Fancy Bear Group Uses Google Infrastructure To Attack Gmail Users

Fancy Bear hackers are very clever about the way they exploit legitimate services

Various security researchers have uncovered a complicated campaign of disinformation and online hacking that hacked over two hundred Gmail users.

Russia is known for two things.

One is that the country has the largest number of nuclear missiles, ahead of the USA.

Two is that Russia elected Trump to lead the United States of America for the next four years, not the American people.

What doesn’t get as much media attention is Russian hackers.

They are all over the place it seems.

Recent reports in the media say that Russian hackers who work for the Russian government have figured out a clever little way to hack Gmail users.

That is, by using Google’s other services.

Russian hackers can use Google’s online services to hack Gmail accounts at will.

Of course, there are other techniques to hack Gmail users as well, but this seems to be the most counter-intuitive.

What does Google have that hackers can use to hack the company’s own customers?

Russian espionage campaigns are nothing new.

And that’s exactly what some researchers exposed last Thursday.

Russian hackers also complemented the espionage campaign with a disinformation campaign.

They used pre-designed emails to deceive users and make them give up their personal information such as passwords.

In the cyber security world, this technique goes by the name of phishing.

Throughout the duration of the campaign, Russian hackers targeted over two hundred email users.

All of them, later, became victims.

Researchers have also found out that Russian hackers targeted individuals who worked in the journalism industry.

They also hacked activists who did not agree with some of the policies implemented by the Russian government.

Moreover, hackers targeted people with Ukrainian military affiliations along with high-ranking officials in global energy companies located all over the world.

The report which discusses more details about the Russian hack campaign came on the scene about a week ago.

Citizen Lab, which is a digital rights research group at the University of Toronto’s Munk School of Global Affairs, had researchers look into the campaign.

These researchers managed to search for and then identify all email scam victims.

As it turns out, two of these phishing emails left behind some clues.

Researchers pounced on these clues to identify victims.

The two phishing emails used by the researchers were sent to a man named David Satter.

David Satter is an academic who previously wrote about Soviet and modern Russia.

He is also an American journalist.

Moreover, David has been banned from Russia since 2014 for his work.


Russian Hackers And Otherwise Have Targeted Other People As Well

Some Google services are not secure.

Other prominent phishing attacks that people have witnessed have previously hacked individuals who had affiliations with the Hillary Clinton campaign.

That phenomenon eventually led to last year’s DNC leaks.

As most of us already know now, the email in those hacks did not originate from Google.

The hackers behind that email had a name.

That name was Fancy Bear.

They are also known as APT28.

Many investigators believe that this is the same group of hackers that works for the military intelligence agency in Russia, the GRU.

The Phishing Email Details

The phishing email usually starts off by telling the user to change his/her password.

In other words, the email comes with a link that has Change Password written on it.

This button also links to a short URL.

The URL is made via a link shortener service

Most of our readers will be familiar with Bitly, another link shortener service. is a Bitly competitor.

Russian hackers used clever techniques to disguise the Change Password button link as a genuine link.

How did they achieve that?

They used Google’s Accelerated Mobile Pages service. In other words, they used AMP.

What is AMP?

AMP is a Google-hosted online service which is designed to make web pages load faster on mobile devices.

The product is especially aimed at publishers around the world.

How does AMP exactly work?

AMP, in practice, creates a simple copy of a given website’s page.

It hosts this copy on Google servers.

That’s all great.

But AMP also tends to act as an open redirect.

That is problematic, according to security researchers at Citizen Lab.

The report from Citizen Lab said that Russian hackers made use of Google AMP to dupe email user targets.

This led the email users to think that the “Change Password” email came from Google itself.

John Scott-Railton, a senior researcher at Citizen Lab, told Motherboard in an interview that the hackers played a percentage game: they may not get every email user to click on the phishing email.

He further said that hackers relied on these percentages to get to some of the users.

Hackers Don’t Want To Hack Everyone. But They Do Want To Hack Someone.

Hackers use disguised emails to trick Gmail users.

Hackers designed the button in such a way that if a victim hovered over the Change Password button in order to inspect the sent link, they would only see a URL that begins with something like

It is pretty safe to assume that most email users would trust this link as it seems to have come from Google.

Of course, the complete URL is followed by the tiny link shortener service we talked about before, Tiny.cc.

The part of the URL is something that, according to Scott-Railton, most users do not bother to notice.

As an example, the complete sent phishing link could look something like this,

Hackers can then use Google’s very own online redirect service to bypass Gmail’s default filters, which automatically protect users against cyber threats such as malicious online messages and spam.
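As an added example (not from the original article or from Citizen Lab), the following Python code shows how a mail filter or analyst could unwrap a Google AMP link and report the host it actually leads to instead of the Google host a user sees on hover. The `/amp/<host>/...` and `/amp/s/<host>/...` path layout, the shortener list, the function names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumed AMP viewer layout: https://www.google.com/amp/<host>/<path>,
# with an extra "s" segment (/amp/s/<host>/...) for HTTPS origins.
AMP_HOSTS = {"google.com", "www.google.com"}
# Constructed shortlist of shortener domains; extend it for your environment.
SHORTENERS = {"bit.ly", "tiny.cc", "tinyurl.com", "goo.gl"}

def unwrap_amp(url):
    """Return the URL wrapped by a Google AMP link, or None if not AMP."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in AMP_HOSTS:
        return None
    # Decode first so an encoded slash (%2F) cannot hide the inner host.
    segs = [s for s in unquote(parts.path).split("/") if s]
    if not segs or segs[0].lower() != "amp":
        return None
    segs, scheme = segs[1:], "http"
    if segs and segs[0] == "s":
        segs, scheme = segs[1:], "https"
    if not segs or "." not in segs[0]:
        return None  # no hostname-like segment after /amp/
    return f"{scheme}://" + "/".join(segs)

def assess_link(url, max_depth=3):
    """Peel nested AMP wrappers and report where the link really leads."""
    current, hops = url, 0
    while hops < max_depth and (inner := unwrap_amp(current)):
        current, hops = inner, hops + 1
    final_host = (urlsplit(current).hostname or "").lower().removeprefix("www.")
    return {
        "displayed_host": urlsplit(url).hostname,  # what a hover check shows
        "final_url": current,
        "final_host": final_host,
        "amp_wrapped": hops > 0,
        # Flag a Google-fronted link whose real destination is a shortener.
        "suspicious": hops > 0 and final_host in SHORTENERS,
    }

# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://www.google.com/amp/tiny.cc/example123",
    "https://www.google.com/amp/s/www.example.org/news/story.html",
    "https://accounts.google.com/signin",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(assess_link(link))
```

Only the first sample is flagged: it displays a Google host but resolves to a shortener, which is the combination the article describes.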

Now, perhaps we should also mention that Citizen Lab did not directly blame Fancy Bear as the instigator of this phishing email campaign.


Because Fancy Bear did not send the email.

It turns out, annaablony[@] sent the phishing mail to all targeted Gmail users.

Here is the thing though:

Fancy Bear used the same email address to register a domain name back in 2015.

That is according to a new report from ThreatConnect, a security firm.

Russian hackers used another domain name in October cyber attacks.

Citizen Lab exposed these and linked them back to Fancy Bear as well, according to a report from SecureWorks.

SecureWorks also tracked down the phishing email campaign that hacked the DNC and the Hillary Clinton presidential campaign last year.

Hackers Have Launched Multiple Phishing Scams Before And Are Likely To Launch Them Again In The Future As Well

There is one curious aspect about the whole situation:

Hackers launched the phishing email campaign that targeted Satter just a few days before the internet giant, Google, warned specific Russian activists and journalists about a possible attack.

Google warned these Russian journalists that the Russian government had backed some hackers.

And these hackers were constantly trying to target them via online services such as the malicious URL shortener links.

Most of us already know that hackers attacked Satter in October 2016.

What most of us don’t know is that hackers targeted two hundred more individuals as well.

As we mentioned before, the hackers made use of the Google AMP trick to fool email users.

Back then, the AMP technique worked flawlessly.

Google didn’t bother to block the exploit back then.

In fact, Google has even dismissed security concerns regarding open redirectors in the past as well.

The company representatives have argued that a small number of redirectors which are properly monitored provide great benefits.

And that these redirectors pose very little real-world risk.

Last Thursday though, the representative from Google said something else.

Why Won’t Google Fix Its Online Services To Provide Users With More Security?

A Google spokesperson told reporters that engineers at the company have known about the Google AMP security issue for quite some time.

The spokesperson also said that as early as last year, Google AMP URLs began to show a warning message if Google systems detected that the link is not safe to open.

Users who want to see an example can go here.

Regardless, security researchers think that these links are still dangerous.

Nicholas Weaver, who is a senior researcher at the International Computer Science Institute at UC Berkeley, told Motherboard via email that the Google AMP service’s behavior as an open redirect for desktop browsers had some problems.

Mainly that the hackers could abuse the Google AMP service in such previously-mentioned situations.

He also said that hackers could abuse the service in general as well because it was trivial to do so.

Weaver said, of course, that Google probably kept this behavior on purpose, because there were undoubtedly engineering tradeoffs he did not know of that caused the company to maintain the service as it is.

Apart From Google AMP, Are Other Google Services Secure?


The one thing we know for sure is that the whole Google infrastructure is huge.

And that’s why Google redirectors are unlikely to be the only Google service that has these flaws.

There is no telling whether hackers belonging to the Fancy Bear group might have taken advantage of other Google services as well.

As far as this phishing scam goes, researchers at Citizen Lab also found a URL, shortened via Tiny.cc, that targeted another email address:


According to some other security researchers, Fancy Bear used this email address to test their own cyber attacks before “officially” launching them in the wild.

If one makes his/her way to the Google Plus page associated with that email address, the page is populated with real and legitimate images that Gmail uses to inform Gmail users of any security alerts.

Though, at this moment in time, researchers don’t know the exact use of these images.

Or if the hackers indeed used these images from the start.

The obvious use of these images is simple:

Attach these images to phishing messages and then send them to Gmail users.

Some researchers suspect that this is exactly what hackers did with these images.

They tricked users by embedding these “real” images in phishing emails.

But you can’t really fault the Gmail user community on this.

Because it is Google who hosts these images on Google Plus.

And hackers used this fact to thwart Gmail security controls that help keep spam and phishing emails at bay.

Fancy Bear Hackers Are Celebrities In The Underworld

The Fancy Bear hacking group also hacked Clinton’s presidential campaign.

The Fancy Bear hacking group is popular.

It is popular because of the way it carries out its phishing scams.

Mostly, the group uses URL shorteners in all its big and rather high-profile hacking campaigns.

But URL shorteners aren’t themselves reliable either.

Sometimes, these services don’t work.

Hackers get confused and their nefarious plans are revealed because the URL shortening service malfunctions.

Whenever this scenario takes place, it is easy to tell who the hackers targeted in their scam campaigns.

As indicated before, the Fancy Bear group also targeted the Hillary Clinton campaign.

They did so in the period between March 2015 and May 2016.

This is, of course, just a small part of their overall operations.

Fancy Bear hackers hacked John Podesta who served as the chairman of Hillary Clinton’s campaign.

These hackers also hacked Colin Powell, former National Security Advisor.

Overall, Fancy Bear hackers targeted over 6000 people.

The hacking group used over 19,000 phishing links to trap individuals.

A few of those phishing links used the Bitly service to shorten the actual phishing URL.

Bitly URLs aren’t known for their security or anonymity.

In other words, URLs which are shortened by Bitly are vulnerable to decoding.

Security researchers can then easily figure out who Fancy Bear hackers targeted with these phishing emails.

More Similar Cases

Citizen Lab security researchers also found and identified victims via a specific pattern.

URL shortening services used this pattern to create short URLs.

Security researchers at Citizen Lab figured out this pattern.

Adam Hulcoop, a research fellow, explained to a Motherboard reporter that the URL pattern was chronological in nature.

This fact allowed researchers to start their study from the links hackers sent to Satter.

Then the researchers guessed other links that hackers had created at similar times.

Of course, no one knows why hackers continue to rely on URL shortening services such as or Bitly.

After all, these services do end up exposing them and parts of their malicious operations.

But researchers only find this out months after the scam has taken place.






Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.