2020-10-19

With November 3 just around the corner, the date of the 2020 US presidential election is getting closer and closer. To avoid a repeat of the 2016 scandal, in which foreign ‘actors’ played an important role in disrupting the free democratic process through their cyberattacks, giants like Facebook are seeking to shield themselves.

But, with just a couple of weeks to go, things are not easy, because it seems that half the world is trying to torpedo the process, or at least to disrupt it online.

Google TAG

For those of you who don’t know, Google has a special team called TAG, the Threat Analysis Group, a specialized team of security experts that works to “identify, report and stop government-backed phishing and hacking against Google and the people who use our products”. TAG works across Google products to identify new vulnerabilities and threats, and from time to time it shares its latest findings on its official blog.

Looking ahead to the next US elections, TAG has for months been identifying attempted ‘phishing’ attacks around the US presidential elections by Iranian and Chinese attack groups, the latter going so far as to impersonate McAfee antivirus.

Iran and China against US democracy

In June, the team reported the detection of phishing attempts against the personal email accounts of Biden and Trump campaign employees by Chinese and Iranian APTs (Advanced Persistent Threats) respectively. The Iranian group of attackers (APT35) and the Chinese group of attackers (APT31) targeted the personal emails of campaign employees with credential-phishing emails and emails containing tracking links.

TAG states that “we have not seen any evidence that such attempts have been successful. As part of our broader monitoring of APT31 activity, we have also seen them deploy targeted malware campaigns.” In fact, one APT31 campaign was based on sending emails with links that ultimately downloaded malware hosted on GitHub. The malware was a Python-based implant (Python being a high-level programming language) that used Dropbox for command and control, which would allow the attacker to upload and download files as well as execute arbitrary commands.

Every malicious piece of this attack was hosted on legitimate services, making it difficult for security software to rely on network signals alone for detection. In fact, in one of the examples the attackers posed as the well-known McAfee antivirus. The goal was to get the victim to install a legitimate copy of McAfee antivirus software from GitHub, while the malware was simultaneously and silently installed on the system.
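Because both the hosting (GitHub) and the command channel (Dropbox) are legitimate services, neither connection is suspicious on its own; what a defender can look for is the sequence on a single host. The following is an added example, not code from the article or from Google TAG: a small Python correlation check over constructed endpoint telemetry that flags an interpreter process beaconing to the Dropbox API shortly after the same host fetched something from GitHub. The log format, the host and process names and the domain lists are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed stand-ins for the "legitimate hosting" and "legitimate C2" services
# the article describes; adjust to the services relevant in your environment.
HOSTING = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
C2_SERVICES = {"api.dropboxapi.com", "content.dropboxapi.com"}
INTERPRETERS = {"python.exe", "pythonw.exe", "python", "python3"}

# Constructed telemetry: "<ISO time> <host> <pid> <process image> <destination>"
SAMPLE_LOG = """\
2020-10-01T09:00:00 WS-042 4120 chrome.exe mail.example.test
2020-10-01T09:03:10 WS-042 4120 chrome.exe objects.githubusercontent.com
2020-10-01T09:03:45 WS-042 5304 McAfeeSetup.exe download.example.test
2020-10-01T09:04:02 WS-042 5320 pythonw.exe api.dropboxapi.com
2020-10-01T10:15:00 DEV-007 2210 python3 api.dropboxapi.com
2020-10-02T08:00:00 WS-099 3000 chrome.exe raw.githubusercontent.com
""".splitlines()

def parse(line):
    ts, host, pid, proc, dest = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "pid": int(pid), "proc": proc, "dest": dest}

def find_suspicious(lines, window=timedelta(minutes=30)):
    """Return (host, pid, process, destination) for interpreter processes that
    beacon to a C2-capable service within `window` after the same host fetched
    something from a code-hosting service. Either event alone is normal; the
    sequence on one host is what earns a closer look."""
    by_host = defaultdict(list)
    for e in sorted(map(parse, lines), key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    hits = []
    for host, events in by_host.items():
        fetch_times = [e["ts"] for e in events if e["dest"] in HOSTING]
        for e in events:
            if e["proc"].lower() not in INTERPRETERS or e["dest"] not in C2_SERVICES:
                continue
            if any(timedelta(0) <= e["ts"] - t <= window for t in fetch_times):
                hit = (host, e["pid"], e["proc"], e["dest"])
                if hit not in hits:
                    hits.append(hit)
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("review:", *hit)
```

In the sample, only WS-042 is flagged: DEV-007 talks to Dropbox with no preceding GitHub fetch, and WS-099 fetches from GitHub without a later beacon, so both stay quiet.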
