Google: We caught a Russian state hacker crew uploading badness to the Play Store

Google has said it fired off 12,000 warnings to unlucky users of its GMail, Drive and YouTube services telling them it believes they're being phished by state-backed hackers.

The ad tech firm’s Threat Analysis Group (TAG) said in a blog post that between July and September it told people in 149 countries around the world that they were being “targeted by government-backed attackers”, adding that this was consistent with the same number of warnings sent during the same periods of 2017 and 2018.

“Over 90 per cent of these users were targeted via ‘credential phishing emails’, wrote Google’s Shane Huntley, who gave an example of one of these phishing emails having been sent from “Goolge”.

TAG went on to highlight a Russian state-sponsored hacking crew named Sandworm* which in 2017 started deploying Android-based malware to the Google Play store and evolved over time to simply phishing and compromising legit devs before deploying malicious updates to previously trusted apps. Google’s TAG, naturally, said they detected this and stopped Sandworm from doing these bad things.

Kevin Bocek, threat intelligence veep from Venafi, said:

“The most troubling of [Google TAG’s] examples was that [Sandworm] was able to compromise code signing keys from a legitimate app developer, via a phishing email, and add its own backdoor into an app... This just shows the power of code signing, it’s like a god that machines trust blindly. As more and more hackers see the potential, and ease, for misusing keys and certificates we'll see more of these attacks. We must ensure in the software build process code signing and machine identities are protected”

Sandworm previously used a Windows zero-day in 2014 to spy on NATO and the EU, among other targets.

Piers Wilson, product management head of Huntsman Security, opined that all this means companies must be “constantly vigilant”, saying: “Google’s announcement highlights that anyone could be a target of nation state attacks. You might assume you’re not of interest to government-backed attackers, but even someone only tangentially related to people or organisations in power could be a way into that target and so a valid target themselves.”

Cesar Cerrudo, chief techie of IOActive, advised folks to “avoid clicking on links unless you are sure they are safe and install strong protections on your endpoint devices.” Sound advice – provided you also take care while thumbing through emails on your phone or tablet. ®

Nomenclaturenotes

Sandworm has also been named (deep breath): TEMP.Noble; Electrum; Telebots; Quedagh Group; BE2 APT; Black Energy; and Iridium, not to be confused with the element or the satcom company.

The wildly unchecked proliferation of different names for hacking crews is intended mainly as a marketing gimmick to make threat intel companies appear to be first with the latest news about FancyAPT007PandaSeaTeamCalc!heeheeCr3wBlurt and to drown out the fact that there’s a score of competing firms all tracking the same threats. This is incredibly frustrating for anyone trying to figure out whether this week’s Big Scary Thing is actually the same one from last week but under a different name.

A common problem, it has driven sensible people to build public spreadsheets resolving and deconflicting the various company-specific hacker crew names. El Reg wholeheartedly endorses this approach to making infosec comprehensible again.