Was the Google Phishing / OAuth Attack a Russian Pawn Storm Operation?
On Wednesday, May 3rd, 2017, a massive phishing campaign sent from legitimate (compromised) Gmail accounts hit inboxes worldwide. It was a simple email asking the recipient to click a link to open a Google Doc the sender was supposedly sharing with them.
We received one of these emails at about 1:30 pm central time and were notified by numerous people across a range of locations and businesses that they had also received a similar email.
After analyzing a few of these emails it was clear they were a phishing attempt. Only later did we come to appreciate how simple the mechanism was, and how effective.
After warning our clients we posted this warning on Twitter at 2:30 pm. This tweet was retweeted 139 times and viewed by over 50,000 people. Many others had already taken to Twitter to post similar warnings and word got out really fast.
Within a few hours Google had made their first statement saying the malicious content and redirect domains had been shut down. Nevertheless many accounts were compromised in those first couple of hours.
Google later put out a second statement that said the phishing campaign was halted "within approximately an hour" and that it "affected fewer than 0.1% of Gmail users." With roughly 1 billion Gmail users, 0.1% still works out to as many as 1 million affected accounts. Many question whether the attack was really shut down within an hour and think it was closer to two. Either way it was taken down very quickly, and it is remarkable that the viral propagation of this email (every compromised account mailed its own contacts) caused this much havoc in only a couple of hours. We will discuss that propagation in a subsequent technical analysis of the data retrieved from this attack.
What made this attack especially sinister is that it harnessed legitimate Google infrastructure. The attackers registered a third-party OAuth application through Google's developer console, complete with a valid client ID, so every page the victim interacted with was served by Google itself. The application was apparently not vetted before it went live, and it was for some reason allowed to use the display name "Google Docs" even though it was plainly not created by Google. Thus, other than the odd "hhhhhhhhhhhhhhhh(at)mailinator.com" address in the To: field (the real recipients were hidden), there were no telltale signs of a phishing email, and the message sailed through many mail security filters and corporate gateways.
Briefly, how it worked: the phishing email, which likely came from someone you already knew, appeared in your inbox saying the sender wanted to share a Google Doc with you. If you took the bait and clicked the Google Docs button you were sent to the real OAuth 2.0 authorization endpoint on accounts.google.com. There you saw a genuine Google consent screen asking whether to allow "Google Docs" to access your account, including your Gmail and contacts. If you clicked Allow, Google issued the attackers' application access and refresh tokens for your account, and the real fireworks began: the attackers could read your mail and address book, and the worm used that address book to mail itself to everyone you knew. This is what is loosely called an OAuth attack, or consent phishing. What makes it different from a credential phish is that the access you granted lives in those tokens, not in your password, so changing your password did not by itself cut the attackers off. To actually close the door you had to go into your Google security settings and revoke the permission granted to the malicious "Google Docs" app. Google provided a direct link (https://myaccount.google.com/u/0/permissions?pli=1) that makes this easy. Because the grant included Gmail access, it is also worth checking Gmail's forwarding and filter settings for anything you did not create. Much of the early advice simply told people to reset their passwords, which we now know was insufficient.
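The two properties described above, a hidden real recipient and a "share" link that leads to Google's consent screen rather than to a document, are exactly what a mail filter can key on. The following is an added example, not code from the original post: it parses a constructed sample message, pulls apart the OAuth authorization URL it links to, and reports indicators when a share notification requests mailbox or contact scopes for an app whose redirect goes off Google. The client ID, the sender, and the redirect host are placeholders, not values from the May 2017 campaign.

```python
"""Flag a 'shared a Google Doc' mail that is really an OAuth consent phish.

Added example, not code from the original post. Both messages below are
constructed; the client_id and redirect host are placeholders, not values
from the May 2017 campaign.
"""
import html
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import parse_qs, urlparse

# A genuine Drive share notification links to docs.google.com or
# drive.google.com; only a third-party app needs the consent screen.
CONSENT_HOST = "accounts.google.com"
# Substrings of scope URIs that grant mailbox or address-book access.
SENSITIVE_SCOPE_MARKERS = ("mail.google.com", "/auth/gmail", "/auth/contacts", "m8/feeds")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed phish: visible recipient is a throwaway, link is a consent request.
PHISH_EMAIL = """\
From: Alice Example <alice@example.org>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: Alice Example has shared a document on Google Docs with you
Content-Type: text/html; charset=utf-8

<p>Alice Example has invited you to view the following document:</p>
<a href="https://accounts.google.com/o/oauth2/auth?client_id=123-abc.apps.googleusercontent.com&amp;scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts&amp;response_type=code&amp;redirect_uri=https://docs.example-share.invalid/g&amp;access_type=offline">Open in Docs</a>
"""

# Constructed legitimate share for contrast: addressed to the owner, links to the doc.
LEGIT_EMAIL = """\
From: Alice Example <alice@example.org>
To: victim@example.com
Subject: Alice Example has shared a document on Google Docs with you
Content-Type: text/html; charset=utf-8

<a href="https://docs.google.com/document/d/1abc/edit">Open in Docs</a>
"""


def parse_oauth_requests(body_html):
    """Return every Google OAuth authorization request linked from the body."""
    requests = []
    for raw_url in URL_RE.findall(html.unescape(body_html)):
        url = urlparse(raw_url)
        if url.netloc.lower() != CONSENT_HOST or not url.path.startswith("/o/oauth2/"):
            continue
        query = parse_qs(url.query)  # decodes %20 between space-separated scopes
        requests.append({
            "client_id": query.get("client_id", [""])[0],
            "scopes": query.get("scope", [""])[0].split(),
            "redirect_host": urlparse(query.get("redirect_uri", [""])[0]).netloc.lower(),
        })
    return requests


def is_google_host(host):
    return host == "google.com" or host.endswith(".google.com")


def consent_phish_indicators(raw_message, mailbox_owner):
    """Return human-readable indicators; mailbox_owner comes from the delivery envelope."""
    msg = message_from_string(raw_message)
    indicators = []

    visible = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    if mailbox_owner.lower() not in visible:
        indicators.append(f"owner not in To: (visible recipients {visible})")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    subject = (msg["Subject"] or "").lower()
    for req in parse_oauth_requests(body):
        if "shared a document" in subject:
            indicators.append("share notification links to OAuth consent screen instead of docs.google.com")
        sensitive = [s for s in req["scopes"] if any(m in s for m in SENSITIVE_SCOPE_MARKERS)]
        if sensitive and not is_google_host(req["redirect_host"]):
            indicators.append(
                f"client {req['client_id']} requests {sensitive} with redirect to {req['redirect_host']}"
            )
    return indicators


if __name__ == "__main__":
    for name, mail in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, consent_phish_indicators(mail, "victim@example.com"))
```

The scope check is deliberately substring-based because the same permission can be requested under several scope URIs; tighten the marker list to your own tenant's policy. Note that a Google-hosted redirect does not by itself make a consent request safe, it only removes the one signal this heuristic uses.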
A number of twists and turns have occurred around this story in the 24 hours since it broke, and it may be some time before the actors and their intentions become clear. What is very interesting to us is that just last week Trend Micro published a two-year study of the Russian hacking group it tracks as Pawn Storm (also known as Fancy Bear, APT28 or Sofacy), one of the two Russian groups tied to the DNC breach. One of the techniques the report highlights is exactly this kind of OAuth consent phishing: a third-party app with a Google-sounding name that asks the victim to grant it access to their Gmail account, just as yesterday's "Google Docs" app did. See the Trend Micro report published April 25th, 2017, titled "From Espionage to Cyber Propaganda: Pawn Storm's Activities over the Past Two Years," and pay special attention to pages 21 and 22.
So the big question is whether yesterday's Google phishing / OAuth attack could have been the work of Pawn Storm, and if so, what the significance of yesterday was.