Written by Sean Lyngaas

A criminal hacking group concentrated in Pakistan has in recent months carried out a string of attacks on American, British, Russian, and Spanish governmental organizations, according to new research from cybersecurity company Palo Alto Networks.

The hacking collective known as the Gorgon Group “has been performing criminal operations against targets across the globe, often using shared infrastructure with their targeted attack operations,” Palo Alto Networks’ threat intelligence arm, Unit 42, said in a blog post Thursday.

The group has been targeting foreign government agencies operating in Pakistan, partly through malware-laced Microsoft Word documents, the researchers found. “The spear phishing emails involved in this campaign would most often originate from Gmail accounts masquerading as legitimate individuals, such as a prominent lieutenant colonel in the Pakistani military,” they wrote. It is unclear if the attackers are all based in Pakistan, but they claim to be through online personas, according to the research.

The attackers are unsophisticated but effective. Gorgon Group meticulously tracks how often its payloads are clicked on via common URL shortening tools, according to Unit 42. Thirty-nine percent of users who clicked on those links were in Pakistan, while 19 percent were in the United States.

The group’s command-and-control infrastructure is riddled with crimeware samples, including the remote access trojan NjRat, the research says. The group uses domains to perform a blend of broad-based cybercrime and targeted hacks, often shifting from one to the other “with little warning,” the blog post states.

The unmasking of the Gorgon Group is an example of how a cyber-intelligence-gathering project can expand over time. Unit 42 had been tracking an attacker known as Subaat for more than a year, but recently pieced together evidence that Subaat is part of the larger Gorgon Group.

CORRECTION, 08/03/18: This story has been updated with the correct spelling of the Gorgon Group.