Google has warned around 14,000 users of its mail services that they were targeted by a state-sponsored cybercriminal campaign. The threat group APT28, which has previously been connected to Russia, is said to be behind the phishing campaign.

The campaign was spotted towards the end of September and produced a larger batch than usual of the government-backed attack notices that Google sends out to targeted users each month.

A dedicated phishing campaign in action

Shane Huntley, leader of Google’s dedicated Threat Analysis Group (TAG), which is charged with responding to government-backed hacks, noted that this above-average number of notifications originated from what he referred to as:

“…a small number of widely targeted campaigns which were blocked.”

The identified APT28 (also known as Fancy Bear) campaign led to a greater number of warnings than usual for Gmail users operating in various sectors.

In a recent statement issued by a nominated spokesperson for Google, Huntley commented that activity from Fancy Bear’s latest phishing campaign accounted for 86% of the entire batch of warnings presented to Gmail users for the month.

He explained that an alert indicates that the recipient was targeted, not that their Gmail account was compromised. He elaborated on the purpose of the government-backed activity notices, which is to help targets prepare for an attack:

“So why do we do these government warnings then? The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions.”

He added that the warnings issued are a normal occurrence for certain professionals like journalists, activists, government officials, or individuals that work in dedicated national security hubs because that is who government-supported entities are most likely to have in their sights as potential victims.

Google alerts about government-backed hacking

All the phishing emails delivered by the recent Fancy Bear campaign were effectively blocked by Gmail. Google’s security tools automatically classified all of them as spam and quarantined them, so they did not reach their intended targets’ inboxes.

Huntley commented:

“As we’ve previously explained, we intentionally send these notices in batches, rather than at the moment we detect the threat itself, so that attackers cannot track some of our defence strategies.”

APT28 has been operating for many years. It is suspected to have been active since at least 2004, operating on behalf of Russia’s General Staff Main Intelligence Directorate, 85th Main Special Service Centre, military unit 26165.

The hacker outfit is usually engaged in the theft of data and espionage activities.

Among its more recent victims are members of the German federal parliament, the Bundestag, and members of Norway’s parliament.

Google’s aim with these notifications is to ensure targeted individuals are well-informed so they can take measures to enhance their defences before they are attacked and their personal data becomes compromised.