Hacker Threat: Google Confirms 40,000 Nation-State Cyber Attack Warnings Issued

Google’s Threat Analysis Group (TAG) is tasked with protecting the company, and those who use its services, against nation-state hacking attacks. One way it does this is by warning Google account holders if TAG has detected targeted activity from such threat actors. Across 2019, Google issued 40,000 of these warnings according to a new report from TAG security engineering manager, Toni Gidwani. And that, dear reader, is actually better news than you might think. The figures for 2018 were 25% higher, and Gidwani puts the drop down to Google protections disrupting the hacking activity. “Attackers’ efforts have been slowed down, and they’re more deliberate in their attempts,” Gidwani said, “meaning attempts are happening less frequently as attackers adapt.”

The evolution of nation-state hacking methods

While TAG might not be able to stop opportunistic hackers from tricking thousands into downloading dangerous fake Chrome updates, it can and does protect Google account holders from evolving nation-state hacker targeting. The methods by which these state-sponsored and advanced threat actors adapt are as interesting as they are worrying to note.

A TAG analysis of the phishing attempts used to initiate a targeted attack shows that especially as far as Iran and North Korea are concerned, impersonating journalists is becoming the order of the day. This comes with a double-whammy payload for nation-state attackers, whose motivation is often very different from your run of the mill cyber-criminal hacker.

Firstly, by setting up accounts purporting to belong to a reporter, the attackers can spread disinformation by seeding fake stories that get picked up by news outlets. The second part of the payload whammy involves using a phony journalist account to build email and social media relationships with both other journalists and “expert commentators” who are often well-connected in government policy terms. Most nation-state hackers are in this for the long haul and will happily spend extended periods doing the essential donkey work before launching their actual attack. After some time, once that trust has been established, the threat actors can launch the attack by, commonly, dropping a malicious attachment that will likely be opened as a result.

Foreign policy experts at greater risk

Gidwani warns that foreign policy experts are regularly in the crosshairs as their research can be valuable, as can their connections to other potential targets of future campaigns. Unsurprisingly, the TAG analysis also reveals that these threat actors were particularly persistent. I say this comes as no surprise as the Advanced Persistent Threat (APT) classification is most often applied to nation-state groups. Google reports that 20% of the accounts that were warned of such attack targeting received multiple such warnings.

Google Advanced Protection Program

A pleasant surprise, however, comes in the revelation that none of those who have signed up to Google’s Advanced Protection Program (APP) are known to have been successfully attacked. This being the case even if they have been targeted multiple times. As someone who has enrolled in this program myself, it’s good to know that the additional account protections this provides to those at the highest risk of attack are working. Other protections that include mandatory two-factor verification using a physical security key, or the key built-into a smartphone running Android 7+ or iOS 10+, and only allowing Google and a handful of third-party apps access to emails and Google Drive files. Even SIM-swapping, a favored account takeover attack methodology, is covered by the APP as there are extra steps involved in the account recovery process to verify identity.

Tracking down the zero-day vulnerability threat

And then are the zero-day vulnerabilities which TAG attempts to track down as they are so treasured by state-sponsored hackers. “When we find an attack that takes advantage of a zero-day vulnerability,” Gidwani said, “We report the vulnerability to the vendor and give them seven days to patch or produce an advisory, or we release an advisory ourselves.” In 2019, TAG identified zero-days impacting Android, Chrome, iOS, Internet Explorer and Windows. The most recent being Internet Explorer, which I reported on back in January after the U.S. Government issued a warning about the risk to users. Apparently, one single threat actor was found to be hoarding zero-days by TAG, five in all. Given the scarcity and value of a single zero-day, this is quite remarkable in and of itself. The U.S. and Israeli state-sponsored attack on the Iranian Natanz nuclear plant in 2010, deploying the now-infamous Stuxnet worm, employed four zero-days and that was an unprecedented number at the time. It remains pretty special a decade on, truth be told, so whoever was using five in attacks against North Korean, or individuals connected with North Korea, targets must have been very motivated indeed.

TAG is coming for the COVID-19 scammers next

The TAG report concludes with a warning for nation-state hackers: “Our Threat Analyst Group will continue to identify bad actors and share relevant information with others in the industry. Our goal is to bring awareness to these issues to protect you and fight bad actors to prevent future attacks.” And what is TAG working on next? Details of those attackers using COVID-19 lures during this global health emergency.