Google Blocked Russian Government Phishing Emails Targeting 14,000 Users

The company said it blocked an unusually high number of phishing emails from the hacking group known as APT28 or Fancy Bear.
Image: Leon Neal/Getty Images
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

On Wednesday, Google alerted approximately 14,000 users that they had been targets of Russian government sponsored hackers, according to a company employee.

Shane Huntley, the head of the Threat Analysis Group or TAG, Google's anti-hacker team, wrote on Twitter that his team had sent an "above average batch" of warnings. 


"These warnings indicate targeting NOT compromise. If we are warning you there's a very high chance we blocked," Huntley wrote in a thread on Thursday. "The increased numbers this month come from a small number of widely targeted campaigns which were blocked."

In a statement sent by a Google spokesperson, Huntley said that the warnings were related to a recent phishing campaign "targeting a large volume of Gmail users" by APT28, the Russian government hacking group responsible for some of the most high profile hacks of the last few years, including the hack on the Hillary Clinton campaign and the Democratic National Committee in 2016. 

Have you received one of these warnings recently? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at, or email

"100% of these emails were automatically classified as spam and blocked by Gmail," Huntley said in the statement. "As we always do, we sent those people who were targeted government backed attacker warnings. 

Google has been sending these types of warnings since 2012. In a 2018 blog, Huntley explained Google's approach when it comes to sending these warnings. The idea is to tell "a small minority of users in all corners of the world" that they are being targeted by government hacking groups such as APT28 or others. At the time, Huntley said that Google shows "thousands of these warnings every month."


In other words, government hacking groups targeting Google users is now part of life on the internet. But the volume in this case, and the fact that the 14,000 users were all targeted by one group is what stands out. Moreover, the campaign was global and targeted a broad group of people, including journalists, and members of different NGOs and think tanks, according to Google. 

"This particular campaign comprised 86% of the batch of warnings we sent for this month," Huntley said in the statement. 

That's the bad news: Russian government hackers are ramping up their attacks. The good news: Google is catching them, blocking the phishing emails, and alerting the targets. The company's goal is to make people aware that they are targets, while also encourage them to increase their defenses, such as using security keys instead of SMS or other less secure forms of multi-factor authentication, or enrolling in the company's Advanced Protection Program.

"So why do we do these government warnings then?" Huntley said. "The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions."

A tech worker from the US told Motherboard that they had received the warning on Wednesday.


The warning that the US tech worker received on Wednesday. (Image: Motherboard)

"I was mildly alarmed," the worker, who asked to remain anonymous as he didn't want to attract more attention from hackers, told Motherboard in an online chat. 

The worker said he was surprised to get the warning, as he doesn't think he does any sensitive work that would be interesting to government hackers. It's worth noting that this worker may not have been targeted in one of the campaigns led by APT28, but some other government hacking group since Google said not all the notifications they sent were related to Russian government hackers. 

"I'm a nobody," he said. "Definitely no fan of Putin's Russia, but I can't imagine it'd be worth targeting small fry like me."

This story was updated to add quotes from the anonymous tech worker who received the warning.

Subscribe to our new cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.