Google warns journalists and professors: Your account is under attack

Google is warning prominent journalists and professors that nation-sponsored hackers have recently targeted their accounts, according to reports delivered in the past 24 hours over social media.

The people reportedly receiving the warnings include Nobel Prize-winning economist and New York Times columnist Paul Krugman, Stanford University professor and former US diplomat Michael McFaul, GQ correspondent Keith Olbermann, and according to this tweet, Politico, Highline, and Foreign Policy contributor/columnist Julia Ioffe; New York Magazine reporter Jonathan Chait; and Atlantic magazine writer Jon Lovett. Reports of others receiving the warnings are here and here. Many of the reports included banners that Google displayed when account holders logged in. Ars spoke to someone who works for a well-known security company who also produced an image of a warning he received. The person said he was aware of a fellow security-industry professional receiving the same warning.

One of the red banners included large white text that stated: "Warning: Google may have detected government-backed attackers trying to steal your password." It included a link that led to advice for securing accounts. Some of the people who received the warning reported their accounts were protected by two-factor authentication, which requires a piece of cryptographic hardware or a one-time password that's sent through a mobile device. Google has been sending warnings of nation-sponsored hacking attempts since 2012.

A Google spokesman, citing this overview of the warnings, said it's possible that the recent flurry may refer to hacking attempts that happened over the past month, as opposed to events that occurred more recently. He said Google officials deliberately delay warnings to prevent those behind the attacks from learning researchers' sources and methods for detecting the attacks. The delays apply only to attack attempts, rather than cases where attacks result in a successful account takeover.

Assuming the warnings concern older attacks, it's possible they stem from a spear phishing campaign that security firm Volexity tied to Russian government hackers. Company researchers said the campaign began a few hours after Donald Trump won the US presidential election on November 8 and targeted non-governmental organizations and think tanks. The hackers had ties to one of the groups behind breaches of the Democratic National Committee. As Ars IT Editor Sean Gallagher reported:

According to Volexity's data, the threat group sent e-mails from purpose-built Gmail accounts and what may be a compromised e-mail account from Harvard University's Faculty of Arts and Science. The phishing e-mails dropped a new variant of backdoor malware dubbed "PowerDuke" by Volexity, and this malware gave attackers remote access to compromised systems. Volexity has been tracking a number of campaigns based on PowerDuke since August, when some "highly targeted" malicious e-mails were sent to individuals at a number of policy research organizations in the US and Europe. The e-mails were disguised as messages from the Center for a New American Security (CNAS), Transparency International, the Council on Foreign Relations, the International Institute for Strategic Studies (IISS), and Eurasia Group. Another wave of similar e-mails targeted universities in October.

The latest round of e-mails, sent out on November 8 and 9, "were sent in large quantities to different individuals across many organizations and individuals focusing in national security, defense, international affairs, public policy, and European and Asian studies," Adair wrote. "Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving insight and perhaps a postmortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to the election’s outcome being revised or rigged. The last attack claimed to be a link to a PDF download on 'Why American Elections Are Flawed.'"

It's not certain that the PowerDuke campaign and the flurry of Google warnings are connected, but there are enough similarities to entertain the possibility. Ars reached out to most of the people who reported getting the warnings, but didn't receive a response before this post went live.