Google Warns 14,000 Gmail Users Targeted By Russian Hackers

Google has warned about 14,000 of its users about being targeted in a state-sponsored phishing campaign from APT28, a threat group that has been linked to Russia.

The campaign was detected in late September and accounts for a larger than usual batch of Government-Backed Attack notifications that Google sends to targeted users every month.

Also Read: In Case You Didn’t Know, ISO 27001 Requires Penetration Testing

Fancy Bear phishing

Shane Huntley, who is at the helm of Google’s Threat Analysis Group (TAG) that responds to government-backed hacking, notes that the higher-than-usual number of alerts this month comes from “from a small number of widely targeted campaigns which were blocked.”

The campaign from APT28, also known as Fancy Bear, lead to a larger number of warnings for Gmail users across various industries.

In a statement sent by a Google spokesperson, Huntley says that Fancy Bear’s phishing campaign accounts for 86% of all the batch warnings delivered this month.

He explains that these notifications indicate targeting of the recipient, not a compromise of their Gmail account.

“So why do we do these government warnings then? The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions” – Shane Huntley

Huntley says that these warnings are normal for individuals such as activists, journalists, government officials, or people that work national security structures because that’s who government-backed entities are targeting.

Also Read: How Does Ransomware Work? Examples and Defense Tips

All the phishing emails from the Fancy Bear campaign were blocked by Gmail and did not land in the users’ inboxes as they were automatically classified as spam.

“As we’ve previously explained, we intentionally send these notices in batches, rather than at the moment we detect the threat itself, so that attackers cannot track some of our defense strategies,” Huntley said.

APT28 has been operating since at least 2004 on behalf of Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.

The group is typically engaged in data theft and espionage activity. Among its more recent targets are members of the Bundestag, the German federal parliament, and of the Norwegian Parliament.

Google’s goal with these alerts is to inform individuals that they are being targeted so they can improve defenses. The company’s recommendation is to enroll in the Advanced Protection Program for work and personal email.