Google Says State-Sponsored Hackers Target Journalists by Posing as One of Them

By Dell Cameron on at

Government-backed hackers are impersonating journalists in attempts to spread malicious email attachments and disinformation amongst newsreaders, according to Google’s own elite team of hackers.

Oft-described as Google’s internal “counterespionage” agency, the Threat Analysis Group (TAG) tracks cybercriminals and spies operating on behalf of governments while working to unearth critical vulnerabilities outside Google. The group’s latest report focuses largely on state-sponsored phishing campaigns, an overwhelming majority of which target user credentials.

TAG security engineer Toni Gidwani wrote on Thursday that her team had issued nearly 40,000 warnings to users worldwide in 2019, a 25 per cent drop from the previous year. Gidwani attributes that slide, in part, to Google’s own security enhancements, which are forcing hackers to be “more deliberate in their attempts”, she said.

Amongst the trends recognised by TAG in recent months, state-sponsored hackers are increasingly portraying themselves as journalists online, according to Gidwani, who named Iran and North Korea as top offenders. The goal in some cases is to spread propaganda. Masquerading as journalists and news outlets, the hackers attempt to “seed false stories” among legitimate news sources.

In other cases, Gidwani writes, the hackers attempt to “build a rapport with a journalist or foreign policy expert” with the goal of convincing them to open malicious email attachments. “Government-backed attackers regularly target foreign policy experts for their research, access to the organisations they work with, and connection to fellow researchers or policymakers for subsequent attacks,” she said.

TAG also provided an update on its efforts to track Sandworm, a Russia-nexus threat group that Google first caught spreading Android malware in South Korea in 2017. TAG’s work aided the company in detecting the malware on Google Play where Sandworm had uploaded several of its own apps. Sandworm is also known for targeting industrial control systems, particularly in Ukraine. An attack on Ukraine’s energy grid in 2016, for example, left one-fifth of Kiev’s residents temporarily without power.

Sandworm, also known as Iridium or Hades, was also behind the 2018 cyberattack on the Olympics – known as “Olympic Destroyer” – which has been linked to the GRU, Russia’s military intelligence agency. (The attack is described in great detail in a 2019 book also called Sandworm written by long-time Wired reporter Andy Greenberg.)

TAG’s update on the group’s activities includes a graph mapping out its most heavily targeted sectors over time.

Graphic: Google Threat Analysis Group

Another unidentified group of hackers made use of five zero-day vulnerabilities to target North Koreans last year, according to TAG. The attacks were carried out by exploiting flaws in Internet Explorer, Chrome and Windows.

“TAG actively hunts for these types of attacks because they are particularly dangerous and have a high rate of success, although they account for a small number of the overall total,” Gidwani wrote. (TAG’s blog includes a breakdown of the specific vulnerabilities used in the attacks on North Koreans, only a few thousand of which are believed to have any kind of online access.)

According to Gidwani, TAG plans to release a future update describing cyberattacks linked to the coronavirus outbreak, which has killed nearly 27,000 people worldwide, according to the Centre for Systems Science and Engineering at Johns Hopkins University.

Featured photo: Getty