
Russia-Linked Cyberspies Target Google Accounts

The notorious cyberespionage group Pawn Storm has targeted a significant number of Google accounts belonging to individuals in Russia, the United States, Europe and former Soviet Union countries.


The advanced persistent threat (APT) actor is also known as APT28, Fancy Bear, TG-4127, Strontium, Sofacy, Sednit and Tsar Team. It is one of the two supposedly Russian threat groups believed to have breached the systems of the U.S. Democratic National Committee (DNC).

Shortly after news broke that Russian hackers had targeted DNC systems, researchers at SecureWorks reported that Pawn Storm had attempted to steal credentials associated with nearly 4,000 Gmail accounts between October 2015 and May 2016. The list of targets included people working for or associated with the DNC and Hillary Clinton’s presidential campaign.

A new report published this week by SecureWorks details an earlier spear phishing campaign that targeted over 1,800 Google accounts. While many of them belonged to people in Russia and former Soviet Union states, some of the targets were current and former government and military personnel in the United States and Europe, and foreign authors and journalists interested in Russia.

“The range of targets demonstrates that the threat group poses a broad threat to individuals and groups associated with U.S. politics, to organizations and individuals in the government and defense verticals, and to those whose business involves commenting on Russia,” SecureWorks researchers noted.

In this campaign, attackers used a domain named “accoounts-google.com” to trick users into handing over their Google credentials. A link to this phishing website was disguised using the Bit.ly URL shortening service and sent via email to targeted individuals.
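For defenders triaging links pulled from mail bodies, the lookalike pattern described above can be checked mechanically. The following is an added example, not code from SecureWorks or from the article; the watch tokens, the one-edit threshold, the shortener list and the sample URLs (other than the phishing domain quoted above) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy values for this example, not taken from the SecureWorks report.
BRAND_DOMAIN = "google.com"
WATCH_TOKENS = ("accounts", "google")
SHORTENERS = {"bit.ly"}  # shortened links hide the real host until expanded


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, near-match tokens) for one URL from a mail body."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in SHORTENERS:
        return "expand-first", []  # resolve the redirect in a sandbox, then re-check
    if host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN):
        return "legitimate", []
    # Split on dots and hyphens so "accoounts-google.com" yields both tokens.
    tokens = [t for t in re.split(r"[.-]", host) if t]
    near = [t for t in tokens
            if any(edit_distance(t, w) <= 1 for w in WATCH_TOKENS)]
    brand_hit = any(edit_distance(t, "google") <= 1 for t in tokens)
    return ("lookalike" if brand_hit else "unrelated"), near


if __name__ == "__main__":
    # Constructed sample URLs; only the second host appears in the article.
    for u in ("https://bit.ly/EXAMPLE",
              "http://accoounts-google.com/ServiceLogin",
              "https://accounts.google.com/signin",
              "https://www.example.org/news"):
        print(u, "->", classify_url(u))
```

A verdict of "expand-first" means the check has to be repeated on the redirect target, since the shortened link itself carries no brand tokens.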

An analysis of the targeted accounts revealed that Pawn Storm was mostly after information on Russia’s military involvement in eastern Ukraine. Attackers also attempted to hack into the accounts of journalists, advocacy groups and human rights organizations in Russia, and political, military and diplomatic targets in former Soviet countries.

Outside Russia and the former Soviet Union, attackers targeted military personnel, authors and journalists, NGOs, people involved in government and defense supply chains, government personnel, aerospace researchers, aviation professionals and political activists. A majority of the government and military targets were from the United States and NATO member countries.


Researchers discovered nearly 4,400 phishing URLs sent to the owners of more than 1,800 Google accounts between March and September 2015. An analysis of the URLs showed that 59 percent of them were clicked, but it’s unclear how many users actually took the bait.

While many of the accounts received multiple phishing URLs, roughly one-third of them were only targeted once and 60 percent of these recipients clicked the malicious link, which could indicate that they were successfully compromised.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
