Google says it has seen a drop in the number of warnings sent for potential government-backed phishing or malware attempts last year, mainly due to improved protection systems.
For several years, the company has been alerting users when identifying accounts that appear to be targeted by state-sponsored attackers, and in 2019 it sent nearly 40,000 such warnings. The number, however, represents a 25% decline compared to 2018.
“One reason for this decline is that our new protections are working—attackers’ efforts have been slowed down and they’re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt,” Google says.
The countries targeted the most in 2019 include the United States, South Korea, India, Pakistan, and Vietnam, each with more than 1,000 targeted users.
In recent months, the Internet giant observed an increase in the number of attackers who impersonate news outlets or journalists, and says that even adversaries from Iran and North Korea are adopting this tactic.
The threat actors would impersonate a journalist to seed false stories with other reporters and spread disinformation, or would send benign emails to build trust with a journalist or foreign policy expert, and then send a malicious attachment, Google notes.
Foreign policy experts are often targeted by state-sponsored threat actors for their research, for access to organizations, or to connect with researchers or policymakers for subsequent attacks. Government-backed attackers mainly focus on geopolitical rivals, government officials, journalists, dissidents and activists.
According to Google, targeted accounts are often hit more than once: one in five accounts that received warnings in 2019 was targeted multiple times. The attackers launch repeated attempts using different lures and accounts, or try to compromise an associate of their target if the initial attempt fails.
Some of the attacks leverage zero-day vulnerabilities, which increases their chances of success. Although they make up a small number of the overall state-sponsored phishing attempts, these attacks are considered particularly dangerous.
Zero-day vulnerabilities found being exploited in these attacks are immediately reported to the affected vendors, with a 7-day grace period to deliver a patch or publish an advisory, after which the Internet giant makes information on the vulnerability public.
In 2019, zero-day vulnerabilities were discovered in Android, Chrome, iOS, Internet Explorer and Windows, and Google identified a single threat actor capitalizing on five such security flaws.
“Finding this many zero-day exploits from the same actor in a relatively short time frame is rare. […] The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues,” Google says.
Vulnerabilities that Google’s security researchers discovered last year include ones affecting Internet Explorer (CVE-2019-0676, CVE-2019-1367 and CVE-2019-1429), Chrome (CVE-2019-5786) and the Windows kernel (CVE-2019-0808).