Russia-Linked Cyberspies Target Google Accounts

The notorious cyberespionage group Pawn Storm has targeted a significant number of Google accounts belonging to individuals in Russia, the United States, Europe and former Soviet Union countries.

The advanced persistent threat (APT) actor is also known as APT28, Fancy Bear, TG-4127, Strontium, Sofacy, Sednit and Tsar Team. It is one of the two supposedly Russian threat groups believed to have breached the systems of the U.S. Democratic National Committee (DNC).

Shortly after news broke that Russian hackers had targeted DNC systems, researchers at SecureWorks reported that Pawn Storm had attempted to steal credentials associated with nearly 4,000 Gmail accounts between October 2015 and May 2016. The list of targets included people working for or associated with the DNC and Hillary Clinton’s presidential campaign.

A new report published this week by SecureWorks details an earlier spear phishing campaign that targeted over 1,800 Google accounts. While many of them belonged to people in Russia and former Soviet Union states, some of the targets were current and former government and military personnel in the United States and Europe, and foreign authors and journalists interested in Russia.

“The range of targets demonstrates that the threat group poses a broad threat to individuals and groups associated with U.S. politics, to organizations and individuals in the government and defense verticals, and to those whose business involves commenting on Russia,” SecureWorks researchers noted.

In this campaign, attackers used a domain named “accoounts-google.com” to trick users into handing over their Google credentials. A link to this phishing website was disguised using the Bit.ly URL shortening service and sent via email to targeted individuals.
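A defender-side check for this pattern (a brand name in a lookalike host such as the "accoounts-google.com" lure, plus hops through a URL shortener), as an added example that is not from the article or SecureWorks' report. The protected-domain map and the shortener list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed lists: legitimate apex domains with the labels phishers
# typically imitate, and a few well-known URL-shortener hosts.
PROTECTED = {"google.com": ["accounts", "mail", "drive"]}
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance (insert, delete, substitute, swap)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def classify_url(url: str) -> str:
    """Label a URL as legitimate, shortener, lookalike, brand-abuse or unknown."""
    host = (urlparse(url).hostname or "").lower()
    if host in SHORTENERS:
        return "shortener"  # expand before judging; the real target is hidden
    for apex, labels in PROTECTED.items():
        if host == apex or host.endswith("." + apex):
            return "legitimate"
        brand = apex.split(".")[0]
        tokens = re.split(r"[.-]", host)  # treat '-' like '.' ("accoounts-google")
        if brand in tokens:
            for tok in tokens:
                for label in labels:
                    # A near-miss of a protected label (typo, doubled letter, swap)
                    if tok != label and edit_distance(tok, label) <= 2:
                        return "lookalike"
            return "brand-abuse"  # brand word outside its real apex
    return "unknown"
```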

An analysis of the targeted accounts revealed that Pawn Storm was mostly after information on Russia’s military involvement in eastern Ukraine. Attackers also attempted to hack into the accounts of journalists, advocacy groups and human rights organizations in Russia, and political, military and diplomatic targets in former Soviet countries.

Outside Russia and the former Soviet Union, attackers targeted military personnel, authors and journalists, NGOs, people involved in government and defense supply chains, government personnel, aerospace researchers, aviation professionals and political activists. A majority of the government and military targets were from the United States and NATO member countries.

Researchers discovered nearly 4,400 phishing URLs sent to the owners of more than 1,800 Google accounts between March and September 2015. An analysis of the URLs showed that 59 percent of them were clicked, but it’s unclear how many users actually took the bait.

While many of the accounts received multiple phishing URLs, roughly one-third of them were only targeted once and 60 percent of these recipients clicked the malicious link, which could indicate that they were successfully compromised.

Related: Pawn Storm Cyberspies Target German Ruling Party

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
