Google, whose users have been frequent targets of suspected attacks by foreign governments, is deploying a new warning system for users who may be victims of those kinds of attacks. The new system is in addition to existing warnings that Google will show Gmail users when their accounts may have been accessed by attackers.
Gmail users have been on the receiving end of a number of known attacks, including the infamous Google Aurora attack that has been blamed on China. Part of that operation was aimed at a specific subset of Gmail users, including Chinese dissidents and journalists. Now, Google says it will warn users about exactly the kind of activity that resulted in that compromise. The company says it always is looking for potentially state-sponsored attacks on its own networks and will provide users with the benefit of that monitoring.
“Today, we’re taking that a step further for a subset of our users, who we believe may be the target of state-sponsored attacks. If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware for example, and that you should take immediate steps to secure your account,” Google’s Eric Grosse, VP of security engineering, said in a blog post.
“Here are some things you should do immediately: create a unique password that has a good mix of capital and lowercase letters, as well punctuation marks and numbers; enable 2-step verification as additional security; and update your browser, operating system, plugins, and document editors. Attackers often send links to fake sign-in pages to try to steal your password, so be careful about where you sign in to Google and look for https://accounts.google.com/ in your browser bar. These warnings are not being shown because Google’s internal systems have been compromised or because of a particular attack. “
The ability for Google to show this kind of warning to users obviously means that the company has the capability to identify attacks that it believes are coming from foreign governments–or their hired guns. Identifying attackers by their source IP address is a notoriously inaccurate method and even that basic method would only provide a general geographic location and no information on the attacker’s intent or affiliation. Google could be using that as a starting point, however, and extending it to include the identification of traffic from known-bad IP blocks.
Google, of course, isn’t interested in discussing the details of its detection methods.
“You might ask how we know this activity is state-sponsored. We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored,” Grosse said.
Google has been providing warnings to users about potential unauthorized activity on Gmail accounts for some time now, prompting users to change their passwords or take other measures. Those warnings are based on access to accounts from IP address locations that seem to be outside the user’s normal behavior pattern.