{
	"id": "46f6231f-4fca-4e59-86b9-5c63ea2c8597",
	"created_at": "2026-04-06T00:11:39.733832Z",
	"updated_at": "2026-04-10T13:12:33.989344Z",
	"deleted_at": null,
	"sha1_hash": "057099bdb8559492cb5bb61cd1fe7545cd53068c",
	"title": "Google notifies 14,000 Gmail users of targeted APT28 attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91588,
	"plain_text": "Google notifies 14,000 Gmail users of targeted APT28 attacks\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-21 · Archived: 2026-04-05 15:44:01 UTC\r\nGoogle has sent email notifications to more than 14,000 Gmail users, warning them that they've been the target of a spear-phishing attack orchestrated by a state-sponsored hacking group.\r\n\"In late September, we detected an APT28 phishing campaign targeting a large volume of Gmail users (approx\r\n14,000) across a wide variety of industries,\" Shane Huntley, Director of Google's Threat Analysis Group, told The\r\nRecord in an email, following an inquiry about the number of users who took to social media to post the message\r\nthey received from Google.\r\n\"This particular campaign comprised 86% of the batch of warnings we sent for this month,\" Huntley added.\r\n\"Firstly these warnings indicate targeting NOT compromise. If we are warning you there's a very high chance we\r\nblocked,\" Huntley said in a separate Twitter thread.\r\n\"If you are an activist/journalist/government official or work in NatSec, this warning honestly shouldn't be a\r\nsurprise.\r\n\"At some point, some government-backed entity probably will try to send you something,\" he added, while urging\r\nusers to review account security settings.\r\nHuntley, who leads the TAG team, a Google security division focused on hunting apex threat actors, said they\r\nblocked all the emails sent by the APT28 group in this campaign.\r\nThe group is tracked as APT28 but is more commonly known as Fancy Bear. The FBI and NSA linked it earlier\r\nthis summer to Russia's military intelligence apparatus—and in particular to the Russian General Staff Main\r\nIntelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165.\r\nAPT28 has been one of the most active threat actors over the past decade, and the group has often relied on spear-phishing emails to go after targets of interest. 
Their aim is to breach inboxes, get access to sensitive documents\r\nand communications, and then pivot to other individuals or internal networks.\r\n\"If you received a warning or are a high-risk user, journalist, politician, celebrity, or CEO, we recommend you\r\nenroll in the Advanced Protection Program for work and personal emails,\" Huntley said in an email, promoting a\r\nGoogle program meant to add and activate additional security protections to high-risk accounts.\r\nThe warnings sent out this week are not a new Gmail feature. Google has been sending alerts about attacks carried\r\nout by state-sponsored entities since 2012.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/google-notifies-14000-gmail-users-of-targeted-apt28-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/google-notifies-14000-gmail-users-of-targeted-apt28-attacks/"
	],
	"report_names": [
		"google-notifies-14000-gmail-users-of-targeted-apt28-attacks"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434299,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/057099bdb8559492cb5bb61cd1fe7545cd53068c.pdf",
		"text": "https://archive.orkl.eu/057099bdb8559492cb5bb61cd1fe7545cd53068c.txt",
		"img": "https://archive.orkl.eu/057099bdb8559492cb5bb61cd1fe7545cd53068c.jpg"
	}
}