APT28, a threat group attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, is targeting Gmail users with a phishing campaign that aims to steal their data and extort money.
Google has identified the campaign and has sent warning notifications to more than 14,000 targeted users.
The campaign was detected in late September and accounts for a larger-than-usual batch of the government-backed attack notifications that Google sends to targeted users each month.
Google stressed that these warnings do not mean the recipients’ accounts were compromised; they are precautionary, and were sent after the campaign’s phishing messages had already been blocked.
“If we are warning you there’s a very high chance we blocked. The increased numbers this month come from a small number of widely targeted campaigns which were blocked,” said Google.
TAG sent an above-average batch of government-backed security warnings yesterday. Some info for people who got the warning and a reminder what it means: https://t.co/ozlRL4SwhG and also in this 🧵
— Shane Huntley (@ShaneHuntley) October 7, 2021
The APT28 campaign led to a larger number of warnings for Gmail users across various industries.
Shane Huntley of Google’s Threat Analysis Group (TAG) said, “Fancy Bear’s phishing campaign accounts for 86% of all the batch warnings delivered this month. So why do we do these government warnings then? The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions.”
Who is APT28 or Fancy Bear?
APT28 is tracked under several names, including Pawn Storm, Sofacy Group, Tsar Team and STRONTIUM, but is now best known as Fancy Bear. That name comes from the naming convention used by CrowdStrike co-founder Dmitri Alperovitch to label threat actors, in which “Bear” denotes a Russian state-linked group.
Operational since at least the mid-2000s, Fancy Bear employs tradecraft consistent with a state actor. It is known to target government, military and security organizations, particularly in Transcaucasian and NATO-aligned states, for data theft and espionage.
Fancy Bear has carried out cyberattacks on the German parliament, the Norwegian parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, the Organization for Security and Co-operation in Europe, and the campaign of French presidential candidate Emmanuel Macron.
Classified as an advanced persistent threat (APT), the group uses zero-day exploits, spear phishing and malware to compromise its targets.