Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Russia-Linked Cyberspies Target Google Accounts

The notorious cyberespionage group Pawn Storm has targeted a significant number of Google accounts belonging to individuals in Russia, the United States, Europe and former Soviet Union countries.

The notorious cyberespionage group Pawn Storm has targeted a significant number of Google accounts belonging to individuals in Russia, the United States, Europe and former Soviet Union countries.

The advanced persistent threat (APT) actor is also known as APT28, Fancy Bear, TG-4127, Strontium, Sofacy, Sednit and Tsar Team. It is one of the two supposedly Russian threat groups believed to have breached the systems of the U.S. Democratic National Committee (DNC).

Shortly after news broke that Russian hackers had targeted DNC systems, researchers at SecureWorks reported that Pawn Storm had attempted to steal credentials associated with nearly 4,000 Gmail accounts between October 2015 and May 2016. The list of targets included people working for or associated with the DNC and Hillary Clinton’s presidential campaign.

A new report published this week by SecureWorks details an earlier spear phishing campaign that targeted over 1,800 Google accounts. While many of them belonged to people in Russia and former Soviet Union states, some of the targets were current and former government and military personnel in the United States and Europe, and foreign authors and journalists interested in Russia.

“The range of targets demonstrates that the threat group poses a broad threat to individuals and groups associated with U.S. politics, to organizations and individuals in the government and defense verticals, and to those whose business involves commenting on Russia,” SecureWorks researchers noted.

In this campaign, attackers used a domain named “” to trick users into handing over their Google credentials. A link to this phishing website was disguised using the URL shortening service and sent via email to targeted individuals.

An analysis of the targeted accounts revealed that Pawn Storm was mostly after information on Russia’s military involvement in eastern Ukraine. Attackers also attempted to hack into the accounts of journalists, advocacy groups and human rights organizations in Russia, and political, military and diplomatic targets in former Soviet countries.

Outside Russia and the former Soviet Union, attackers targeted military personnel, authors and journalists, NGOs, people involved in government and defense supply chains, government personnel, aerospace researchers, aviation professionals and political activists. A majority of the government and military targets were from the United States and NATO member countries.

Researchers discovered nearly 4,400 phishing URLs sent to the owners of more than 1,800 Google accounts between March and September 2015. An analysis of the URLs showed that 59 percent of them were clicked, but it’s unclear how many users actually took the bait.

While many of the accounts received multiple phishing URLs, roughly one-third of them were only targeted once and 60 percent of these recipients clicked the malicious link, which could indicate that they were successfully compromised.

Related: Pawn Storm Cyberspies Target German Ruling Party

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...