Google Warning Users About State-Sponsored Attacks

Google, whose users have been frequent targets of suspected attacks by foreign governments, is deploying a new warning system for users who may be victims of those kinds of attacks. The new system is in addition to existing warnings that Google will show Gmail users when their accounts may have been accessed by attackers.

Gmail users have been on the receiving end of a number of known attacks, including the infamous Google Aurora attack that has been blamed on China. Part of that operation was aimed at a specific subset of Gmail users, including Chinese dissidents and journalists. Now, Google says it will warn users about exactly the kind of activity that resulted in that compromise. The company says it is always looking for potentially state-sponsored attacks on its own networks and will provide users with the benefit of that monitoring.

“Today, we’re taking that a step further for a subset of our users, who we believe may be the target of state-sponsored attacks. If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware for example, and that you should take immediate steps to secure your account,” Google’s Eric Grosse, VP of security engineering, said in a blog post.

“Here are some things you should do immediately: create a unique password that has a good mix of capital and lowercase letters, as well as punctuation marks and numbers; enable 2-step verification as additional security; and update your browser, operating system, plugins, and document editors. Attackers often send links to fake sign-in pages to try to steal your password, so be careful about where you sign in to Google and look for https://accounts.google.com/ in your browser bar. These warnings are not being shown because Google’s internal systems have been compromised or because of a particular attack.”

The ability for Google to show this kind of warning to users obviously means that the company has the capability to identify attacks that it believes are coming from foreign governments–or their hired guns. Identifying attackers by their source IP address is a notoriously inaccurate method and even that basic method would only provide a general geographic location and no information on the attacker’s intent or affiliation. Google could be using that as a starting point, however, and extending it to include the identification of traffic from known-bad IP blocks.

Google, of course, isn’t interested in discussing the details of its detection methods.

“You might ask how we know this activity is state-sponsored. We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored,” Grosse said.

Google has been providing warnings to users about potential unauthorized activity on Gmail accounts for some time now, prompting users to change their passwords or take other measures. Those warnings are based on access to accounts from IP address locations that seem to be outside the user’s normal behavior pattern. 
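As an added illustration (not Google's code, whose detection methods are undisclosed, and not part of the original article), the Python sketch below flags logins from a location outside a user's established pattern and logins from known-bad IP blocks. The geolocation table, blocklist, login records, and the names `country_of` and `review_logins` are all constructed or hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: RFC 5737 documentation ranges stand in for real networks.
GEO = {  # hypothetical network -> country lookup
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "BR",
}
KNOWN_BAD = [ipaddress.ip_network("203.0.113.128/25")]  # hypothetical blocklist

LOGINS = [  # constructed (user, source IP) records, oldest first
    ("alice", "192.0.2.10"),
    ("alice", "192.0.2.77"),
    ("alice", "192.0.2.31"),
    ("alice", "198.51.100.5"),   # new country for alice
    ("bob", "198.51.100.9"),
    ("bob", "198.51.100.9"),
    ("bob", "198.51.100.20"),
    ("bob", "203.0.113.200"),    # new country and inside a known-bad block
    ("bob", "10.1.2.3"),         # private address: no geolocation available
]

def country_of(ip):
    """Return the country for an address, or None when the lookup has no answer."""
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEO.items() if addr in net), None)

def review_logins(logins, min_history=3):
    """Flag logins outside a user's usual countries (once a baseline of
    min_history logins exists and geolocation succeeds) or inside bad blocks."""
    seen = defaultdict(set)      # user -> countries seen so far
    count = defaultdict(int)     # user -> logins processed so far
    alerts = []
    for user, ip in logins:
        addr, country = ipaddress.ip_address(ip), country_of(ip)
        reasons = []
        if any(addr in net for net in KNOWN_BAD):
            reasons.append("known-bad-block")
        if country and count[user] >= min_history and country not in seen[user]:
            reasons.append("unusual-location:" + country)
        if reasons:
            alerts.append((user, ip, reasons))
        elif country:
            seen[user].add(country)   # only unflagged logins extend the baseline
        count[user] += 1
    return alerts

if __name__ == "__main__":
    print(review_logins(LOGINS))
```

An alert here only says that the source address looks unusual for the account; it carries no information about who is behind the address or why.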

Discussion

  • Anonymous on

    Since the New York Times recently reported that Stuxnet is a US State Sponsored Cyber virus - which if you recall was accidentally released into the wild and affected and attacked innocent end-user machines as collateral damage, and with the ongoing US-Israeli state sponsored cyber warfare weapons of mass destruction (operation Olympic Games) including the more recent releases of Duqu and Flame virus.... can Google clarify if through its detailed analysis as well as victim reports if Google will apply the same exacting standards and warn end-users (both in the US and abroad, example: Iranian users) of these domestic (US) state sponsored attacks as well? Or are exceptions of convenience made in these cases due to the close ties that Google has with the US intelligence agencies and the confirmed but secret and classified collaboration that Google has with the CIA and NSA in regards to GMail and Google Accounts? No doubt there is a clear conflict of interest going on here. To me this smells more like Google catering to State Sponsored Propaganda than really caring about the security and privacy of their end-users.

  • Anonymous on

    Maybe because Google is a U.S. company and Iran is hostile toward the U.S.?
