Major events such as the US elections and the Coronavirus (COVID-19) pandemic present opportunities for threat actors, and Google’s Threat Analysis Group (TAG) works to thwart these threats and protect the company’s products and the people who use them. As the US election approaches, Google wanted to share an update on what it is seeing and how threat actors are changing their tactics.
Google and the US elections:
In June, Google reported phishing attempts against the personal email accounts of staff on the Biden and Trump campaigns by Chinese and Iranian APTs respectively. Google has not seen any evidence that these attempts succeeded.
The Iranian attacker group (APT35) and the Chinese attacker group (APT31) targeted the personal emails of campaign staff with phishing emails and emails containing tracking links.
One APT31 campaign relied on emailed links that ultimately led to malware downloads hosted on GitHub. The malware was a Python-based implant that used Dropbox for command and control, allowing the attacker to upload and download files and execute arbitrary commands. Every malicious component of the attack was hosted on legitimate services, making it difficult for defenders to rely on network signals to detect it.
For example, the attackers impersonated McAfee: targets were prompted to install a legitimate copy of McAfee anti-virus from GitHub, while the malware was silently installed on the system at the same time.
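Because GitHub and Dropbox traffic passes most network allow-lists, the detection opportunity in a case like this is which process is talking to the trusted service, not the destination alone. The following added example (illustrative code, not Google's or TAG's) correlates constructed endpoint telemetry: a process that is not the vendor's own Dropbox client using the Dropbox API is flagged, and the alert is escalated when the same host fetched something from GitHub shortly before. The domains, paths and process names are assumptions for the constructed data set.

```python
"""Endpoint-side detection of C2 over a trusted cloud service (illustrative)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: (timestamp, host, process image, destination host)
TELEMETRY = [
    ("2020-10-16T09:00:05", "ws-17", r"C:\Program Files\Dropbox\Client\Dropbox.exe", "api.dropboxapi.com"),
    ("2020-10-16T09:01:10", "ws-42", r"C:\Program Files\Mozilla Firefox\firefox.exe", "github.com"),
    ("2020-10-16T09:01:40", "ws-42", r"C:\Users\jdoe\AppData\Local\Temp\mcafee_setup.exe", "update.mcafee.com"),
    ("2020-10-16T09:02:03", "ws-42", r"C:\Users\jdoe\AppData\Local\Temp\py\python.exe", "content.dropboxapi.com"),
    ("2020-10-16T09:30:00", "ws-09", r"C:\Users\asmith\AppData\Local\Programs\Python\python.exe", "api.dropboxapi.com"),
]

# Assumed domain sets: the service abused for C2 and the service used for delivery.
C2_CAPABLE_SERVICES = {"api.dropboxapi.com", "content.dropboxapi.com"}
DELIVERY_SERVICES = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Only the vendor's own client is expected to speak the Dropbox API directly (assumed path).
EXPECTED_CLIENTS = {r"c:\program files\dropbox\client\dropbox.exe"}
WINDOW = timedelta(minutes=10)


def detect(events=TELEMETRY, window=WINDOW):
    """Return one alert per unexpected process using a C2-capable service.

    Severity is 'high' when the host also fetched from GitHub within `window`
    beforehand (the staging pattern described above), otherwise 'medium'.
    """
    last_delivery = defaultdict(lambda: None)  # host -> time of last GitHub fetch
    alerts = []
    for ts, host, image, dest in sorted(events):
        t = datetime.fromisoformat(ts)
        if dest in DELIVERY_SERVICES:
            last_delivery[host] = t
            continue
        if dest not in C2_CAPABLE_SERVICES or image.lower() in EXPECTED_CLIENTS:
            continue  # benign destination, or the legitimate Dropbox client
        seen = last_delivery[host]
        staged = seen is not None and t - seen <= window
        alerts.append({
            "host": host, "image": image, "dest": dest,
            "severity": "high" if staged else "medium",
            "reason": "non-client process using Dropbox API"
                      + (" after recent GitHub download" if staged else ""),
        })
    return alerts


if __name__ == "__main__":
    for a in detect():
        print(a["severity"].upper(), a["host"], a["image"], "->", a["dest"], "|", a["reason"])
```

In production the process image would come from EDR or Sysmon network-connection events and the allow-list of expected clients would be maintained per vendor; the correlation logic is what matters.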
When Google detects that a user is the target of a government-backed attack, it sends them a prominent warning; in these cases the search giant also shared its findings with the campaigns and the FBI.
In general, increased interest in the threats posed by APTs has been seen in the context of the US election. US government agencies have warned about various threat actors, and Google has worked closely with those agencies and with others in the tech industry to share leads and intelligence about what it sees across the ecosystem. This has led to actions on its own platforms and beyond. Shortly after the US Treasury Department imposed sanctions on Ukrainian member of parliament Andrii Derkach for attempting to influence the US election process, Google removed 14 accounts associated with him from its platforms.
Coordinated Influence Operations:
The search giant has shared its actions against coordinated influence operations in its quarterly TAG bulletins (see the Q1, Q2 and Q3 updates). So far, however, TAG has not identified any large, coordinated influence campaigns targeting or attempting to influence US voters on Google platforms.
Since last summer TAG has tracked a large, China-linked spam network attempting to run an influence operation, mainly on YouTube. The network has a presence across multiple platforms and operates mainly by acquiring or hijacking existing accounts and posting spammy Mandarin-language content such as videos of animals, music, food, plants, sports and games. A small portion of these spam channels post videos about current events, and these videos often feature computer-generated subtitles and voice-overs.
Researchers at Graphika and FireEye have described in detail how this network behaves, including its shift from posting Mandarin content about Hong Kong and China’s response to COVID-19 to adding a small subset of English and Mandarin content about current events in the United States, such as the racial-justice protests, the West Coast wildfires and the US response to the Coronavirus (COVID-19).
Google has taken an aggressive approach to identifying and removing this content: in the third quarter alone, its Trust and Safety teams terminated more than 3,000 YouTube channels. As a result, the network has not been able to build an audience.
Most of the videos Google identified have fewer than 10 views, and most of those views appear to come from related spam accounts rather than real users. So while this network posts frequently, the majority of its content is spam, and the search giant has not seen it effectively reach a real audience on YouTube. Google’s findings on this network were shared in its TAG bulletins for the second and third quarters.
COVID-19 Targeting:
As the trajectory of the COVID-19 pandemic evolves, threat actors have been seen to evolve their tactics as well. This summer, threat actors from China, Russia and Iran were observed targeting pharmaceutical companies and researchers involved in vaccine development efforts.
In September, Google began seeing several North Korean groups shift their targeting towards COVID-19 researchers and pharmaceutical companies, including those in South Korea. One campaign used URL shorteners and impersonated the target’s webmail portal in an attempt to harvest email credentials. In a separate campaign, the attackers posed as recruiters to lure targets into downloading malware.
Tackling DDoS Attacks as an Industry:
Different types of attacks serve different purposes: phishing campaigns can use highly personalised lures that trick people into actions such as clicking a link to a malicious program, while DDoS attacks disrupt or completely block a website or service. Although DDoS attacks from government-backed threat groups are less common than phishing or hacking campaigns, Google has seen major actors increase their capacity to launch large-scale attacks in recent years. For example, in 2017 Google’s Security Reliability Engineering team measured a record-breaking UDP amplification attack originating from several Chinese internet service providers (ASNs 4134, 4837, 58453 and 9394), which remains the largest bandwidth attack Google knows of.
Addressing state-sponsored DDoS attacks requires a coordinated response from the internet community, and Google works with others to identify and dismantle the infrastructure used to carry them out.
It is worth noting that Google sent more than 33,000 alerts to its users during the first three quarters of 2020 to warn of state-sponsored phishing attacks targeting their accounts.