Google says government-backed hackers are weaponizing coronavirus for their attacks

From hawking fake vaccines and stolen masks to phishing attempts designed to take advantage of the pandemic, the internet has seen coronavirus-related scams and attacks skyrocket over the past few weeks.

Now, Google is sharing what its team of security experts have uncovered.

Google’s Threat Analysis Group (TAG) released a report on Wednesday detailing a number of COVID-19 attacks seen across the company's product line.

The search giant says it has specifically identified attacks targeting U.S. governmental workers and health agencies, phishing emails going after employees working from home, and fake charity solicitations.

“Hackers frequently look at crises as an opportunity, and COVID-19 is no different,” writes Shane Huntley of Google’s Threat Analysis Group in the report. “Across Google products, we’re seeing bad actors use COVID-related themes to create urgency so that people respond to phishing attacks and scams.”

Furthermore, these attacks are not just being carried out by lone hackers looking to cause trouble or scammers out for a cash grab. According to Google’s security team, it found more than a dozen state-sponsored hacking groups using the coronavirus as a lure when targeting users in its phishing and malware attempts.

The security team discovered a coronavirus-themed attack campaign targeting international health organizations and officials. The attacks spoofed the World Health Organization’s login pages in an effort to steal its targets' credentials.

According to Google, these attacks mirrored those previously reported on earlier this month by the hacker group Charming Kitten, which has links to the Iranian government. The report also names a malicious South American actor known as "Packrat" as another source of these attacks.

A screenshot of a malware email sent by a government-backed attacker. Credit: google

The company shared screenshots of emails from hackers pretending to be from the World Health Organization (WHO). One particular message tried to trick its recipient into downloading malware.

Google detailed another notable government-backed attack targeting U.S. government workers. A phishing campaign disguised as American fast food franchises went after these employees, pretending to offer them coupons and free meals in response to the coronavirus pandemic. Other emails pretended to be these food establishments’ online ordering service. The purpose of these emails was to get targets to click through to a page that looked like the fast food company’s, but was in fact set up by the attacker to steal their Google account login credentials.

According to Google, the “vast majority” of these messages were marked as spam upon receipt and never seen by its users.

“We’re not aware of any user having their account compromised by this campaign, but as usual, we notify all targeted users with a 'government-backed attacker' warning,” said Huntley.

The search giant previously reported last week that its systems had detected 18 million coronavirus-related malware and phishing messages in Gmail each day. It also shared that there were more than 240 million COVID-19-themed spam messages sent daily. The company said that it’s been able to block 99.9 percent of those attacks and spam messages from reaching its intended targets.

One interesting point of data from Google’s report is that phishing attacks by government-backed actors actually declined over the past month as compared to January and February of this year. While the attacks related to the coronavirus received a boost, overall they’re down.

And the search engine has a theory on why that is the case.

“While it’s not unusual to see some fluctuations in these numbers, it could be that attackers, just like many other organizations, are experiencing productivity lags and issues due to global lockdowns and quarantine efforts,” explained Google’s Huntley.

Government-backed hackers: They’re just like the rest of us.