Security Experts:

Don’t Panic Over Google’s Latest State-sponsored Attack Warnings

Google: "Tens of Thousands of Users" Will See New State-sponsored Attack Warnings

On Tuesday, Google started issuing warnings to a subset of Gmail users, explaining that state-sponsored attackers may be attempting to compromise their accounts or computers. The warnings were foreshadowed by an interview Google gave to the New York Times, in which it was revealed that the search giant had recently been seeing more attacks than it had anticipated.

“We aren't planning to share additional information,” a Google spokesperson told SecurityWeek Wednesday. Google did, however, confirm that the New York Times article was accurate, adding that “tens of thousands of users will see the notification.”

In June, SecurityWeek reported on the announcement from Google that they would start warning users if it was believed that they were a target of a state-sponsored attack.  

“If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware for example, and that you should take immediate steps to secure your account,” Eric Grosse, vice president of security engineering at Google, noted in a blog post at the time.

Fast forward four months, and Mike Wiacek, a manager on Google’s information security team, is telling the New York Times in an interview that they’ve “picked up thousands more instances of cyberattacks than it anticipated.”

“Mr. Wiacek noted that Google had seen an increase in state-sponsored activity coming from the Middle East. He declined to call out particular countries, but he said the activity was coming from ‘a slew of different countries’ in the region,” the NYT’s Bits Blog reported.

The warnings are just that, warnings. As mentioned in June by Google, the fact that someone sees such a notice is not a clear indication of a pending attack, nor is it proof that a successful attack has occurred.

This past summer, Google said that they couldn’t go into the details on how they know that certain activities were state-sponsored without giving away details that would be helpful to those initiating the attacks, adding that “our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored.”

Google, like other large corporations online, is hooked into the security community. They get reports from users and vendors, collect data on their own, and use all of this to make a risk assessment. The warnings that have been reported recently, and the emergence of new attack patterns that were not previously anticipated, aren't something to be concerned about; they are a natural progression of information gathering.

There has been an uptick in the number of attacks that are targeting corporations and people in the U.S., sourced directly from the Middle East, Eastern Europe, North Africa, and Southern Asia. Recent examples include DDoS attacks against financial organizations sourced to Iran, phishing attacks against activists in Syria, and the recently patched Internet Explorer zero-day, which was used by attackers in China to spread malware.

Google is all about patterns. So if a known attack, targeting a limited number of people or focused on a region, is spotted by security vendors or on Google’s own network, then it is only right that anyone else who may fall within that same pattern be notified that something could be amiss.

Google’s latest round of warnings to journalists or NGO employees, given the emergence of new attack data and patterns, is the equivalent of a warning to the average user that an email from a bank with a typo, malformed URL, or broken image is likely a phishing attempt. Maybe it is, maybe it isn’t, but the email matches a pattern, so the user is warned.

“Google works hard every day to help our users protect their information. That’s why we developed this warning to supplement our existing account security protections,” the Google spokesperson said. “We hope these prominent messages will encourage affected users to take steps to strengthen the security of their accounts and computers.”

When it comes to advice on dealing with potential threats, the link offered by Google in their state-sponsored warnings actually has sound advice, which you can view here. Either way, the warnings are just what they claim to be: a brief heads-up from Google that should not evoke fear or panic, but should serve as a reminder for users to remain vigilant.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.