Google Says 12,000 Internet Users Were Hit By Government Hackers Within Months
Google says it has recently warned thousands of people who had been targeted by government hackers.
Data from Google’s Threat Analysis Group (TAG) showed that between July and September this year, it warned users across 149 countries that they were targeted by government-backed attackers. Most were based in America and 90% were targeted with phishing emails trying to steal users’ login details for Google accounts.
However, Google said the data was consistent with the number of warnings sent in the same period of 2018 and 2017.
TAG works to counter targeted and government-backed hacking against Google and the company's users. It tracks more than 270 targeted or government-backed groups from more than 50 countries. These groups have many goals including intelligence collection, stealing intellectual property, targeting dissidents and activists, destructive cyber attacks, or spreading coordinated disinformation. Google uses the intelligence it gathers to protect Google infrastructure as well as users targeted with malware or phishing.
Over 90 percent of these users were targeted via “credential phishing emails.” These are usually attempts to obtain the target’s password or other account credentials to hijack their account. Google encourages high-risk users—like journalists, human rights activists, and political campaigns—to enroll in the company's Advanced Protection Program (APP), which utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings. APP is designed specifically for the highest-risk accounts.
Last week at CyberwarCon, Google presented analysis about previously undisclosed campaigns from a Russia-nexus threat group called “Sandworm” (also known as “Iridium”). It’s an example of the type of detailed threat detection work that TAG does. Although much of Sandworm’s activity targeting Ukraine and their attacks against the 2018 Winter Olympics have been covered publicly, some campaigns have not been reported.
In December 2017, TAG discovered a series of campaigns from Sandworm attempting to deploy Android malware. The first campaign targeted users in South Korea, where Sandworm was modifying legitimate Android applications with malware. They then uploaded these modified apps to the Play Store using their own attacker-controlled developer accounts. During this campaign, Sandworm uploaded eight different apps to the Play Store, each with fewer than 10 total installs.
TAG also identified an earlier September 2017 Android campaign from Sandworm where they used similar tactics and deployed a fake version of the UKR.net email app on the Play Store. This application had approximately 1,000 total installs.
In November 2018, Google saw evidence that Sandworm had shifted from trying to upload malicious apps through attacker-controlled accounts to compromising legitimate developers. Throughout November, Sandworm targeted software and mobile app developers in Ukraine via spear phishing emails with malicious attachments. In at least one case, they compromised an app developer with several published Play Store apps, one with more than 200,000 installs.
After compromising the developer, Sandworm built a backdoor in one of the legitimate apps and attempted to publish it on the Play Store. They did this by adding their implant code into the application package, signing the package with the compromised developer’s key, and then uploading it to the Play Store. However, the Google Play Protect team caught the attempt at the time of upload. As a result, Google says no users were infected.
TAG also recently took action against Russia-affiliated influence operations targeting several nations in Africa. The operations use inauthentic news outlets to disseminate messages promoting Russian interests in Africa. Targeted countries included the Central African Republic, Sudan, Madagascar, and South Africa, and languages used included English, French, and Arabic.
In addition, TAG identified a campaign targeting the Indonesian provinces of Papua and West Papua with messaging in opposition to the Free Papua Movement. Google terminated one advertising account and 28 YouTube channels.