I don’t like this new thing where I’m going about my own damn business and suddenly end up on the front lines of the hybrid war, but that’s the cyberpunk dystopia we live in now. Like nearly everyone inside the Beltway, my workplace got hit with the Google Docs OAuth worm yesterday afternoon around 1500. Thanks to Zeynep Tufekci’s efforts on Twitter, I was wise to it well before we actually saw one, and I managed to head my idiot comrades off from clicking on any of them. I found myself speculating wildly this morning in a Twitter thread, but that’s the rankest Jeet-Heerishness so I’m hopping over to the blog where this belongs. If you don’t know what an OAuth phish is, read this.
It’s much too early for attribution, of course, but last time something like this happened, it came from APT28, who, as you may recall from my It Was The Russians attribution roundup post a few weeks ago, are the Russians. While I should probably wait for further information from those who saw the landing page while there was still a domain to WHOIS, I’m inclined to believe this was intel collection— not necessarily from Moscow— until we have some negative confirmation. What little I’ve seen of the WHOIS data (Google nuked everything before I got to clap eyes on the genuine article) shows the domains were all registered before TrendLabs’ report on APT28’s use of faux-Google OAuth exploits. The apparent targets are consistent with the intel theory, as is the technique, if you look at it from a spyish angle instead of a hackish one.
The best argument against a state-level actor is that the phish was a dragnet. Past OAuth worms and other phishing campaigns from APT28 and Friends have overwhelmingly been spearphishes. By contrast, this looks to many people like it could be a bunch of rubes looking to make a buck.
Tell me another one.
The targets involved were media, feds, NGOs, contractors, and apparently academia. The business sector only seems to have caught it secondhand. This is consistent with the interests of an intelligence service, but not with financial motives. It’s still unclear where it began, but according to the above Gizmodo article, EFF thinks it may have started at Buzzfeed. My own first hint of incoming fire was chatter early yesterday afternoon about a Google Docs phish affecting journalists and media companies. I put out some feelers and started hearing about it directly from friends in politics and the media around 1400 yesterday. In DC it spread fast, like the bubonic plague-themed illustration of exponential growth that my middle school algebra teacher put on for the edification and amusement of a bunch of morbid eighth graders, hopping from journalists onto government networks and thence to NGOs and the private sector. The ones I saw all came from a compromised address at USAID.
Then, the hard part of a spearphish is the intel-gathering that has to happen beforehand. Public-facing social media will only tell you so much. You’re not going to find out about a journalist’s confidential sources there, and many feds avoid realname social media entirely, because of the inherent opsec problem. If only there was an easy way to map social networks in Washington so you could narrowly focus your OSINT efforts on the likeliest victims.
Enter a malicious Google app that siphons up your contacts and blasts itself out to your entire network. That Mailinator address, presumably intended to detect whether the messages sent successfully, was CCed for every single hop the phish made between accounts. Someone has that full dataset somewhere, even though Google nuked the app and the related domains, and is making it into a lovely network graphic with pretty colors and all.
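The same shared Cc address that hands the sender a dataset also gives defenders a pivot for scoping. The sketch below is an added example, not part of the original post: it replays mail headers in time order and rebuilds the hop graph for one organization. The marker address, the mailboxes, the dates and the assumption that any account sending marker-Cc'd mail had authorized the app are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Placeholder for the shared Cc address; the post does not give the real one.
MARKER = "canary-placeholder@mailinator.com"

def _hdr(frm, to, cc, hhmm):
    """Build constructed RFC 5322 headers for the sample below (not real mail)."""
    cc_line = f"Cc: {cc}\n" if cc else ""
    return (f"From: {frm}\nTo: {to}\n{cc_line}"
            f"Date: Mon, 01 Jan 2024 {hhmm}:00 +0000\nSubject: shared a document\n\n")

# Constructed sample: three worm hops plus one ordinary message.
SAMPLE = [
    _hdr("staff@ngo.example", "vendor@contractor.example", MARKER.upper(), "14:45"),
    _hdr("reporter@news.example", "fed@agency.example, editor@news.example", MARKER, "14:00"),
    _hdr("editor@news.example", "fed@agency.example", "", "14:30"),
    _hdr("fed@agency.example", "staff@ngo.example", MARKER, "14:20"),
]

def trace_spread(raw_messages, marker):
    """Return senders, passive recipients, origins and edges for marker-Cc'd mail."""
    marker = marker.lower()
    hops = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        cc = {addr.lower() for _, addr in getaddresses(msg.get_all("Cc", []))}
        if marker not in cc:
            continue  # not part of the campaign
        sender = getaddresses(msg.get_all("From", []))[0][1].lower()
        rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
        hops.append((parsedate_to_datetime(msg["Date"]), sender, rcpts))
    hops.sort(key=lambda h: h[0])  # replay in time order

    senders, received, origins, edges = set(), set(), [], []
    for _, sender, rcpts in hops:
        # A sender with no earlier inbound worm mail in this data set is a
        # candidate entry point (or was infected from outside our visibility).
        if sender not in received and sender not in senders:
            origins.append(sender)
        senders.add(sender)
        for rcpt in rcpts:
            edges.append((sender, rcpt))
            received.add(rcpt)
    return {"authorized_app": senders, "received_only": received - senders,
            "origins": origins, "edges": edges}
```

Accounts under `authorized_app` are the ones whose third-party app grants need reviewing and revoking; `received_only` accounts got the lure but, in this data, never forwarded it.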
As a phish searching for financial data, this campaign isn’t the greatest: it doesn’t catch any credentials that could be checked against banks or other accounts, and there doesn’t seem to have been a malware payload besides the mischievous app. As a way to map networks and gather intelligence for a more sophisticated spearphishing campaign while looking like stupid crime, it’s brilliant. So if there’s another, more subtle round of OAuth spearphishes hitting intel targets any time soon, you’ll find me at a corner table at the Hamilton in the most disreputable clothes I own, inhaling cocktails and looking smug.