Google Blocks Russian Government Phishing Emails Targeting 14,000 Users

Picture: Leon Neal/Getty Photos

Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the web.

On Wednesday, Google alerted roughly 14,000 users that that they had been targets of Russian government sponsored hackers, according to a company employee.

Shane Huntley, the head of the Threat Analysis Group or TAG, Google’s anti-hacker team, wrote on Twitter that his staff had sent an “above average batch” of warnings. 

“These warnings indicate targeting NOT compromise. If we’re warning you there is a very high probability we blocked,” Huntley wrote in a thread on Thursday. “The increased numbers this month come from a small number of widely targeted campaigns which had been blocked.”

In a statement sent by a Google spokesperson, Huntley stated that the warnings had been related to a recent phishing campaign “targeting a large volume of Gmail users” by APT28, the Russian government hacking group responsible for some of the most high profile hacks of the last few years, together with the hack on the Hillary Clinton campaign and the Democratic National Committee in 2016. 

“100% of those emails had been automatically classified as spam and blocked by Gmail,” Huntley mentioned in the statement. “As we always do, we sent these individuals who had been targeted government backed attacker warnings. 

Google has been sending these types of warnings since 2012. In a 2018 blog, Huntley explained Google’s approach in terms of sending these warnings. The idea is to inform “a small minority of users in all corners of the world” that they’re being targeted by government hacking groups such as APT28 or others. At the time, Huntley stated that Google shows “thousands of those warnings each month.”

In other words, government hacking groups targeting Google users is now a part of life on the web. However the quantity in this case, and the fact that the 14,000 users had been all targeted by one group is what stands out. Furthermore, the campaign was global and targeted a broad group of individuals, together with journalists, and members of different NGOs and think tanks, according to Google. 

“This particular campaign comprised 86% of the batch of warnings we sent for this month,” Huntley mentioned in the statement. 

That is the bad news: Russian government hackers are ramping up their attacks. The good news: Google is catching them, blocking the phishing emails, and alerting the targets. The company’s goal is to make folks aware that they’re targets, while also encourage them to increase their defenses, such as using security keys instead of SMS or other less secure types of multi-factor authentication, or enrolling in the company’s Advanced Protection Program.

“So why do we do these government warnings then?” Huntley stated. “The warning really mostly tells folks you’re a potential target for the next attack so, now may be a great time to take some security actions.”

A tech worker from the US informed Motherboard that that they had received the warning on Wednesday.

The warning that the US tech worker received on Wednesday. (Picture: Motherboard)

“I was mildly alarmed,” the worker, who asked to remain anonymous as he did not need to attract more attention from hackers, informed Motherboard in an internet chat. 

The worker stated he was shocked to get the warning, as he does not think he does any sensitive work that will be interesting to government hackers. It is worth noting that this worker might not have been targeted in one of many campaigns led by APT28, however another government hacking group since Google stated not all of the notifications they sent had been associated to Russian government hackers. 

“I am a nobody,” he mentioned. “Definitely no fan of Putin’s Russia, however I can not imagine it’d be worth targeting small fry like me.”