1% of its users. Huntley added that TAG sends such warnings in batches, instead of sending one immediately. Doing so allows Google to protect its defensive strategies from being tracked.
Recent Warnings to Ukrainian and European Organizations
Earlier this week, Google warned military and government organizations in Ukraine about an uptick in cyberattacks against U.S. networks and systems. Google TAG has issued several warnings to Ukrainian users over the last 12 months, stating that a large part of the attacks originate in Russia. “Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to phishing campaigns,” Huntley said in a Google blog post. However, Huntley has clarified that Google TAG does not have any evidence suggesting the campaign against U.S. Government officials has ties to the activity in Ukraine.
Receive a Warning from Google? Here’s What To Do
Most phishing campaigns are designed to target a wide group of people or entire organizations. Here, the attacker tries to impersonate someone who the user may know, in order to trick them into disclosing sensitive information or clicking on malicious links. When state-backed hackers are involved, these attacks raise a higher degree of alarm. The attackers may be trying to gain access to sensitive government network infrastructure, or to snoop on confidential communications. You can read our guide on phishing to learn more about these attacks and how to protect yourself. Huntley has urged users who have received a warning to enroll in Google’s Advanced Protection Program for work and personal emails. It offers the highest level of protection that Google offers. He also recommends that other high-risk individuals, like journalists, celebrities, CEOs, or politicians, enroll in the program.
