Google Says Russian APT Targeting Journalists, Politicians
Company Outlines Added Security for High-Profile Users, Announces 2FA Enrollment
Some 14,000 Google users were warned of being suspected targets of Russian government-backed threat actors on Thursday. The next day, the tech giant announced cybersecurity updates - particularly for email accounts of high-profile users, including politicians and journalists.
APT28, aka Fancy Bear, a threat group linked to Russia, has reportedly escalated its attempts to target high-profile individuals. This particular campaign, first identified in September, spurred a Government-Backed Attack notification to Google users this week, with confirmation from Shane Huntley, who heads Google's Threat Analysis Group, or TAG, the team that tracks and responds to state-sponsored hacking.
Huntley confirmed that the Fancy Bear phishing activity was blocked by Gmail and classified as spam. Google has recommended that targeted users enroll in its Advanced Protection Program for all accounts.
Erich Kron, a former security manager for the U.S. Army’s 2nd Regional Cyber Center, tells ISMG: "Nation-state-backed APTs are nothing new and will continue to be a significant menace … as cyberwarfare is simply a part of modern geopolitics."
'Widely Targeted Campaigns'
In his Twitter thread on Thursday, Huntley wrote, "TAG sent an above average batch of government-backed security warnings. … Firstly these warnings indicate targeting NOT compromise. … The increased numbers this month come from a small number of widely targeted campaigns which were blocked."
Huntley wrote, "The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions. … If you are an activist/journalist/government official or work in NatSec, this warning honestly shouldn't be a surprise. At some point some govt. backed entity probably will try to send you something."
Calling high-profile email accounts a "gold mine," Alec Alvarado, a former intelligence officer for the U.S. Army Reserve, says, "APT28, and pretty much the entire threat landscape, continues to target email because it remains a point of weakness."
About 'Fancy Bear'
According to MITRE ATT&CK, APT28 has operated since at least 2004 on behalf of Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, military unit 26165.
The group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in order to interfere with the U.S. presidential election, the profile indicates. Five GRU Unit 26165 officers were indicted by the U.S. in 2018 for alleged cyber operations conducted between 2014 and 2018 against several organizations, including a U.S. nuclear facility.
Kron, currently a security awareness advocate for the firm KnowBe4, says of the activity, "In this world of high-tech exploits that allow these APTs to move around networks silently and to elevate system permissions to the highest levels, the most common method of initial infiltration remains the simple, but effective, phishing email."
Google's Security Keys
Following the news of Fancy Bear's reported targeting of high-profile individuals, Google said in a blog post Friday that cybersecurity features in its APP program will protect against certain attacks, and that it was partnering with organizations to distribute 10,000 free security keys to higher-profile individuals. The keys are hardware two-factor authentication devices that users tap to confirm a login attempt flagged as suspicious.
Grace Hoyt, Google's partnerships manager, and Nafis Zebarjadi, its product manager for account security, write that Google's APP program is updated to respond to emerging threats - and available to all users, but recommended for elected officials, political campaigns, activists and journalists. APP guards against phishing, malware, malicious downloads and unauthorized access.
Alvarado, currently the threat intelligence team lead at the security firm Digital Shadows, says, "Although Google's actions are certainly a step in the right direction … the old saying, 'Where there is a will, there is a way,' still applies. … These [security] keys will undoubtedly make an attacker's job more difficult, but there are plenty of other options and vulnerabilities for [threat actors] to achieve their goals."
KnowBe4's Kron also warns, "These security keys, while useful in their own limited scope, do not stop phishing emails from being successful. They only help when an attacker already has access to, or a way to bypass, the username and password for the email account being targeted."
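The two quotes above make a point worth seeing in code: a security key is not a spam filter, it acts only at the moment a stolen password is used. The following Go program is an added teaching model of the FIDO2/WebAuthn challenge-response that hardware keys implement; it is not Google's code and not the page's own. It assumes a simplified relying party (`RelyingParty`) and authenticator (`SecurityKey`) with constructed names, a hypothetical site ID `accounts.example` and a hypothetical lookalike `accounts-example.test`. Two properties carry the defensive value: the key holds a separate key pair per site ID and will not answer for a site it was never registered with, and the site ID the browser observed is bound into every signature, so an assertion obtained through a lookalike page cannot be replayed against the real site even when the attacker already has the password.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecurityKey models the authenticator: one key pair per relying-party ID (rpID).
// Constructed teaching model of the WebAuthn flow, not a real authenticator.
type SecurityKey struct {
	creds map[string]*ecdsa.PrivateKey // rpID -> private key; never leaves the device
}

func NewSecurityKey() *SecurityKey {
	return &SecurityKey{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh P-256 key pair scoped to rpID and returns only the public half.
func (k *SecurityKey) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// signedMessage is what the key signs: the rpID the browser observed plus the server's challenge.
// Binding the rpID is what makes a relayed assertion useless elsewhere.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator so rpID and challenge cannot be re-split
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert is the "tap": the browser supplies the rpID of the page that asked for it.
func (k *SecurityKey) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := k.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// RelyingParty models the server: stored password, registered public key, outstanding challenge.
type RelyingParty struct {
	ID        string
	passwords map[string]string
	pubKeys   map[string]*ecdsa.PublicKey
	pending   map[string][]byte // user -> single-use challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, passwords: map[string]string{},
		pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user, password string, pub *ecdsa.PublicKey) {
	rp.passwords[user] = password
	rp.pubKeys[user] = pub
}

// BeginLogin checks the first factor and issues a random challenge for the second.
func (rp *RelyingParty) BeginLogin(user, password string) ([]byte, error) {
	if rp.passwords[user] != password {
		return nil, errors.New("bad password")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// FinishLogin verifies the assertion against the site's own ID and consumes the challenge.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) bool {
	challenge, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user) // single use: a replayed assertion fails here
	pub := rp.pubKeys[user]
	if pub == nil {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}

// LegitimateLogin: the user is on the real site, so the browser reports rp.ID to the key.
func LegitimateLogin(rp *RelyingParty, key *SecurityKey, user, password string) bool {
	c, err := rp.BeginLogin(user, password)
	if err != nil {
		return false
	}
	sig, err := key.Assert(rp.ID, c)
	if err != nil {
		return false
	}
	return rp.FinishLogin(user, sig)
}

// PhishedLogin: the attacker already holds the password (the precondition Kron describes),
// starts the real login, and relays the challenge through a lookalike page. The browser
// reports the lookalike rpID, so the key either refuses or signs something the real site rejects.
func PhishedLogin(rp *RelyingParty, key *SecurityKey, user, stolenPassword, lookalikeRPID string) bool {
	c, err := rp.BeginLogin(user, stolenPassword)
	if err != nil {
		return false
	}
	sig, err := key.Assert(lookalikeRPID, c)
	if err != nil {
		return false
	}
	return rp.FinishLogin(user, sig)
}

func main() {
	key := NewSecurityKey()
	rp := NewRelyingParty("accounts.example") // hypothetical site ID
	pub, _ := key.Register(rp.ID)
	rp.Enroll("alice", "hunter2", pub) // constructed sample user
	fmt.Println("legitimate login:", LegitimateLogin(rp, key, "alice", "hunter2"))
	fmt.Println("relayed via lookalike:", PhishedLogin(rp, key, "alice", "hunter2", "accounts-example.test"))
}
```

Run with `go run .`; the legitimate login prints `true` and the relayed one `false`. The model deliberately leaves out attestation, user-presence flags and counters, which real authenticators add; the site-scoped credential and the origin-bound, single-use signature are the two mechanisms that make the second factor hold even after the password is gone.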
On its efforts to distribute 10,000 security keys, Google says it has aligned with the International Foundation for Electoral Systems, an organization that promotes democracy; the UN Women Generation Equality Action Coalition for Technology and Innovation; and the nonprofit, nonpartisan organization Defending Digital Campaigns.
As part of its partnership with the IFES, Google says it has shared free security keys with journalists in the Middle East and female activists across Asia.
Through UN Women, Google says it is offering security workshops for UN chapters and organizations supporting women in journalism, politics and activism, and those in the C-Suite.
The tech giant's partnership with Defending Digital Campaigns, it says, has provided 180 security keys to federal campaigns since 2020. The work has now extended to state races and political parties, Google says.
Auto-Enrollment in 2FA
AbdelKarim Mardini, Google's group product manager for Chrome, and Guemmy Kim, its director of account security and safety, wrote in a blog post Tuesday that by the end of 2021, Google also plans to auto-enroll some 150 million additional users in two-factor authentication - and require 2 million YouTubers to do the same.
"We know that having a second form of authentication dramatically decreases an attacker's chance of gaining access to an account," Mardini and Kim write. "Two-step verification [is] one of the most reliable ways to prevent unauthorized access."
In May, Google said it would soon begin automatically enrolling users in 2-Step Verification if their accounts were appropriately configured.
Google said this week it is auto-enrolling Google accounts with the "proper backup mechanisms in place" to transition to 2SV. It also said 2 billion devices worldwide now automatically support its verification technology.