Google has warned “high profile” Gmail users working for the US Government that they are potentially being targeted by Chinese state-sponsored threat actors with a phishing attack.
Google’s Threat Analysis Group (TAG) warned “multiple” people that APT31 (also known as Judgment Panda and Zirconium) was after their sensitive information, and that the phishing attacks were successfully blocked in their email services.
"In February, we detected an APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government," Google Threat Analysis Group's Director Shane Huntley noted.
Not linked to Ukraine
"Today, we sent those people who were targeted, government-backed attacker warnings. We don't have any evidence to suggest that this campaign was related to the current war in Ukraine."
Earlier this week, TAG also warned of Russian, Belarusian, and Chinese threat actors targeting Ukrainian and European government and military organization endpoints with “widespread” phishing and Distributed Denial of Service (DDoS) attacks.
"Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter," Huntley said in the report.
Huntley added that it’s hard to determine whether or not the attacks have anything to do with the situation in Ukraine.
Since 2012, Google has been sending out notifications to affected customers, whenever it spots attacks using infrastructure known to be linked to state-sponsored threat actors.
BleepingComputer reminds that Google TAG security engineer Ajax Bash announced the company sent out some 50,000 of these alerts last year. Of that number, almost a third (15,000) were linked to APT28, a threat actor that allegedly has strong ties to Russia’s General Staff Main Intelligence Directorate (GRU).
The last time APT31 made headlines, it was spotted targeting Russian-based organizations with phishing, after which it would distribute never-before-seen malware.
Daniil Koloskov, Senior Threat Analysis Specialist at Positive Technologies observed at the time, that the APT31 was particularly cunning in developing and deploying the malware. Not only did it employ various detection avoiding techniques, but it also self-destructed after accomplishing its goals, wiping all traces of the files and registry keys it created.
“In order to make the malicious library look like the original version, they named it MSVCR100.dll—the library with the exact same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, it contains as exports the names that can be found in the legitimate MSVCR100.dll,” said Koloskov.
- Here's our rundown of the best secure email providers right now
Via: BleepingComputer
