According to Google's Shane Huntley, advanced persistent threat (APT) groups out of China and Iran attempted to hack staff from US political campaigns. That's based on recent reports citing the director of Google's Threat Analysis Group, who tweeted about the attempt earlier this week. According to the tweet, the Google-run threat analysis group "recently saw" the activity and reported it to the appropriate authorities.
Every indication suggests that no accounts or information have been compromised at this time. But the threat should nonetheless be taken seriously: APTs are typically nation-state or state-sponsored groups.
In terms of the specifics of the attempted attack, Mr. Huntley says that the Chinese APT targeted the staff of US presidential hopeful Joe Biden. The Iranian APT, conversely, targeted the campaign of current US president Donald Trump. In both cases, phishing was the chosen approach.
The Google director says that the groups are respectively known as APT31 and APT35.
Google is offering advice to address the issue
Mr. Huntley is taking the opportunity to offer some advice for protecting accounts too. While the advice applies to everyone, not solely to campaign staff, the director warns that the personal accounts of staff members may be targeted. The best protections to use, he indicates, are two-factor authentication and Advanced Protection.
At least one of those methods may, however, not be as effective as the others, at least not on its own.
In late 2019, the Chinese APT hacker group APT20 was discovered to be bypassing two-factor authentication. It was able to accomplish that by first attacking web servers. Then, it utilized an RSA SecurID software token that it stole from a hacked system.
In summary, APT20 modified the key and imported the SecurID token seed. That allowed it to return and gain access to valid tokens, which were then used to generate and steal system-specific keys.
As noted above, that attack was carried out by a different APT, but, like the most recent attempts, it originated out of China. Since APTs have a tendency to be government-sponsored, there is a chance that similar methods might be used again to bypass two-factor authentication.
Now, Mr. Huntley also reiterated that Google is offering its Titan Security Keys to personnel working on campaigns. That means anybody working on the campaigns will want to look into getting one. While also imperfect, the security keys offer a more localized, more secure method of authentication.
These attacks weren't successful but future attacks could be
As noted above, the attempted hacks on the campaigns have been confirmed to originate in Iran and China, respectively, but there are still some details that aren't clear. For instance, it's not immediately apparent whether the attacks were connected.
While these attempts weren't successful, the groups will not necessarily be dissuaded from making another attempt. Other groups may also try to interfere. So implementing multiple layers of additional security, including those mentioned here, will arguably be the safest bet in terms of tech-related protections.
Recently TAG saw China APT group targeting Biden campaign staff & Iran APT targeting Trump campaign staff with phishing. No sign of compromise. We sent users our govt attack warning and we referred to fed law enforcement. https://t.co/ozlRL4SwhG
— Shane Huntley (@ShaneHuntley) June 4, 2020