Google offers new details about the China-Linked Hacking Group

Critical infrastructure security, cyber war / nation state attacks, DDoS protection

The analysis highlights the group that targeted Biden’s campaign offices

Akshaya Asokan (asokan_akshaya) •
17th October 2020

A report released Friday by Google Threat Analysis Group offers new information on the China-linked hacking group that targeted Joe Biden’s campaign offices with phishing emails earlier this year.

See also: Live webinar | Exploit the full potential of the public key infrastructure

In June, Google published an analysis that found that an expanded group of persistent threats called APT31 had phished the Biden campaign bureaus with phishing emails, although those attacks had not proven successful. The same report also found that an Iran-backed group used similar techniques against President Donald ’s campaign (see: Google: Phishing attacks target Trump, Biden campaigns).

In the new report, Google TAG notes that APT31, also known as Zirconium, used GitHub to host malware and Dropbox as the command and control infrastructure to avoid detection and hide from security tools. The report did not specifically state whether these techniques were consistent with those used in the Biden campaign.

“Every malicious part of this attack was hosted on legitimate services, making it more difficult for defenders to rely on network signals to detect,” said Shane Huntley, head of Google’s Threat Analysis Group, in the report.

As with the first detailed phishing campaigns against the Biden and Trump campaigns in June, Google made this information available to the FBI for further investigation. In total, Google sent over 10,000 alerts of government-backed threats in the third quarter of this year and saw an increase in activity targeting political campaigns, according to the report.

In the final two weeks leading up to the November election, the number of nation-state activities targeting Biden, Trump and other campaigns is likely to increase. This is a crucial time for cybersecurity, says Chris Pierson, CEO and founder of security firm BlackCloak.

“In the past four years, that awareness has only increased with early target profiling activities, regardless of party or candidate,” Pierson told the Information Security Media Group. “As races reach the final stretch, that awareness only increases, targeted phishing and other attacks increase, and the focus on reputational risk becomes more of a target of opportunity.”

APT31 Details

In the report, the Google TAG researchers found that the phishing emails used by APT 31 contained malicious links that the report said would attempt to download malware hosted on GitHub if they clicked on them.

In this case, the malware was a Python-based implant. If it were installed, the report said the hackers could upload and download files and execute arbitrary commands. The malicious code also connects to the command and control server hosted on Dropbox

In one case, the phishing emails were disguised as updates from the security company McAfee, which reportedly asked the target victim to install updated security software.

Phishing email disguised as a McAfee update (Source: Google)
“The targets would be asked to install a legitimate version of McAfee antivirus software from GitHub while malware was being installed on the system unnoticed,” the Google report said.

Tom Kellermann, head of cybersecurity strategy at VMware who served as cybersecurity advisor to former President Barack Obama, notes that the Google report sheds important light on the capabilities of groups like APT31.

“APT 31 has dramatically improved its kill chain by using Python and using GitHub for distribution,” Kellermann told ISMG.

Other China-related hacking groups have also tried to use legitimate cloud services to cover up their activities. In September, Microsoft announced that it had removed 18 apps from its Azure cloud computing platform that were used by a Chinese hacking group called Gadolinium as part of their command and control infrastructure to launch phishing email attacks (see : Microsoft Shutters Azure apps used by China-related hackers).

DDoS threats

In addition to the details of the phishing campaigns, the Google report notes that the company is tracking the increase in distributed denial-of-service attacks, which has been increasing over the past few months. Last month, the FBI and the U.S. Agency for Cybersecurity and Infrastructure Security also warned of an increase in DDoS activity that could affect the November elections (see: FBI, CISA warns of DDoS attacks against November elections).

“While it is less common to see DDoS attacks as phishing or hacking campaigns by government-backed threat groups, in recent years we have seen larger players improve their ability to launch large-scale attacks,” according to the Google TAG -Report.

As part of the report, Google also announced that it blocked a 2.54 TB per second DDoS attack in 2017, which is likely the largest publicly reported DDoS attack ever reported. In February, Amazon Web Services reported a DDoS attack at 2.3 TB per second (see: European bank targets massive packet-based DDoS attack).

List of the largest recorded DDoS attacks (source: Google)
“In September 2017, our infrastructure absorbed a DDoS of 2.5 Tbit / s. This is the culmination of a six month campaign that used multiple attack vectors, ”said Damian Menscher, a security reliability engineer at Google, in a separate report. “Although the attack targeted thousands of our IPs at the same time, presumably in the hope of getting past automated defenses, it had no effect.”

The Google report found that the 2017 DDoS attack appeared to originate from four Chinese ISPs and the operation behind the attack appears to be well funded. The company announced the attack now to draw attention to the increasing number of DDoS attacks in recent months.

Ivan Righi, cyber threat intelligence analyst at security firm Digital Shadows, notes that these types of DDoS are likely to increase as operators become more complex.

“More recently, with the introduction of DDoS extortion campaigns, the threats have also moved to a higher level,” Righi told ISMG. “These campaigns consist of threat actors who demand Bitcoin payments from the victims and threaten them with impending DDoS attacks. It is realistic that these types of threats could increase in the future. ”

Executive Editor Scott Ferguson contributed to this report.

These were the details of the news Google offers new details about the China-Linked Hacking Group for this day. We hope that we have succeeded by giving you the full details and information. To follow all our news, you can subscribe to the alerts system or to one of our different systems to provide you with all that is new.

It is also worth noting that the original news has been published and is available at and the editorial team at AlKhaleej Today has confirmed it and it has been modified, and it may have been completely transferred or quoted from it and you can read and follow this news from its main source.