{
	"id": "34dd8671-a731-486f-a5a0-90061903d600",
	"created_at": "2026-04-06T02:12:45.544983Z",
	"updated_at": "2026-04-10T03:35:45.912187Z",
	"deleted_at": null,
	"sha1_hash": "d102ce4482891dc313c02fa6d7888f1054deba28",
	"title": "How we're tackling evolving online threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48809,
	"plain_text": "How we're tackling evolving online threats\r\nBy Shane Huntley\r\nPublished: 2020-10-16 · Archived: 2026-04-06 01:54:18 UTC\r\nOct 16, 2020\r\n6 min read\r\nMajor events like elections and COVID-19 present opportunities for threat actors, and Google’s Threat Analysis\r\nGroup (TAG) is working to thwart these threats and protect our products and the people using them. As we head\r\ninto the U.S. election, we wanted to share an update on what we’re seeing and how threat actors are changing their\r\ntactics.\r\nWhat we’re seeing around the U.S. elections\r\nIn June, we announced that we saw phishing attempts against the personal email accounts of staffers on the Biden\r\nand Trump campaigns by Chinese and Iranian APTs (Advanced Persistent Threats) respectively. We haven’t seen\r\nany evidence of such attempts being successful. \r\nThe Iranian attacker group (APT35) and the Chinese attacker group (APT31) targeted campaign staffers’ personal\r\nemails with credential phishing emails and emails containing tracking links. As part of our wider tracking of\r\nAPT31 activity, we've also seen them deploy targeted malware campaigns. \r\nOne APT31 campaign was based on emailing links that would ultimately download malware hosted on GitHub.\r\nThe malware was a python-based implant using Dropbox for command and control. It would allow the attacker to\r\nupload and download files as well as execute arbitrary commands. Every malicious piece of this attack was hosted\r\non legitimate services, making it harder for defenders to rely on network signals for detection. \r\nIn one example, attackers impersonated McAfee. The targets would be prompted to install a legitimate version of\r\nMcAfee anti-virus software from GitHub, while malware was simultaneously silently installed to the system.\r\nExample prompt from an APT31 campaign impersonating McAfee\r\nWhen we detect that a user is the target of a government-backed attack, we send them a prominent warning. 
In\r\nthese cases, we also shared our findings with the campaigns and the Federal Bureau of Investigation. This\r\ntargeting is consistent with what others have subsequently reported.\r\nNumber of “government backed attacker” warnings sent in 2020\r\nOverall, we’ve seen increased attention on the threats posed by APTs in the context of the U.S. election. U.S.\r\ngovernment agencies have warned about different threat actors, and we’ve worked closely with those agencies and\r\nothers in the tech industry to share leads and intelligence about what we’re seeing across the ecosystem. This has\r\nresulted in action on our platforms, as well as others. Shortly after the U.S. Treasury sanctioned Ukrainian\r\nhttps://blog.google/threat-analysis-group/how-were-tackling-evolving-online-threats/\r\nPage 1 of 3\n\nParliament member Andrii Derkach for attempting to influence the U.S. electoral process, we removed 14 Google\r\naccounts that were linked to him.\r\nCoordinated influence operations\r\nWe’ve been sharing actions against coordinated influence operations in our quarterly TAG bulletin (check out our\r\nQ1, Q2 and Q3 updates). To date, TAG has not identified any significant coordinated influence campaigns\r\ntargeting, or attempting to influence, U.S. voters on our platforms. \r\nSince last summer, TAG has tracked a large spam network linked to China attempting to run an influence\r\noperation, primarily on YouTube. This network has a presence across multiple platforms, and acts by primarily\r\nacquiring or hijacking existing accounts and posting spammy content in Mandarin such as videos of animals,\r\nmusic, food, plants, sports, and games. A small fraction of these spam channels will then post videos about current\r\nevents. Such videos frequently feature clumsy translations and computer-generated voices. 
Researchers at\r\nGraphika and FireEye have detailed how this network behaves—including its shift from posting content in\r\nMandarin about issues related to Hong Kong and China’s response to COVID-19, to including a small subset of\r\ncontent in English and Mandarin about current events in the U.S. (such as protests around racial justice, the\r\nwildfires on the West Coast, and the U.S. response to COVID-19). \r\nWe’ve taken an aggressive approach to identifying and removing content from this network—for example, in Q3\r\nalone, our Trust and Safety teams terminated more than 3,000 YouTube channels. As a result, this network hasn’t\r\nbeen able to build an audience. Most of the videos we identify have fewer than 10 views, and most of these views\r\nappear to come from related spam accounts rather than actual users. So while this network has posted frequently,\r\nthe majority of this content is spam and we haven’t seen it effectively reach an actual audience on YouTube.\r\nWe’ve shared our findings on this network in our Q2 and Q3 TAG bulletins and will continue to update there.\r\nExamples of YouTube videos removed\r\nNew COVID-19 targets\r\nAs the course of the COVID-19 pandemic evolves, we’ve seen threat actors evolve their tactics as well. In\r\nprevious posts, we discussed targeting of health organizations as well as attacker efforts to impersonate the World\r\nHealth Organization. This summer, we and others observed threat actors from China, Russia and Iran targeting\r\npharmaceutical companies and researchers involved in vaccine development efforts. \r\nIn September, we started to see multiple North Korea groups shifting their targeting towards COVID-19\r\nresearchers and pharmaceutical companies, including those based in South Korea. One campaign used URL\r\nshorteners and impersonated the target’s webmail portal in an attempt to harvest email credentials. 
In a separate\r\ncampaign, attackers posed as recruiting professionals to lure targets into downloading malware.\r\nSpoofed Outlook login panel used by North Korean attackers attempting to harvest credentials\r\nTackling DDoS attacks as an industry\r\nIn the threat actor toolkit, different types of attacks are used for different purposes: Phishing campaigns can be\r\nused like a scalpel—targeting specific groups or individuals with personalized lures that are more likely to trick\r\nthem into taking action (like clicking on a malware link), while DDoS attacks are more like a hatchet—disrupting\r\nor blocking a site or a service entirely. While it’s less common to see DDoS attacks rather than phishing or\r\nhacking campaigns coming from government-backed threat groups, we’ve seen bigger players increase their\r\ncapabilities in launching large-scale attacks in recent years. For example, in 2017, our Security Reliability\r\nEngineering team measured a record-breaking UDP amplification attack sourced out of several Chinese ISPs\r\n(ASNs 4134, 4837, 58453, and 9394), which remains the largest bandwidth attack of which we are aware.\r\nAddressing state-sponsored DDoS attacks requires a coordinated response from the internet community, and we\r\nwork with others to identify and dismantle infrastructure used to conduct attacks. Going forward, we’ll also use\r\nthis blog to report attribution and activity we see in this space from state-backed actors when we can do so with a\r\nhigh degree of confidence and in a way that doesn’t disclose information to malicious actors. \r\nSource: https://blog.google/threat-analysis-group/how-were-tackling-evolving-online-threats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.google/threat-analysis-group/how-were-tackling-evolving-online-threats/"
	],
	"report_names": [
		"how-were-tackling-evolving-online-threats"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775441565,
	"ts_updated_at": 1775792145,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d102ce4482891dc313c02fa6d7888f1054deba28.pdf",
		"text": "https://archive.orkl.eu/d102ce4482891dc313c02fa6d7888f1054deba28.txt",
		"img": "https://archive.orkl.eu/d102ce4482891dc313c02fa6d7888f1054deba28.jpg"
	}
}