Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks , DDoS Protection

Google Offers Fresh Details on China-Linked Hacking Group

Analysis Shines Light on Group that Targeted Biden's Campaign Offices
Google Offers Fresh Details on China-Linked Hacking Group

A report issued from Google's Threat Analysis Group offers fresh details about the Chinese-linked hacking group that targeted Democratic presidential candidate Joe Biden's campaign with phishing emails earlier this year.

See Also: Global State of Identities: Optimizing Identity Proofing

In June, Google released an analysis that found an advanced persistent threat group called APT31 had targeted the Biden campaign offices with phishing emails, although these attacks did not prove successful. That report also found an Iranian-backed group used similar techniques against President Donald Trump's campaign (see: Google: Phishing Attacks Targeted Trump, Biden Campaigns).

In the new report, Google TAG notes that APT31, which is also known as Zirconium, used GitHub to host malware and also utilized Dropbox as the command-and-control infrastructure all to avoid detection and hide from security tools.

"Every malicious piece of this attack was hosted on legitimate services, making it harder for defenders to rely on network signals for detection," Shane Huntley, head of Google's Threat Analysis Group, notes in the report.

As it did when the phishing campaigns against the Biden and Trump campaigns were first detailed in June, Google has shared this information with the FBI. Overall, Google sent over 10,000 warnings about government-backed threats in the third quarter of this year, noting an increase in activity that has targeted political campaigns.

In the final two weeks before the November election, the amount of nation-state activity that targets the campaigns of Biden, Trump and others is likely to increase, making this a crucial time for cybersecurity measures, says Chris Pierson, CEO and founder of security firm BlackCloak.

"Over the past four years, this attention has only picked up with target profiling activities starting early, regardless of party or candidate," Pierson tells Information Security Media Group. "As races enter the final stretch, this attention only increases, the targeted phishing and other attacks increase and the focus on reputational risks becomes more a target of opportunity."

APT31 Details

In their new report, the Google TAG researchers note that the phishing emails from APT 31 contained malicious links that, if clicked, would attempt to download malware hosted on GitHub.

The malware was a Python-based implant that, if installed, would allow the hackers to upload and download files as well as execute arbitrary commands, according to the report. The malicious code would also connect to the command-and-control server hosted on Dropbox

In one case, the phishing emails came disguised as updates from security firm McAfee that urged the targeted victim to install updated security software, the report states.

Phishing email disguised as McAfee update (Source: Google)

"The targets would be prompted to install a legitimate version of McAfee anti-virus software from GitHub, while malware was simultaneously silently installed to the system," according to the Google report.

Tom Kellermann, the head of cybersecurity strategy at VMware who served as a cybersecurity adviser to former President Barack Obama, notes that the Google report shines a light on the capabilities of groups such as APT31.

"APT 31 has dramatically improved their kill-chain by using Python and leveraging GitHub for distribution," Kellermann tells ISMG.

Other hacking groups linked to China have also sought to use legitimate cloud services as a way to disguise their activities. In September, Microsoft announced that it had removed 18 apps from its Azure cloud computing platform that were being used by a Chinese hacking group called Gadolinium as part of its command-and-control infrastructure to help launch phishing email attacks (see: Microsoft Shutters Azure Apps Used by China-Linked Hackers).

DDoS Threats

The Google report also notes that the company is tracking increases in distributed denial-of-service attacks over the last several months. The FBI and the U.S. Cybersecurity and Infrastructure Security Agency have also warned about an uptick in DDoS activity that could affect the November election (see: FBI, CISA Warn of DDoS Attacks Targeting November Election).

"While it’s less common to see DDoS attacks rather than phishing or hacking campaigns coming from government-backed threat groups, we’ve seen bigger players increase their capabilities in launching large-scale attacks in recent years," according to the Google TAG report.

Google also disclosed that it fended off a 2.54 TB per second DDoS attack in 2017 that is likely the largest publicly disclosed DDoS attack ever reported. In February, Amazon Web Services reported a 2.3 TB per second DDoS attack (see: European Bank Targeted in Massive Packet-Based DDoS Attack).

List of largest DDoS attacks recorded (Source: Google)

"Our infrastructure absorbed a 2.5 Tbps DDoS in September 2017, the culmination of a six-month campaign that utilized multiple methods of attack" Damian Menscher, a security reliability engineer with Google noted in a separate report. "Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact."

The Google report noted that the 2017 DDoS attack appeared to originate with four Chinese internet service providers, and the operation behind the attack appeared well funded.

Ivan Righi, cyber threat intelligence analyst with security firm Digital Shadows, notes that these types of DDoS are likely to increase. "Most recently, threats have also evolved to a higher level with the introduction of DDoS extortion campaigns," Righi tells ISMG. "These campaigns consist of threat actors demanding bitcoin payments from victims and threatening them with impending DDoS attacks. It is realistically possible that we could see these types of threats increase in the future."

Managing Editor Scott Ferguson contributed to this report.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.