Google catches North Korean, Iranian hackers impersonating journalists in phishing efforts

The figures are less than what occurred in 2018, but researchers have seen in uptick in 2020.
google phishing warning
(Christiaan Colen / Flickr)

Indiscriminate email hacking campaigns are so 2018.

Some attackers have shifted away from sending a high volume of malicious emails in favor of more customized attacks aimed at high value targets.

Google’s Threat Analysis Group, which tries to stop state-sponsored hacking, sent nearly 40,000 warnings in 2019 to users alerting them that they were the target of a government-backed phishing attempt. That figure is down by nearly 25% from 2018, the company said in a blog post Thursday. One-in-five of the accounts targeted in 2019 was targeted multiple times.

“If at first the attacker does not succeed, they’ll try again using a different lure, different account, or trying to compromise an associate of the target,” Toni Gidwani, a security engineering manager at the company’s Threat Analysis Group, said in the blog post.


Yet that drop preceded an uptick in 2020 in attempted attacks. The hackers behind the most recent wave of attacks were often from Iran or North Korea, masquerading as reporters to build trust with a target, then try to break into their accounts or fabricate an idea for an article.

“For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation,” Gidwani wrote.

“In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email. Government-backed attackers regularly target foreign policy experts for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks.”

Google has long championed its work on anti-phishing measures. The company in December said it would expand security measures in its Chrome browser by warning users when they were visiting a suspicious website that might try to steal their credentials.

The Threat Analysis Group also caught a single hacking group using five zero-day vulnerabilities, which are unknown to technology companies. While Google did not specify which attackers may have been responsible, it did say that “the majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.”


“Finding this many zero-day exploits from the same actor in a relatively short time frame is rare,” the company said.

Two of the five vulnerabilities detailed Thursday are the same flaws in Google Chrome and Windows machines that were initially revealed in March 2019. The other three vulnerabilities rest on software issues in Internet Explorer.

This disclosure comes after U.S. Cyber Command last year publicized hacking samples that security researchers said were tied to North Korean activities.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts