A Google hacking team has exposed — and shut down — an expert counterterrorism hacking operation by a supposed US ally. While the report hid most details, it raised troubling questions about what constitutes an ally in cyberspace.
The tech giant’s Project Zero and Threat Analysis Group hacking teams uncovered and ultimately put an end to a counter-terrorism operation being run by a US ally, according to MIT Tech Review, which detailed the internal struggle at Google over whether to publicize the incident and what it implied for future cyber-espionage (apparently, all’s fair in love, war, and malware attacks).
Both Project Zero, which uncovers and exposes security vulnerabilities, and Threat Analysis Group, which tracks hacks believed to be run by governments, helped take down the “friendly” malware attack, which weaponized 11 zero-day vulnerabilities over the course of nine months. A zero-day vulnerability is a flaw that the software’s creator and its users do not know exists, so no patch is available; it can be exploited as a backdoor and otherwise abused until it is discovered and fixed.
Cropping up 11 times in nine months – an unusually high rate of zero-day exploitation – the attack targeted devices powered by iOS, Android, and Windows. The exploits were innovative (MIT described them as “never-before-seen techniques”) and used infected websites as “watering holes” to deliver malware to unsuspecting visitors. The infection campaign had been running since early 2020.
MIT revealed on Friday that the hackers running the scheme were “actually Western government operatives actively conducting a counter-terrorism operation,” an unusual revelation given that tracing hacks to state-level actors is not the easy-to-grasp, cut-and-dried operation that US cybersecurity firms like CrowdStrike and FireEye like to describe when they speak with reporters.
Indeed, while Google’s Threat Analysis Group attributes hacks to states, Project Zero does not, though private security companies have been working on the capability to reliably “link hostile actions with foreign actors” for the last decade – an ability that has recently become more reliable, according to a RAND Corporation paper published in September.
Google itself seems to have been told it was a counter-terror op only in an effort to persuade it to let the hack continue. Instead, the Google teams went ahead and squelched the attack, a move that reportedly “caused internal division at Google,” as well as “rais[ing] questions inside the intelligence communities of the United States and its allies.”
While Google managed to get the hack shut down, its announcement released vanishingly few details about the attack itself. Who was responsible for the hack, who was targeted, and certain technical aspects of the malware and its hosting were all left out, which is highly atypical for a release by the Google teams, whose work is relied on and revered across the industry.
The decision appeared to be a compromise between the two Google teams, under the justification that even if the ‘good guys’ were running the hack to nab terrorists now, the 11 separate zero-day vulnerabilities Google had found them using over the past year would ultimately end up in the hands of the ‘bad guys.’ Better, then, to shut it down and keep the entire internet safe than to aid and abet criminals, whether they’re operating in the future or the present.
While cybersecurity teams regularly stumble over one another’s work in the process of patrolling their governments’ networks, certain policies could help narrow down who the culprit in this particular instance might have been. The Five Eyes alliance – the US, UK, Canada, Australia, and New Zealand – has a gentlemen’s agreement not to report hacking operations as long as both the security team and the hackers they’ve tripped over are friendlies, and the US in particular avoids uprooting its own operations in progress.
However, while the US considers Israel its top ally in the Middle East, the National Security Agency and CIA have reportedly both previously designated that country as *the* top spy threat to the US.
Perhaps most shocking is the implication that Google – a private company – can hold its own in matters of national security against whichever state sought to continue this counter-terror op, without the tech giant spilling the beans to the world. A former senior US official made the point that not all hackers, even state-level powers, are in a position to easily regenerate the kind of exploit capability Google would have shut down by revealing the vulnerabilities.
“The idea that someone like Google can destroy that much capability that quickly is slowly dawning on folks,” he said.