Google has just revealed that it has detected a phishing attack originating from Jinan, China that targeted hundreds of people, including “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists”.
The attack itself — which relied on phishing passwords — doesn’t appear to be overly sophisticated, according to a report that identified it back in February. But it was very targeted, which is unusual for phishing schemes. Google says that the perpetrators were stealing user passwords, then setting Gmail accounts to automatically forward messages to other inboxes (delegation settings, which can grant other people access to accounts, were also changed).
Google says that it “detected and disrupted this campaign” and that it has already notified affected victims, as well as government authorities. It then goes on to detail some of the things you can do to secure your account, including 2-step verification, strong passwords, and checking to make sure you aren’t forwarding your email to any inboxes you don’t recognize. Google’s post emphasizes that this was not an issue with Gmail itself and that its internal systems weren’t attacked.
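The forwarding and delegation check Google recommends can be automated for an account audit. The following is an added example, not code from Google or the article: it takes settings shaped like the responses of the Gmail API's users.settings.getAutoForwarding, users.settings.filters.list and users.settings.delegates.list calls (the sample responses here are constructed) and flags any forwarding target or delegate that is not on a list of addresses the account owner recognizes.

```python
"""Audit Gmail settings for unexpected forwarding or delegation (added example)."""
from typing import Iterable, List, Tuple

# Constructed sample responses, shaped like the Gmail API settings endpoints.
AUTO_FORWARDING = {"enabled": True, "emailAddress": "backup@example.net",
                   "disposition": "leaveInInbox"}
FILTERS = {"filter": [
    {"id": "f1", "criteria": {"from": "newsletter@example.org"},
     "action": {"removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"query": "in:inbox"},
     "action": {"forward": "archive-relay@example.com", "removeLabelIds": ["INBOX"]}},
]}
DELEGATES = {"delegates": [
    {"delegateEmail": "assistant@example.com", "verificationStatus": "accepted"},
]}


def audit_settings(auto_forwarding: dict, filters: dict, delegates: dict,
                   trusted: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, address, detail) findings for every forwarding target or
    delegate whose address is not in `trusted` (compared case-insensitively)."""
    trusted_set = {a.lower() for a in trusted}
    findings: List[Tuple[str, str, str]] = []

    # Account-wide auto-forwarding: the setting the article describes being changed.
    target = auto_forwarding.get("emailAddress", "")
    if auto_forwarding.get("enabled") and target.lower() not in trusted_set:
        findings.append(("auto_forward", target, auto_forwarding.get("disposition", "")))

    # Per-filter forwarding: a filter that forwards and also drops the INBOX label
    # keeps the copied mail out of the owner's view, so note that separately.
    for flt in filters.get("filter", []):
        action = flt.get("action", {})
        target = action.get("forward")
        if target and target.lower() not in trusted_set:
            hidden = "INBOX" in action.get("removeLabelIds", [])
            findings.append(("filter_forward", target, "hidden" if hidden else "visible"))

    # Delegates: anyone granted access to read and send from the mailbox.
    for dlg in delegates.get("delegates", []):
        addr = dlg.get("delegateEmail", "")
        if addr.lower() not in trusted_set:
            findings.append(("delegate", addr, dlg.get("verificationStatus", "")))
    return findings


if __name__ == "__main__":
    for finding in audit_settings(AUTO_FORWARDING, FILTERS, DELEGATES, ["assistant@example.com"]):
        print(finding)
```

Run against live data by substituting the three API responses for the constructed dictionaries; anything it prints is a setting the owner should be able to account for.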
This isn’t the first time Google has had issues with cyberattacks originating in China. Early last year, Google revealed that it had been the target of a “highly sophisticated and targeted attack” that originated there, prompting the company to radically revise its operations in China. Google doesn’t mention anything in today’s blog post about the attacks being related, but the previous attack also targeted the accounts of Chinese activists.
Here’s a description of the attack, from contagio:
Victims get a message from an address of a close associate or a collaborating organization/agency, which is spoofed. The message is crafted to appear like it has an attachment with links like View Download and a name of the supposed attachment. The link leads to a fake Gmail login page for harvesting credentials.