Google Offers Fresh Details on China-Linked Hacking Group


Analysis Shines Light on Group that Targeted Biden’s Campaign Offices


A report issued Friday by Google’s Threat Analysis Group offers fresh details about the Chinese-linked hacking group that targeted Joe Biden’s campaign offices earlier this year with phishing emails.


In June, Google released an analysis that found an advanced persistent threat group called APT31 had targeted the Biden campaign offices with phishing emails, although these attacks did not prove successful. The same report also found an Iranian-backed group used similar techniques against President Donald Trump’s campaign (see: Google: Phishing Attacks Targeted Trump, Biden Campaigns).

In the new report, Google TAG notes that APT31, which is also known as Zirconium, used GitHub to host malware and Dropbox as its command-and-control infrastructure, both to avoid detection and to hide from security tools. The report did not say specifically whether these techniques were the same as those used against the Biden campaign.

“Every malicious piece of this attack was hosted on legitimate services, making it harder for defenders to rely on network signals for detection,” Shane Huntley, head of Google’s Threat Analysis Group, noted in the report.

As it did when the phishing campaigns against the Biden and Trump campaigns were first detailed in June, Google has shared this information with the FBI for further investigation. Overall, Google sent over 10,000 warnings about government-backed threats in the third quarter of this year, noting an increase in activity that has targeted political campaigns, according to the report.

In the final two weeks before the November election, the amount of nation-state activity that targets the Biden, Trump and other campaigns is likely to increase, making this a crucial time when it comes to cybersecurity, says Chris Pierson, CEO and founder of security firm BlackCloak.

“Over the past four years this attention has only picked up with target profiling activities starting early, regardless of party or candidate,” Pierson tells Information Security Media Group. “As races enter the final stretch, this attention only increases, the targeted phishing and other attacks increases, and the focus on reputational risks becomes more a target of opportunity.”

APT31 Details

In the report, the Google TAG researchers note that the phishing emails used by APT31 contained malicious links that, if clicked, would attempt to download malware hosted on GitHub.

In this case, the malware was a Python-based implant that, if installed, would allow the hackers to upload and download files as well as execute arbitrary commands, according to the report. The malicious code would also connect to a command-and-control server hosted on Dropbox.
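The report's point is that both the payload download (GitHub) and the command-and-control channel (Dropbox) live on legitimate services, so a plain domain blocklist gives defenders nothing. One detection approach that still works is behavioural: look for a host that fetches a binary from a GitHub release or raw-content URL and then starts regular, evenly spaced traffic to the Dropbox API. The following is an added example, not code from Google's report or from the implant; the proxy log lines, hostnames, repository path and timings are constructed for the example, and the Dropbox and GitHub URL patterns are the public service endpoints, not indicators from the report.

```python
# Heuristic: binary fetched from GitHub, followed by periodic Dropbox API traffic from the same host.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (not from the report): timestamp, source host, method, URL, response content-type.
SAMPLE_LOG = """\
2020-10-16T09:00:01Z ws-021 GET https://github.com/example-org/tool/releases/download/v1/update.exe application/octet-stream
2020-10-16T09:00:05Z ws-021 POST https://api.dropboxapi.com/2/files/list_folder application/json
2020-10-16T09:05:05Z ws-021 POST https://api.dropboxapi.com/2/files/list_folder application/json
2020-10-16T09:10:06Z ws-021 POST https://content.dropboxapi.com/2/files/upload application/octet-stream
2020-10-16T09:15:05Z ws-021 POST https://api.dropboxapi.com/2/files/list_folder application/json
2020-10-16T09:02:00Z ws-007 GET https://github.com/example-org/docs/blob/main/README.md text/html
2020-10-16T11:30:00Z ws-007 POST https://api.dropboxapi.com/2/files/list_folder application/json
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
GITHUB_DL_RE = re.compile(r"https://(?:github\.com/.+/releases/download/|raw\.githubusercontent\.com/)")
DROPBOX_RE = re.compile(r"https://(?:api|content)\.dropboxapi\.com/")
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}

def parse(log_text):
    """Turn the constructed log format into (time, host, method, url, content_type) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, method, url, ctype = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method, url, ctype))
    return events

def find_suspects(log_text, window=timedelta(hours=1), min_beacons=3, jitter=timedelta(seconds=30)):
    """Return hosts whose GitHub binary download is followed by near-constant-period Dropbox traffic."""
    by_host = defaultdict(list)
    for ev in parse(log_text):
        by_host[ev[1]].append(ev)
    suspects = {}
    for host, evs in by_host.items():
        evs.sort()
        downloads = [e for e in evs if GITHUB_DL_RE.match(e[3]) and e[4] in BINARY_TYPES]
        for dl in downloads:
            beacons = [e[0] for e in evs if DROPBOX_RE.match(e[3]) and dl[0] < e[0] <= dl[0] + window]
            if len(beacons) < min_beacons:
                continue
            gaps = [b - a for a, b in zip(beacons, beacons[1:])]
            if max(gaps) - min(gaps) <= jitter:  # near-constant interval suggests an automated check-in
                suspects[host] = {"download": dl[3], "beacons": len(beacons),
                                  "interval_s": int(sum(gaps, timedelta()).total_seconds() / len(gaps))}
    return suspects
```

In the constructed sample, ws-021 is flagged (binary from a GitHub release, then four Dropbox calls about 300 seconds apart) while ws-007, which merely browsed a README and made one Dropbox call hours later, is not.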

In one case, the phishing emails came disguised as updates from security firm McAfee that urged the targeted victim to install updated security software, according to the report.

Phishing email disguised as McAfee update (Source: Google)

“The targets would be prompted to install a legitimate version of McAfee anti-virus software from GitHub, while malware was simultaneously silently installed to the system,” according to the Google report.

Tom Kellermann, the head of cybersecurity strategy at VMware who served as a cybersecurity adviser to former President Barack Obama, notes that the Google report shines an important light on the capabilities of groups such as APT31.

“APT 31 has dramatically improved their kill-chain by using Python and leveraging GitHub for distribution,” Kellermann tells ISMG.

Other hacking groups linked to China have also sought to utilize legitimate cloud services as a way to disguise their activities. In September, Microsoft announced that it had removed 18 apps from its Azure cloud computing platform that were being used by a Chinese hacking group called Gadolinium as part of its command-and-control infrastructure to help launch phishing email attacks (see: Microsoft Shutters Azure Apps Used by China-Linked Hackers).

DDoS Threats

In addition to the details about the phishing campaigns, the Google report notes that the company is tracking an increase in distributed denial-of-service attacks over the last several months. Over the last month, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency have also warned about an uptick in DDoS activity that could affect the November election (see: FBI, CISA Warn of DDoS Attacks Targeting November Election).

“While it’s less common to see DDoS attacks rather than phishing or hacking campaigns coming from government-backed threat groups, we’ve seen bigger players increase their capabilities in launching large-scale attacks in recent years,” according to the Google TAG report.

As part of the report, Google also disclosed that it fended off a 2.54 TB per second DDoS attack in 2017 that is likely the largest publicly disclosed DDoS attack ever reported. In February, Amazon Web Services reported a 2.3 TB per second DDoS attack (see: European Bank Targeted in Massive Packet-Based DDoS Attack).

List of largest DDoS attacks recorded (Source: Google)

“Our infrastructure absorbed a 2.5 Tbps DDoS in September 2017, the culmination of a six-month campaign that utilized multiple methods of attack,” Damian Menscher, a security reliability engineer with Google, noted in a separate report. “Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact.”

The Google report noted that the 2017 DDoS attack appeared to originate with four Chinese internet service providers and the operation behind the attack appeared well funded. The company disclosed the attack now to call attention to increasing DDoS attacks that have occurred over the last several months.

Ivan Righi, cyber threat intelligence analyst with security firm Digital Shadows, notes that these types of DDoS attacks are likely to increase, with the operators becoming more sophisticated.

“Most recently, threats have also evolved to a higher level with the introduction of DDoS extortion campaigns,” Righi tells ISMG. “These campaigns consist of threat actors demanding bitcoin payments from victims and threatening them with impending DDoS attacks. It is realistically possible that we could see these types of threats increase in the future.”

Managing Editor Scott Ferguson contributed to this report.
