Threat Analysis Group

Updates about government-backed hacking and disinformation

On any given day, Google's Threat Analysis Group (TAG) is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. Our team of analysts and security experts is focused on identifying and stopping issues like phishing campaigns, zero-day vulnerabilities and hacking against Google, our products and our users. Today, we’re sharing recent findings on government-backed phishing, threats and disinformation, as well as a new bulletin to share information about actions we take against accounts that we attribute to coordinated influence campaigns. 

Hacking and phishing attempts 

Last month, we sent 1,755 warnings to users whose accounts were targets of government-backed attackers. 

pasted image 0 (1).png

Distribution of the targets of government-backed phishing attempts in April 2020

Generally, 2020 has been dominated by COVID-19. The pandemic has taken center stage in people’s everyday lives, in the international news media, and in the world of government-backed hacking. Recently, we shared information on numerous COVID-themed attacks discovered and confirmed by our teams. We continue to see attacks from groups like Charming Kitten on medical and healthcare professionals, including World Health Organization (WHO) employees. And as others have reported, we’re seeing a resurgence in COVID-related hacking and phishing attempts from numerous commercial and government-backed attackers.

As one example, we've seen new activity from “hack-for-hire” firms, many based in India, that have been creating Gmail accounts spoofing the WHO. The accounts have largely targeted business leaders in financial services, consulting, and healthcare corporations within numerous countries including, the U.S., Slovenia, Canada, India, Bahrain, Cyprus, and the UK. The lures themselves encourage individuals to sign up for direct notifications from the WHO to stay informed of COVID-19 related announcements, and link to attacker-hosted websites that bear a strong resemblance to the official WHO website. The sites typically feature fake login pages that prompt potential victims to give up their Google account credentials, and occasionally encourage individuals to give up other personal information, such as their phone numbers. 

pasted image 0 (2).png

Example of a spoofed WHO Newsletter sign-up prompt

To help protect users against these kinds of tracks, our Advanced Protection Program (APP) utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings. APP was designed specifically for high-risk accounts.  

Coordinated influence operations 

Government-backed or state-sponsored groups have different goals in carrying out their attacks: Some are looking to collect intelligence or steal intellectual property; others are targeting dissidents or activists, or attempting to engage in coordinated influence operations and disinformation campaigns. Our products are designed with robust built-in security features, like Gmail protections against phishing and Safe Browsing in Chrome, but we still dedicate significant resources to developing new tools and technology to help identify, track and stop this kind of activity. In addition to our internal investigations, we work with law enforcement, industry partners, and third parties like specialized security firms to assess and share intelligence. 

When we find attempts to conduct coordinated influence operations on our platforms, we work with our Trust & Safety teams to swiftly remove such content from our platforms and terminate these actors’ accounts. We take steps to prevent possible future attempts by the same actors, and routinely exchange information and share our findings with others in the industry. We’ve also shared occasional updates about this kind of activity, and today we’re introducing a more streamlined way of doing this via a new, quarterly bulletin to share information about actions we take against accounts that we attribute to coordinated influence campaigns (foreign and domestic). Our actions against coordinated influence operations from January, February and March can be found in the Q1 Bulletin

Since March, we’ve removed more than a thousand YouTube channels that we believe to be part of a large campaign and that were behaving in a coordinated manner. These channels were mostly uploading spammy, non-political content, but a small subset posted primarily Chinese-language political content similar to the findings of a recent Graphika report. We’ll also share additional removal actions from April and May in the Q2 Bulletin. 

Our hope is that this new bulletin helps others who are also working to track these groups, such as researchers studying this issue, and we hope these updates can help confirm findings from security firms and others in the industry. We will also continue to share more detailed analysis of vulnerabilities we find, phishing and malware campaigns that we see, and other interesting or noteworthy trends across this space.