National Security

Google sees persistent foreign cyber targeting of US elections, COVID-19 research

Google on Friday said it continues to see foreign cyber targeting directed at individuals and campaigns involved in upcoming U.S. elections, along with efforts to target groups involved in COVID-19 research and treatment. 

Shane Huntley, a member of Google’s Threat Analysis Group (TAG), wrote in a blog post that the company had seen Chinese cyber group Advanced Persistent Threat 31 (APT31) deploy targeted malware campaigns and phishing emails at campaign staffers. He added that an Iranian group, known as APT35, is also using phishing emails to target staffers. 

Some phishing emails targeting officials on President Trump’s and former Vice President Joe Biden’s campaigns contained tracking links or efforts to steal credentials from the individual. 

The malware campaign by the Chinese-linked APT31 group involved emailing malicious links that would download malware hosted on GitHub. The links in some cases led to a page posing as computer security company McAfee that would prompt individuals to install the company’s antivirus software, ultimately downloading both the software and the hidden malware.

“Every malicious piece of this attack was hosted on legitimate services, making it harder for defenders to rely on network signals for detection,” Huntley wrote.

He emphasized that Google had not seen any evidence that the targeting of campaign staffers had been successful. 

This is not the first alert Huntley has put out about Trump and Biden staffers being targeted by foreign hackers. 

“Recently TAG saw China APT group targeting Biden campaign staff & Iran APT targeting Trump campaign staff with phishing,” Huntley tweeted in June. “No sign of compromise. We sent users our govt attack warning and we referred to fed law enforcement.”

Huntley wrote Friday that the activity was “consistent” with what other groups, such as Microsoft, had seen from foreign adversaries targeting elections over the past few months. Microsoft warned in September that Russian, Chinese and Iranian groups were targeting U.S. elections, including attacks against the Trump and Biden campaigns. 

Huntley noted that any actor suspected of being involved in a government-backed attack that is detected by Google is sent a warning, and information on the attempted hacking operations is shared with the FBI and the campaigns targeted. Google sent around 1,300 fewer warnings in the third quarter of 2020 as compared to the first quarter, when it sent more than 12,000 warnings.  

Google has taken steps to address some of the malicious activity, including removing 14 accounts linked to Ukrainian member of Parliament Andrii Derkach after he was sanctioned by the U.S. Treasury Department in September for attempting to undermine U.S. elections. 

William Evanina, the director of the National Counterintelligence and Security Center, cited Derkach in an August assessment that warned that Russia, China and Iran were actively seeking to interfere in the presidential election. 

Evanina alleged that Derkach was “spreading claims about corruption — including through publicizing leaked phone calls — to undermine former Vice President Biden’s candidacy and the Democratic Party.”

Huntley wrote Friday that “overall, we’ve seen increased attention on the threats posed by APTs in the context of the U.S. election. U.S government agencies have warned about different threat actors, and we’ve worked closely with those agencies and others in the tech industry to share leads and intelligence about what we’re seeing across the ecosystem.”

Huntley also gave an update on coordinated influence operations, with the threat researcher emphasizing that TAG had “not identified any significant coordinated influence campaigns targeting, or attempting to influence, U.S. voters on our platforms.”

Google did take action to remove content connected to a Chinese group spreading influence posts in relation to China’s handling of COVID-19, the protests in Hong Kong and more recently U.S. current events such as wildfires on the West Coast and protests on racial justice issues. 

Beyond elections, Huntley also noted that Google had seen ongoing targeting by Chinese, Russian and Iranian threat actors against groups connected to the COVID-19 pandemic, including pharmaceutical companies and researchers developing vaccines. 

More recently, Huntley said his group had seen North Korean hackers also pivot to targeting these types of groups, including some based in South Korea, through the use of phishing emails. In some cases, the attackers posed as recruiting professionals to trick individuals into downloading malware, while in other cases the attackers impersonated webmail portals to steal email credentials.

Groups involved in COVID-19 research and treatment have become major targets over the past months during the ongoing coronavirus pandemic. 

Hospitals and health care systems have been hit by these threats, with systems at hundreds of hospitals in the Universal Health Services network temporarily crashing earlier this month. Major organizations such as the World Health Organization and the U.S. Department of Health and Humans Services, along with pharmaceutical groups including Gilead Sciences Inc., have also been hit by cyberattacks in connection to the pandemic.

Google previously warned of international hackers targeting the health care sector in April, when Huntley wrote in a previous blog post that the company had tracked at least a dozen government-backed hacking groups “using COVID-19 themes as lure for phishing and malware attempts—trying to get their targets to click malicious links and download files.”