Chinese hackers used Google Calendar to target government agencies

Google says a Chinese-backed hacking group exploited Google Calendar to infect government agencies with malware.

Google Threat Intelligence explained Wednesday in a blog post that its researchers discovered the suspicious activity in October. They found an exploited U.S. government website used to host malware, dubbed “TOUGHPROGRESS” by the company.

Google says the malware was ultimately delivered through spear-phishing emails containing bogus files.

“APT41 sent spear phishing emails containing a link to the ZIP archive hosted on the exploited government website. The archive contains an LNK file, masquerading as a PDF, and a directory. Within this directory we find what looks like seven JPG images of arthropods,” the blog post reads. “When the payload is executed via the LNK, the LNK is deleted and replaced with a decoy PDF file that is displayed to the user indicating these species need to be declared for export.”

Google asserted with “high confidence” that the China-based hacking group APT41 was behind the malware operation.

The malware used Google Calendar for command and control (C2). Once the payload was delivered, the hackers gained access to a user’s Google Calendar and could read and write events. TOUGHPROGRESS then created a hard-coded calendar event containing data collected from the host and encrypted it.

The hackers then used the malware to decrypt that data before encrypting it again and writing it into a different calendar event.
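The C2 pattern described above hides encrypted host data inside the body of a calendar event. As an added example (not code from the article or from Google's report), the following Python triage script flags calendar events whose description is one long opaque blob of near-random bytes; the event record shape, the assumption that the encrypted data is base64-encoded, and the entropy threshold are all illustrative assumptions.

```python
"""Triage exported calendar events for encrypted C2-style payloads.

Added example; the event format, base64 encoding and thresholds are assumptions.
"""
import base64
import binascii
import math
from typing import Iterable, List, Optional

# Constructed sample events. evt-3 carries a base64 blob of 256 distinct byte
# values, standing in for an encrypted payload; evt-2 is base64 of plain text.
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Export compliance sync",
     "description": "Quarterly review with the export compliance team."},
    {"id": "evt-2", "summary": "Notes",
     "description": base64.b64encode(b"Meeting notes " * 8).decode()},
    {"id": "evt-3", "summary": "x",
     "description": base64.b64encode(bytes(range(256))).decode()},
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_opaque_blob(text: str, min_len: int = 64) -> Optional[bytes]:
    """Return decoded bytes if the whole description is one base64 blob."""
    stripped = "".join(text.split())
    if len(stripped) < min_len:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def flag_suspicious_events(events: Iterable[dict],
                           entropy_threshold: float = 7.0) -> List[str]:
    """Return ids of events whose body decodes to high-entropy bytes.

    A body that is nothing but a long blob of near-random bytes is the
    footprint of encrypted data stashed in an event, not a human note.
    """
    flagged = []
    for ev in events:
        blob = decode_opaque_blob(ev.get("description", ""))
        if blob is not None and shannon_entropy(blob) >= entropy_threshold:
            flagged.append(ev["id"])
    return flagged
```

Run against an export of events from a calendar audit log rather than this constructed sample; the plain-text and low-entropy base64 events pass, and only the opaque blob is returned for review.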

Since discovering the threat, Google Threat Intelligence developed custom “fingerprints” to identify and eliminate the hacker-controlled calendars. According to Google, its engineers have safely eliminated APT41’s hacking infrastructure and added domains and URLs used by the hackers to Google’s Safe Browsing blocklist.

Google explained that APT41 is a dangerous and international hacking group whose targets include governments and private companies in the automotive, entertainment and technology fields.

In 2020, the Department of Justice accused seven individuals of participating in a Chinese-backed hacking ring. The group included five Chinese nationals and two Malaysians, whom the Justice Department said installed software backdoors at technology companies that allowed them to collect data.

“We’re here today to tell these hackers and the Chinese government officials who turned a blind eye to their activity that their actions are once again unacceptable, and we will call them out publicly,” then-FBI Deputy Director David Bowdich said in 2020.
