Hungarian journalists targeted by “government-backed” phishing attacks
On Thursday, Google warned multiple Hungarian journalists, including Atlatszo editor-in-chief Tamás Bodoky, of a “government-backed” hacking attack on their Gmail accounts. According to Google’s Threat Analysis Group, the warnings are linked to a global hacking campaign by APT28, or “Fancy Bear”, a Russian government-backed hacking group.
“There is a chance that it is a false alarm, but we believe that we detected government-backed attackers who tried to steal your password. This happens to less than 0.1% of Gmail users. We can’t reveal what tipped them off because attackers may take note and change their tactics, but if they are successful at some point, they may gain access to your data or take other actions using your account.” A warning with this text appeared on the Gmail account of Tamás Bodoky, editor-in-chief of Atlatszo, early on Thursday.
It turned out that he was not the only Hungarian journalist to receive a similar message.
András Lőke, the editor in charge of ittlakunk.hu and chairman of the jury of the Transparency Soma Award, also reported that he had been warned of a state-sponsored hacker attack on his Facebook page, and so did Ádám Bihari, a journalist at HVG.
According to a Google Threat Analysis Group (TAG) announcement last May, on any given day TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. “Government-backed or state-sponsored groups have different goals in carrying out their attacks: Some are looking to collect intelligence or steal intellectual property; others are targeting dissidents or activists, or attempting to engage in coordinated influence operations and disinformation campaigns.”
Later on Thursday, Google stated that over 14,000 users had received a similar message due to a massive, global surge of state-sponsored cyberattacks in recent days.
For anyone wanting more context on why so many warnings coming from TAG this month – APT28 did some max targeting which we blocked.
Good writeup here. https://t.co/X4lQ9ZQ1AN
— Shane Huntley (@ShaneHuntley) October 7, 2021
This suggests that the attempted hacking of Hungarian journalists’ accounts may be part of a hacking campaign facilitated by a Russian state intelligence agency, which targets journalists and activists in several countries.
Shane Huntley, head of Google’s cybersecurity team, the Threat Analysis Group, said that the warnings are linked to a recent phishing campaign in which “a large number of Gmail users were targeted” by APT28, a Russian government-backed hacking group.
APT28, also known as, among other names, ‘Fancy Bear’, ‘Tsar Team’ and ‘STRONTIUM’, is a well-known organ of the Russian military intelligence agency GRU.
The group came to prominence in 2014, when it targeted journalists in Russia and neighbouring countries, as well as in the US, who wrote articles that were inconvenient for the Kremlin. Since then, the team has been identified by digital forensic investigators as responsible for dozens of cyberattacks.
‘Fancy Bear’ hackers are known to have used leaked email lists to spread terrorist threats attributed to ISIS, conducted malware attacks on several Western companies and media outlets, and successfully broken into the email accounts of the US Democratic Party committee (DNC) and French President Emmanuel Macron in 2016 and 2017, respectively.
Crude but often effective
The American Special Counsel investigation led by Robert Mueller identified members of the hacking group while looking into Russian interference in the 2016 United States elections. According to the Mueller report, the group is made up of members of two GRU units, and their work is supervised by the service’s high command. Based on the report, the FBI issued arrest warrants for 12 GRU officers identified as the perpetrators of cyberattacks.
Google’s communications suggest that the latest Russian campaign consisted of phishing attempts. This is a somewhat crude hacking method: it requires the victim to open an email sent by the attackers and then follow a deceptive link or download a file infected with malware.
Such attacks have nevertheless been successful in recent years; the DNC hack itself was achieved through phishing. This method is, however, far easier to block than the next-generation spyware used by government agencies, such as Pegasus. So-called zero-click attacks can infect smart devices and spy on users without any apparent warning signs.
Fancy Bear comes after Pegasus
The latest warning was especially concerning because it was revealed in September that two phones belonging to Dániel Németh, a photojournalist working for Átlátszó, had been infected with the Pegasus spyware, which is used exclusively by state agencies, including the Hungarian government.
Dániel Németh investigated and uncovered luxury trips of pro-government politicians and their business associates. Brigitta Csikász, a crime reporter working for Atlatszo at the time, also reported that her phone had been infected with the spyware.
Other, similar software, according to Ian Amit, an Israeli security expert interviewed by Atlatszo, has been used by government agencies to plant false evidence on people’s phones in order to convict them of crimes they did not commit.
Google stated that if a user received a warning message about the “government-backed” attack, it is almost certain that Gmail’s spam filters blocked the threat, so the fraudulent email will not be present in their account. The Google Threat Analysis Group and other security experts suggest turning on multi-factor authentication and taking other precautionary measures to prevent phishing attempts from succeeding.
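The “deceptive link” that the phishing method described above relies on can often be spotted mechanically, and that is one of the precautionary measures a mail filter or a reader can apply: the address the anchor text shows and the address it actually points to disagree. The following Python script is an added example written for this article; it is not code from Google, TAG or Atlatszo. It scans an HTML message body (a constructed sample is embedded) and reports anchors whose visible domain differs from the real target, whose host uses punycode (a common homograph trick), or that bury a trusted brand name inside an unrelated domain. The `TRUSTED_DOMAINS` list, the sample message and the two-label `registrable()` approximation (no public suffix list) are assumptions made for the demonstration.

```python
"""Flag anchors in an HTML e-mail body whose visible text and real target disagree."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand domains we treat as trusted for the lookalike check (constructed list for the demo).
TRUSTED_DOMAINS = ("accounts.google.com", "google.com", "atlatszo.hu")

# Matches anchor text that is itself a URL or bare domain, capturing the host part.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL or domain-like string ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (demo approximation, no PSL)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str) -> list:
    """Return a list of (visible_text, href, reason) for every suspicious anchor."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        reasons = []
        # 1. The text looks like a URL/domain but the link goes somewhere else.
        m = DOMAIN_RE.match(text)
        if m and registrable(host_of(m.group(1))) != registrable(target):
            reasons.append("visible domain differs from link target")
        # 2. Punycode or non-ASCII host: classic homograph lookalike.
        if target.startswith("xn--") or ".xn--" in target or not target.isascii():
            reasons.append("internationalised/punycode host")
        # 3. A trusted brand name embedded in an unrelated registrable domain.
        for brand in TRUSTED_DOMAINS:
            if brand in target and registrable(target) != registrable(brand):
                reasons.append(f"brand '{brand}' embedded in unrelated domain")
                break
        if reasons:
            findings.append((text, href, "; ".join(reasons)))
    return findings


# Constructed sample message body: two deceptive anchors and one legitimate one.
SAMPLE_EMAIL = """
<p>Unusual sign-in detected. Review it at
<a href="https://accounts.google.com.example-login.net/verify">https://accounts.google.com/</a>
or via <a href="http://xn--gogle-wqa.com/">Google security</a>.
Read more at <a href="https://atlatszo.hu/">atlatszo.hu</a>.</p>
"""

if __name__ == "__main__":
    for text, href, reason in find_deceptive_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}  [{reason}]")
```

Run as-is, the script reports the first two anchors and stays silent on the genuine atlatszo.hu link. The two-label `registrable()` shortcut is wrong for suffixes such as `co.uk`; a production filter would consult the public suffix list, and would also treat a plain non-HTTPS host or a URL shortener as worth a second look.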
Written and translated by Zalán Zubor. Cover image: Crowdstrike.
Support independent investigative journalism in Hungary, become a patron of Atlatszo on Patreon!