Last year Google’s Threat Analysis Group (TAG) sent out almost 40,000 warnings to users whose accounts were targeted by government-backed phishing or malware attempts.
TAG works to counter targeted and government-backed hacking against the search giant and its users. While 40,000 warnings may seem like a lot, this figure actually represents almost a 25 percent drop in the number of warnings Google sent out in 2018.
The company credits its Advanced Protection Program (APP) as well as the fact that attackers’ efforts have slowed and they’re more deliberate in their hacking attempts as reasons behind the decline in warnings sent out last year.
After reviewing the phishing attempts that occurred since the beginning of this year, Google revealed that it has seen a rising number of attackers, including those from Iran and North Korea, impersonating news outlets or journalists. Often an attacker will impersonate a journalist to seed false stories with other reporters in an effort to spread disinformation, while in other cases attackers send several emails to build rapport with a journalist before sending a malicious attachment in a follow-up email.
Tracking zero-day vulnerabilities
Zero-day vulnerabilities are software flaws unknown to the vendor that attackers can exploit until they are identified and fixed. TAG actively hunts for these types of attacks because they are particularly dangerous and have a high rate of success.
In 2019 alone, TAG discovered zero-day vulnerabilities in a number of platforms and software including Android, Chrome, iOS, Internet Explorer and Windows. Recently the group was acknowledged for identifying a remote code execution vulnerability in Internet Explorer tracked as CVE-2020-0674.
Last year, TAG discovered that a single threat actor was leveraging five different zero-day vulnerabilities, which is quite rare within a relatively short time frame. The exploits were delivered using compromised legitimate websites, links to malicious websites and email attachments sent in spear-phishing campaigns. The majority of targets in these attacks were either from North Korea or individuals who worked on North Korea-related issues.
Toni Gidwani, security engineering manager of Google’s TAG, explained in a blog post that the group will continue tracking bad actors and sharing the information it uncovers, saying:
“Our Threat Analysis Group will continue to identify bad actors and share relevant information with others in the industry. Our goal is to bring awareness to these issues to protect you and fight bad actors to prevent future attacks. In a future update, we’ll provide details on attackers using lures related to COVID-19 and expected behavior we’re observing (all within the normal range of attacker activity).”