In Google's first Threat Horizons report, its Cybersecurity Action Team has found illicit coin mining, ransomware and APTs targeting its cloud users.
The US search tech giant has flagged that the cyber attack, spearheaded by Russian hackers, targeted Gmail users, with the company warning that the campaign aimed to steal people's login credentials using fake emails sent to their inboxes.
Details of the mining hack are outlined in a report by Google’s cyber security action team, which is designed to spot hacking threats against its cloud service – a remote storage system where Google stores customers’ data and files off-site – and gives advice on how to tackle them.
Other threats identified by the team in its first Threat Horizons report include:
“Mining” is the process by which blockchains, such as those that underpin cryptocurrencies, are regulated and verified; it requires a significant amount of computing power. Google reported that of 50 recent hacks of its cloud computing service, more than 80 per cent were used to perform cryptocurrency mining.
According to the report, about “86 per cent of the compromised Google Cloud instances were used to perform cryptocurrency mining, a cloud resource-intensive for-profit activity”, adding that in the majority of cases, the cryptocurrency mining software was downloaded within 22 seconds of the account being compromised.
Google revealed that in three-quarters of the cloud hacks the attackers had taken advantage of poor customer security or vulnerable third-party software.
The report also outlined that Russian government-backed hacking group APT28, also known as Fancy Bear, targeted 12,000 Gmail accounts in a mass attempt at phishing, where users are tricked into handing over their login details. The attackers attempted to lure account holders into handing over their details via an email that said: “We believe that government-backed attackers may be trying to trick you to get your account password.”
According to Google, they took action by blocking all the phishing emails in the attack – which focused on the UK, the US and India – and no users’ details had been compromised.
Google’s recommendations to its cloud customers to improve their security include two-factor authentication – an extra layer of security on top of a generic username and password – and signing up to the company’s Work Safer security programme.
Another hacking ploy identified by Google in the report involved a North Korea-backed hacker group posing as recruiters at Samsung and sending fake job opportunities to employees at South Korean information security companies. Victims were then steered towards a malicious link to malware stored in Google Drive, which has now been blocked.
The report also flagged the emergence of Black Matter, which it describes as a “formidable ransomware family”, even after the ransomware group announced it was shutting down due to “pressure from the authorities”.
Black Matter victims include the Japanese technology group Olympus.
Despite reports that the Black Matter ransomware group will shut down operations, Google remains vigilant, noting in the report that “until this is confirmed, Black Matter still poses a risk”.
Dealing with ransomware attacks, where the files and data on a user’s computer are encrypted by the attacker until a payment is made for their release, was difficult because heavy encryption “makes recovery of files nearly impossible without paying for the decryption tool,” Google emphasised.