Since the start of the year, journalists and news outlets have become preferred targets of government-backed cyber attackers, Google’s Threat Analysis Group (TAG) has noticed.

“For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation. In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email,” shared Toni Gidwani, a security engineering manager at TAG.

Government-backed attackers also target foreign policy experts – for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks – as well as government officials, dissidents and activists.

Protecting Google accounts

Aside from trying to deliver malware to compromise the targets’ computer and/or smartphone, the attackers are also trying to compromise their online accounts – repeatedly.

“In 2019, one in five accounts that received a [government-backed phishing or malware attack] warning was targeted multiple times by attackers. If at first the attacker does not succeed, they’ll try again using a different lure, different account, or trying to compromise an associate of their target,” Gidwani said, and boasted about the effectiveness of Google’s protections when it comes to phishing and account hijacking.

“We’ve yet to see people successfully phished if they participate in Google’s Advanced Protection Program (APP), even if they are repeatedly targeted,” she claimed.

Google’s APP provides additional account security for those who are at an elevated risk of targeted attacks, by: requesting the person logging in to have a specific physical security key (as well as the password and the second authentication factor), preventing untrusted third-party apps to access the account, providing added download protection, insisting on a stricter account recovery process, etc.

The attackers haven’t failed to notice the effectiveness of the protections, Gidwani says, and have slowed down their onslaught. “In 2019, we sent almost 40,000 warnings, a nearly 25 percent drop from 2018,” she noted.

Zero-days

Google’s TAG also discovers attacks and tracks attackers exploiting zero-day vulnerabilities in popular software – in 2019, they discovered zero-day vulnerabilities affecting Android, Chrome, iOS, Internet Explorer and Windows.

“Last year, TAG discovered that a single threat actor was capitalizing on five zero-day vulnerabilities,” she shared.

“Finding this many zero-day exploits from the same actor in a relatively short time frame is rare. The exploits were delivered via compromised legitimate websites (e.g. watering hole attacks), links to malicious websites, and email attachments in limited spear phishing campaigns. The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.”