To thwart Russian hackers, here’s how Google is beefing up its security


Alexander Boero

May 05, 2022 at 2:15 p.m.



Screenshot of one of the phishing campaigns targeting Ukrainian users (© Google)

Google’s Threat Analysis Group is closely monitoring cyber activity in Eastern Europe directly related to the war in Ukraine.

Since the beginning of the war in Ukraine, Google has mobilized its cybersecurity researchers to try to protect the infrastructure and the population there from cyber attacks carried out by foreign actors, often state actors. Over the past month, Google’s Threat Analysis Group (TAG) has observed an increase in the number of malicious actors using the war as a decoy to launch phishing and malware distribution campaigns.

Critical infrastructure increasingly targeted

Google’s cyber branch explains that actors affiliated with the governments of China, Russia, Iran and North Korea have, in recent weeks and months, used various themes related to the war in Ukraine to push targets into opening emails containing malicious attachments or links.

For several weeks, attackers have increasingly targeted entities from industries like gas, oil, manufacturing and telecommunications, all of which house critical infrastructure.

Among the threat groups and actors, we find APT28, also known as Fancy Bear. Affiliated with the General Intelligence Directorate of the Russian General Staff, it targets Ukrainian users with a new variant of malware. The malware is distributed as a .NET executable inside password-protected zip files attached to emails. Once executed, it steals cookies and saved passwords from the Chrome, Firefox and Edge browsers, then exfiltrates the data to a compromised email account.
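The delivery chain described above (an executable inside a password-protected zip attachment) can be spotted at the mail gateway without extracting anything, because the zip central directory records both the entry names and the encryption flag. The following is an added defensive example, not code from Google or from the article: it inspects an attachment's central directory and flags password-protected archives that carry an executable. The helper that hand-assembles the sample zip exists only because Python's zipfile writer never sets the encryption bit; the sample data is constructed and its "encrypted" payload is not actually enciphered.

```python
import io
import posixpath
import struct
import zipfile
import zlib
from dataclasses import dataclass, field

# Extensions that run as native or managed code on Windows; a .NET assembly
# is a PE file and therefore carries one of these too.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl",
                         ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta", ".lnk"}

ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0: entry is password-protected


@dataclass
class ZipVerdict:
    is_zip: bool = False
    encrypted_entries: list = field(default_factory=list)
    executable_entries: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_zip_attachment(data: bytes) -> ZipVerdict:
    """Read only the central directory of an attachment; never extract it."""
    verdict = ZipVerdict()
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return verdict  # not a zip at all; leave it to other scanners
    verdict.is_zip = True
    for info in archive.infolist():
        if info.flag_bits & ZIP_FLAG_ENCRYPTED:
            verdict.encrypted_entries.append(info.filename)
        ext = posixpath.splitext(info.filename)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            verdict.executable_entries.append(info.filename)
    if verdict.encrypted_entries and verdict.executable_entries:
        verdict.reasons.append("password-protected archive carrying an executable")
    elif verdict.executable_entries:
        verdict.reasons.append("archive carries an executable")
    elif verdict.encrypted_entries:
        verdict.reasons.append("password-protected archive (content cannot be scanned)")
    return verdict


def build_sample_zip(entries):
    """Hand-assemble a minimal STORED zip (constructed test data only).

    entries: list of (name, payload, encrypted) tuples. The encryption flag
    is set in the headers but the payload is left as-is, which is enough to
    exercise the central-directory check above.
    """
    out = io.BytesIO()
    central = []
    for name, payload, encrypted in entries:
        fname = name.encode("utf-8")
        flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = out.tell()
        # local file header: sig, version, flags, method, time, date(1980-01-01),
        # crc, compressed size, uncompressed size, name length, extra length
        out.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                              crc, len(payload), len(payload), len(fname), 0))
        out.write(fname)
        out.write(payload)
        # central directory header for the same entry
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                                   0, 0, 0x21, crc, len(payload), len(payload),
                                   len(fname), 0, 0, 0, 0, 0, offset) + fname)
    cd_offset = out.tell()
    cd = b"".join(central)
    out.write(cd)
    # end of central directory record
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                          len(cd), cd_offset, 0))
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip([("document.exe", b"MZ" + b"\x00" * 16, True)])
    print(triage_zip_attachment(sample))
```

Because only the headers are parsed, the check works on archives whose contents antivirus cannot open; the password-protected-plus-executable combination is the strongest signal, and a password-protected archive on its own is still worth holding for review since nothing downstream can scan it.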

Several malicious groups operate in Ukraine and the region

Another particularly active group is Turla. Although attached to Russia's FSB (the Federal Security Service), it conducts its campaigns against the Baltic countries, particularly targeting cyber and defense organizations in the region. Typically, the group sends a booby-trapped email containing a link that tricks the user into opening a DOCX file hosted on attacker-controlled infrastructure; once opened, the document attempts to download a PNG file from that same infrastructure.

COLDRIVER, also known as Callisto, uses Gmail accounts to send credential phishing emails to both Google accounts and other accounts. Based in Russia, the group behind COLDRIVER aims more at institutional targets, such as politicians, government officials, NGOs, think tanks and journalists. Typically, it sends phishing links in emails that redirect users to PDF or DOC files hosted on Google Drive and Microsoft OneDrive, but which in turn contain a link to an attacker-controlled domain. The Mountain View firm says it has blocked the domains involved through Google Safe Browsing, its service for identifying dangerous websites.
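Both the Turla chain (a link to an attacker-hosted DOCX) and the COLDRIVER chain (a link to a PDF or DOC on Google Drive or OneDrive that relays to an attacker domain) start with a URL in the message body. The following is an added triage example, not code from the article or from Google: it parses a raw MIME message, pulls the URLs out of its text and HTML parts, and tags those that point at cloud document shares or at a direct Office/PDF download, skipping hosts the analyst already trusts. The host list, the trusted-domain set and the sample message are assumptions constructed for the example.

```python
import email
import html
import re
from email import policy
from urllib.parse import urlparse

# Cloud document-sharing hosts a lure can point at; the hosted document looks
# harmless and carries the onward link to the attacker's domain. Assumed list.
CLOUD_DOC_HOSTS = {"drive.google.com", "docs.google.com",
                   "onedrive.live.com", "1drv.ms"}
OFFICE_DOC_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def extract_urls(raw_message: bytes) -> list:
    """Return the distinct URLs found in the text/plain and text/html parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text = html.unescape(part.get_content())  # undo &amp; etc. in HTML
            urls.extend(URL_RE.findall(text))
    return list(dict.fromkeys(urls))  # de-duplicate, keep first-seen order


def classify_url(url: str) -> list:
    """Tag a URL with the lure patterns it matches (empty list = nothing notable)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    tags = []
    if host in CLOUD_DOC_HOSTS or host.endswith(".sharepoint.com"):
        tags.append("cloud-hosted document share")
    if path.endswith(OFFICE_DOC_EXTENSIONS):
        tags.append("direct download of an Office/PDF document")
    if parsed.scheme.lower() == "http":
        tags.append("plaintext http")
    return tags


def triage_links(raw_message: bytes, trusted_domains) -> dict:
    """Map each notable URL in the message to its tags, ignoring trusted hosts."""
    report = {}
    for url in extract_urls(raw_message):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in trusted_domains):
            continue
        tags = classify_url(url)
        if tags:
            report[url] = tags
    return report


# Constructed sample message (not a real campaign artefact).
SAMPLE_EMAIL = b"""\
From: sender@example.org
To: analyst@example.com
Subject: Updated briefing document
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please review the briefing: https://drive.google.com/file/d/EXAMPLEID/view
Our site: https://example.com/about

--b1
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://files.example.net/briefing.docx">open the briefing</a>.</p>
--b1--
"""

if __name__ == "__main__":
    for url, tags in triage_links(SAMPLE_EMAIL, {"example.com"}).items():
        print(url, "->", ", ".join(tags))
```

A tag here is a reason to fetch the document in a sandbox and inspect the link it carries, not a verdict on its own: legitimate business mail also points at Drive and OneDrive, so the rule earns its keep mainly when combined with sender reputation and the trusted-domain exclusions.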


Screenshot of phishing campaigns targeting Ukrainian users (© Google)

Among the other groups, Google mentions the intense activity of the Belarusian actor Ghostwriter, which targets Gmail and Facebook accounts held by high-risk people in Ukraine, and of the Curious Gorge group, attached to China and the Strategic Support Force of the People’s Liberation Army, which attacks military, governmental and logistics organizations located in Ukraine, Russia and Central Asia.


Source : Google Blog
