Application security, Threat Intelligence, Malware

Google to warn users if hackers are state sponsored

Google announced Tuesday that it will begin warning Gmail users if they are being targeted by state-sponsored attacks in hopes that they can take "immediate steps" to secure their accounts.

Adversaries who are state-sponsored typically launch sophisticated, well-funded attacks at their targets with the goal of stealing sensitive information, often used for spying purposes. More than two years ago, Google itself was the target of an espionage campaign, believed to have been orchestrated by state-backed Chinese hackers.

"We are constantly on the lookout for malicious activity on our systems, in particular attempts by third parties to log into users' accounts unauthorized," Eric Grosse, vice president of security engineering at Google, wrote in a blog post. "When we have specific intelligence -- either directly from users or from our own monitoring efforts -- we show clear warning signs and put in place extra roadblocks to thwart these bad actors."

The alert will show up as a pop-up below the Google navigation bar. It would state: "We believe state-sponsored attackers may be attempting to compromise your account or computer."

Privacy researcher Chris Soghoian praised Google for the new functionality, which complements other free security efforts put forth by the tech giant, including malware download warnings, multifactor authentication in Gmail and HTTPS by default. He said he is curious how deep into the Google portfolio, which includes the Chrome browser and Android operating system, this new visibility will extend.

"Google is better than the norm," Soghoian told SCMagazine.com on Tuesday. "Most companies don't tell you when there's any suspicious activity on your account. This is something users usually expect from credit card companies."

“I think this only serves to create more concern on behalf of the Google customer.”

– Jeffrey Carr, founder and CEO of Taia Global

If users receive the warning, Grosse recommended that they immediately take certain precautions, including creating a complex password, enabling two-factor authentication and ensuring their operating system and software is updated with the latest patches.

Still, Soghoian said Google can only do so much to protect its users against something as stealthy and dedicated as a state-sponsored attack.

"There's only so much you can do when you literally have an army trying to get into your inbox," he said. "It's not a fair fight."

For Jeffrey Carr, founder and CEO of Taia Global, a cyber security firm, the news from Google raised more questions than answers.

"I think this only serves to create more concern on behalf of the Google customer," Carr said. "It just feels like there is some marketing edge to this."

Among his holdups, Carr wondered how Google could determine whether something is state-sponsored, especially considering most attack types spread by tricking users into clicking on a malicious email link or attachment.

"I don't understand what the motivation is," he told SCMagazine.com on Tuesday. "It's impossible for them to say this was state-sponsored because spear phishing is done by everyone."

Ron Deibert, professor of political science and director of The Citizen Lab at the Munk School of Global Affairs at the University of Toronto, raised similar doubts that Google could definitively pinpoint an attack as state sponsored.

"How [do] they determine attribution, which is an extraordinarily tricky question?" he told SCMagazine.com.

Google remained coy: "You might ask how we know this activity is state-sponsored," Grosse wrote. "We can't go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis -- as well as victim reports --strongly suggest the involvement of states or groups that are state-sponsored.

Carr and Deibert also questioned whether Google would offer the same warning to its users if it believed they were being targeted by a U.S.-sanctioned cyber attack. On Friday, a New York Times story revealed that President Obama ordered the use of the Stuxnet worm to set back Iran's nuclear program.

Soghoian agreed, saying Google's relationship with the National Security Agency, which reportedly worked with Google following the Chinese attacks, known as Operation Aurora, likely would be soiled if it tipped someone off about a U.S.-led attack.

A Google spokesman declined to comment on the record.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.