Google Offers Fresh Details on China-Linked Hacking GroupAnalysis Shines Light on Group that Targeted Biden's Campaign Offices
A report issued from Google's Threat Analysis Group offers fresh details about the Chinese-linked hacking group that targeted Democratic presidential candidate Joe Biden's campaign with phishing emails earlier this year.
In June, Google released an analysis that found an advanced persistent threat group called APT31 had targeted the Biden campaign offices with phishing emails, although these attacks did not prove successful. That report also found an Iranian-backed group used similar techniques against President Donald Trump's campaign (see: Google: Phishing Attacks Targeted Trump, Biden Campaigns).
In the new report, Google TAG notes that APT31, which is also known as Zirconium, used GitHub to host malware and also utilized Dropbox as the command-and-control infrastructure all to avoid detection and hide from security tools.
"Every malicious piece of this attack was hosted on legitimate services, making it harder for defenders to rely on network signals for detection," Shane Huntley, head of Google's Threat Analysis Group, notes in the report.
New updates from TAG in today's post https://t.co/oUXkAMQ4UF Includes DDOS attacks from China, COVID-19 targeting from North Korea and a large spam network conducting coordinated influence operation. Thanks @t_gidwani @billyleonard & team.— Shane Huntley (@ShaneHuntley) October 16, 2020
As it did when the phishing campaigns against the Biden and Trump campaigns were first detailed in June, Google has shared this information with the FBI. Overall, Google sent over 10,000 warnings about government-backed threats in the third quarter of this year, noting an increase in activity that has targeted political campaigns.
In the final two weeks before the November election, the amount of nation-state activity that targets the campaigns of Biden, Trump and others is likely to increase, making this a crucial time for cybersecurity measures, says Chris Pierson, CEO and founder of security firm BlackCloak.
"Over the past four years, this attention has only picked up with target profiling activities starting early, regardless of party or candidate," Pierson tells Information Security Media Group. "As races enter the final stretch, this attention only increases, the targeted phishing and other attacks increase and the focus on reputational risks becomes more a target of opportunity."
In their new report, the Google TAG researchers note that the phishing emails from APT 31 contained malicious links that, if clicked, would attempt to download malware hosted on GitHub.
The malware was a Python-based implant that, if installed, would allow the hackers to upload and download files as well as execute arbitrary commands, according to the report. The malicious code would also connect to the command-and-control server hosted on Dropbox
In one case, the phishing emails came disguised as updates from security firm McAfee that urged the targeted victim to install updated security software, the report states.
"The targets would be prompted to install a legitimate version of McAfee anti-virus software from GitHub, while malware was simultaneously silently installed to the system," according to the Google report.
Tom Kellermann, the head of cybersecurity strategy at VMware who served as a cybersecurity adviser to former President Barack Obama, notes that the Google report shines a light on the capabilities of groups such as APT31.
"APT 31 has dramatically improved their kill-chain by using Python and leveraging GitHub for distribution," Kellermann tells ISMG.
Other hacking groups linked to China have also sought to use legitimate cloud services as a way to disguise their activities. In September, Microsoft announced that it had removed 18 apps from its Azure cloud computing platform that were being used by a Chinese hacking group called Gadolinium as part of its command-and-control infrastructure to help launch phishing email attacks (see: Microsoft Shutters Azure Apps Used by China-Linked Hackers).
The Google report also notes that the company is tracking increases in distributed denial-of-service attacks over the last several months. The FBI and the U.S. Cybersecurity and Infrastructure Security Agency have also warned about an uptick in DDoS activity that could affect the November election (see: FBI, CISA Warn of DDoS Attacks Targeting November Election).
"While it’s less common to see DDoS attacks rather than phishing or hacking campaigns coming from government-backed threat groups, we’ve seen bigger players increase their capabilities in launching large-scale attacks in recent years," according to the Google TAG report.
Google also disclosed that it fended off a 2.54 TB per second DDoS attack in 2017 that is likely the largest publicly disclosed DDoS attack ever reported. In February, Amazon Web Services reported a 2.3 TB per second DDoS attack (see: European Bank Targeted in Massive Packet-Based DDoS Attack).
"Our infrastructure absorbed a 2.5 Tbps DDoS in September 2017, the culmination of a six-month campaign that utilized multiple methods of attack" Damian Menscher, a security reliability engineer with Google noted in a separate report. "Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact."
The Google report noted that the 2017 DDoS attack appeared to originate with four Chinese internet service providers, and the operation behind the attack appeared well funded.
Ivan Righi, cyber threat intelligence analyst with security firm Digital Shadows, notes that these types of DDoS are likely to increase. "Most recently, threats have also evolved to a higher level with the introduction of DDoS extortion campaigns," Righi tells ISMG. "These campaigns consist of threat actors demanding bitcoin payments from victims and threatening them with impending DDoS attacks. It is realistically possible that we could see these types of threats increase in the future."
Managing Editor Scott Ferguson contributed to this report.