
Russia-Linked Cyberspies Target Google Accounts

The notorious cyberespionage group Pawn Storm has targeted a significant number of Google accounts belonging to individuals in Russia, the United States, Europe and former Soviet Union countries.

The advanced persistent threat (APT) actor is also known as APT28, Fancy Bear, TG-4127, Strontium, Sofacy, Sednit and Tsar Team. It is one of the two supposedly Russian threat groups believed to have breached the systems of the U.S. Democratic National Committee (DNC).

Shortly after news broke that Russian hackers had targeted DNC systems, researchers at SecureWorks reported that Pawn Storm had attempted to steal credentials associated with nearly 4,000 Gmail accounts between October 2015 and May 2016. The list of targets included people working for or associated with the DNC and Hillary Clinton’s presidential campaign.

A new report published this week by SecureWorks details an earlier spear phishing campaign that targeted over 1,800 Google accounts. While many of them belonged to people in Russia and former Soviet Union states, some of the targets were current and former government and military personnel in the United States and Europe, and foreign authors and journalists interested in Russia.

“The range of targets demonstrates that the threat group poses a broad threat to individuals and groups associated with U.S. politics, to organizations and individuals in the government and defense verticals, and to those whose business involves commenting on Russia,” SecureWorks researchers noted.

In this campaign, attackers used a domain named “” to trick users into handing over their Google credentials. A link to this phishing website was disguised using the URL shortening service and sent via email to targeted individuals.

An analysis of the targeted accounts revealed that Pawn Storm was mostly after information on Russia’s military involvement in eastern Ukraine. Attackers also attempted to hack into the accounts of journalists, advocacy groups and human rights organizations in Russia, and political, military and diplomatic targets in former Soviet countries.

Outside Russia and the former Soviet Union, attackers targeted military personnel, authors and journalists, NGOs, people involved in government and defense supply chains, government personnel, aerospace researchers, aviation professionals and political activists. A majority of the government and military targets were from the United States and NATO member countries.

Researchers discovered nearly 4,400 phishing URLs sent to the owners of more than 1,800 Google accounts between March and September 2015. An analysis of the URLs showed that 59 percent of them were clicked, but it’s unclear how many users actually took the bait.

While many of the accounts received multiple phishing URLs, roughly one-third of them were only targeted once and 60 percent of these recipients clicked the malicious link, which could indicate that they were successfully compromised.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
