A recent report from Google’s Threat Analysis Group (TAG) has shed light on the extent to which government-sponsored hacking and phishing campaigns are being conducted. In Q3 2019, Google sent more than 12,000 warnings to users about state-sponsored phishing campaigns.
These hacking, phishing, and disinformation campaigns have remained steady over the past two years, with a similar number of warnings issued in the corresponding period in 2017 and 2018.
While these phishing campaigns are targeting users in 149 countries, users in the United States are the most heavily targeted. Users in Pakistan, Vietnam and South Korea were also the subject of high numbers of attacks.
One of the most common scams involves spoofed Google security alerts. Like the genuine emails sent by Google, these messages inform users that their account may have been compromised and encourage them to click a link to change their password and secure their account. If the link is clicked, users are asked for their password and, if two-factor authentication has been enabled on their account, their 2-factor code. Aside from the suspect email address that the message is sent from, the phishing emails are carbon copies of legitimate Google security alerts.
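Since the article notes that the sender address is the one detail that gives these lookalike alerts away, a defender can key a simple triage check on exactly that. The following is an added example, not code from Google or from the report: it parses a raw message, checks whether a mail that presents itself as a Google alert actually comes from a google.com address, and flags any links in the body that point somewhere other than a google.com host. The two sample messages and the domain names in them are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts accepted as genuine for both the sender and any links (assumption for this example).
GOOGLE_APEX = "google.com"


def _is_google_host(host: str) -> bool:
    """True for google.com itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == GOOGLE_APEX or host.endswith("." + GOOGLE_APEX)


def check_security_alert(raw_message: str) -> dict:
    """Triage a message that claims to be a Google security alert.

    Returns the sender domain, the links found in the body and a list of
    findings; 'suspicious' is True when any finding was recorded.
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""

    # The message "claims" Google if the brand appears in the subject or display name.
    header_text = (msg.get("Subject", "") + " " + msg.get("From", "")).lower()
    claims_google = "google" in header_text

    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace") if payload else ""
    links = re.findall(r'href=["\']?([^"\' >]+)', body, flags=re.IGNORECASE)
    off_brand_links = [u for u in links if not _is_google_host(urlparse(u).hostname or "")]

    findings = []
    if claims_google and not _is_google_host(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not a Google domain")
    for url in off_brand_links:
        findings.append(f"link points away from Google: {url}")

    return {
        "sender_domain": sender_domain,
        "links": links,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: a lookalike alert sent from a non-Google domain with a
# credential-harvesting link on a lookalike host.
SPOOFED_ALERT = """\
From: "Google" <security-alert@mail-google-support.example>
Subject: Security alert: suspicious sign-in to your Google Account
Content-Type: text/html; charset=utf-8

<p>Someone just used your password to try to sign in.</p>
<a href="https://accounts-google.example/recover">Secure your account</a>
"""

# Constructed sample: the same wording, but sent from and linking to google.com hosts.
GENUINE_LOOKING_ALERT = """\
From: Google <no-reply@accounts.google.com>
Subject: Security alert
Content-Type: text/html; charset=utf-8

<p>Someone just used your password to try to sign in.</p>
<a href="https://myaccount.google.com/notifications">Check activity</a>
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_ALERT), ("genuine-looking", GENUINE_LOOKING_ALERT)):
        result = check_security_alert(raw)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  ", finding)
```

This deliberately checks only what the article identifies as the tell, the sender address, plus the link targets; a production mail gateway would also verify SPF, DKIM and DMARC results rather than trusting the `From:` header on its own.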
Over 90% of attacks seek login credentials and 2-factor authentication codes that allow the attacker to take control of a user’s account. Many of the attacks are conducted on civil rights activists and journalists. To better protect those users, Google provides its Advanced Protection Program (APP), which allows users to protect their accounts with hardware security keys. APP provides a high level of protection against phishing attacks and account takeovers for high-profile accounts.
In Q3, Google tracked more than 270 government-backed threat groups operating in more than 50 countries and attempted to identify and block attacks that tried to collect intelligence, spread disinformation, steal intellectual property, or spread destructive malware.
Google has provided more information on one such group called Sandworm, which has links to Russia. Most of the Sandworm attacks have targeted Ukraine, although one notable campaign was conducted on users in South Korea and attempted to deliver Android malware. Legitimate Android applications were modified to incorporate malware, and the trojanized versions were uploaded to the Google Play store. In total, 8 different malicious apps were uploaded, although each was installed fewer than 10 times.
The Sandworm group also modified the UKR.net email app and uploaded it to the Google Play store. That app was downloaded by around 1,000 users. The group also compromised an app developer and published a number of apps in the Play Store, one of which was downloaded more than 200,000 times.
TAG has also taken action against disinformation campaigns conducted via YouTube in several countries in Africa, as well as provinces in Indonesia and Papua New Guinea. In total, 43 YouTube channels were shut down that were being used in propaganda campaigns.