Gmail Users Warned of State-Sponsored Attacks

Google has begun to issue warnings to people whose accounts or computers it believes may have been targeted by unnamed state-sponsored actors. The announcement on the company’s security blog did not specify any particular government, but many eyes turned immediately to China in view of Google’s past claims of Chinese attacks on Gmail and recent changes to expose government censorship of search results. The identities of many early recipients have only reinforced these suspicions.

From Google Online Security:

We are constantly on the lookout for malicious activity on our systems, in particular attempts by third parties to log into users’ accounts unauthorized. When we have specific intelligence—either directly from users or from our own monitoring efforts—we show clear warning signs and put in place extra roadblocks to thwart these bad actors.

Today, we’re taking that a step further for a subset of our users, who we believe may be the target of state-sponsored attacks.

[…] If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware for example, and that you should take immediate steps to secure your account. Here are some things you should do immediately: create a unique password that has a good mix of capital and lowercase letters, as well punctuation marks and numbers; enable 2-step verification as additional security; and update your browser, operating system, plugins, and document editors.

[…] You might ask how we know this activity is state-sponsored. We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored.

At Foreign Policy, Josh Rogin explained Google’s reasoning for the warnings’ vagueness:

Google insiders told The Cable that Google will not be giving out information on which governments it sees as the most egregious violators of web privacy.  For Google, the new initiative is not an effort against governments but a way to help its users help defend and protect themselves.

Users who click through the new warning message will be directed to a page that outlines commonly seen security threats and suggests ways users can immediately raise their level of security on Gmail.

“We’re constantly working to prevent harmful activity on our services, especially attempts to compromise our users’ information,” the insider said. “The primary message is: we believe that you’re a target so you should take immediate steps to protect your account.” 

As with the recent search changes, the new measure has met some scepticism, based in part on the lack of concrete information provided. Jeffrey Carr called it the company’s “worst security idea ever”:

There are so many things wrong with this new Google initiative that I hardly know where to begin.

First, it generates fear on the part of Google’s customers because regardless of the fine print, such a warning will most likely send the recipient into panic mode when there’s no reason to panic.

Second, it makes a claim which upon investigation is so vague that it’s meaningless. You may be the victim of a state or someone working on a state’s behalf? That’s pretty much the case for all targeted attacks.

Third, if you are a target of interest for a foreign intelligence service (FIS), one of the first things you should do is STOP USING GMAIL or any popular cloud-based service that cannot guarantee you where in the world on its many data farms your data resides. If the Mossad, the FSB, the MSS, or the NSA is interested in you, they’ll find a way to legally and covertly intercept your data without sending a spear phishing email to your Gmail account.

Google can, at least, guarantee that user data does not reside on the Chinese mainland. Even before the company withdrew from China in 2010, it kept Gmail servers elsewhere to avoid forced cooperation in political prosecutions.

On Twitter, a steady stream of Chinese or China-linked users reported the unsettling sight of the warning banner. These included McClatchy reporter Tom Lasseter:

The Hindu’s Ananth Krishnan:

Tsinghua University business professor Patrick Chovanec:

Ai Weiwei and associates, via ‘Ai Weiwei: Never Sorry’ director Alison Klayman:

Journalist Chang Ping:

Activists Zeng Jinyan and Hu Jia:

@hu_jia: I also received this warning: “We believe state-sponsored attackers may be attempting to compromise your account or computer.” On top of that, I got what seems to be a phishing email.

Chinese-American physicist George Ge, who was detained and interrogated during a visit to Beijing early this year:

Some laughed the message off:

@gexun: I just asked a few friends and colleagues if any of them had received the same warning from Google as I did: none of them had. I’ll do my best to turn that pink warning red! : )

Others, including Wall Street Journal Chinese editor Li Yuan, felt left out: