“Google’s top security teams unilaterally shut down a counterterrorism operation”
MIT Technology Review, March 26, 2021
by Patrick Howell O’Neill
“The decision to block an “expert” level cyberattack has caused controversy inside Google after it emerged that the hackers in question were working for a US ally.”
Google runs some of the most venerated cybersecurity operations on the planet: its Project Zero team, for example, finds powerful undiscovered security vulnerabilities, while its Threat Analysis Group directly counters hacking backed by governments, including North Korea, China, and Russia. And those two teams caught an unexpectedly big fish recently: an “expert” hacking group exploiting 11 powerful vulnerabilities to compromise devices running iOS, Android, and Windows.
But MIT Technology Review has learned that the hackers in question were actually Western government operatives actively conducting a counterterrorism operation. The company’s decision to stop and publicize the attack caused internal division at Google and raised questions inside the intelligence communities of the United States and its allies.
A pair of recent Google blog posts detail the collection of zero-day vulnerabilities that it discovered hackers using over the course of nine months. The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. They caught the attention of cybersecurity experts thanks to their scale, sophistication, and speed.
Google’s announcement glaringly omitted key details, however, including who was responsible for the hacking and who was being targeted, as well as important technical information on the malware or the domains used in the operation. At least some of that information would typically be made public in some way, leading one security expert to criticize the report as a “dark hole.”
“Different ethical questions”
Security companies regularly shut down exploits that are being used by friendly governments, but such actions are rarely made public. In response to this incident, some Google employees have argued that counterterrorism missions ought to be out of bounds of public disclosure; others believe the company was entirely within its rights, and that the announcement serves to protect users and make the internet more secure.
“Project Zero is dedicated to finding and patching 0-day vulnerabilities, and posting technical research designed to advance the understanding of novel security vulnerabilities and exploitation techniques across the research community,” a Google spokesperson said in a statement. “We believe sharing this research leads to better defensive strategies and increases security for everyone. We don’t perform attribution as part of this research.”
It’s true that Project Zero does not formally attribute hacking to specific groups. But the Threat Analysis Group, which also worked on the project, does perform attribution. Google omitted many more details than just the name of the government behind the hacks, and through that information, the teams knew internally who the hacker and targets were. It is not clear whether Google gave advance notice to government officials that they would be publicizing and shutting down the method of attack.
About the Author:
Patrick Howell O’Neill is the cybersecurity senior editor for MIT Technology Review. He covers national security, election security and integrity, geopolitics, and personal security: How is cyber changing the world? Before joining the publication, he worked at the Aspen Institute and CyberScoop covering cybersecurity from Silicon Valley and Washington DC.
- Google Project Zero: “Introducing the In-the-Wild Series“
- Google Project Zero: “In-the-Wild Series: October 2020 0-day discovery“