But Western operations are recognizable, according to one former senior US intelligence official.
“There are certain hallmarks in Western operations that are not present in other entities … you can see it translate down into the code,” said the former official, who is not authorized to comment on operations and spoke on condition of anonymity. “And this is where I think one of the key ethical dimensions comes in. How one treats intelligence activity or law enforcement activity driven under democratic oversight within a lawfully elected representative government is very different from that of an authoritarian regime.”
“The oversight is baked into Western operations at the technical, tradecraft, and procedure level,” they added.
Google found the hacking group exploiting 11 zero-day vulnerabilities in just nine months, a high number of exploits over a short period. Software that was attacked included the Safari browser on iPhones but also many Google products, including the Chrome browser on Android phones and Windows computers.
But the conclusion within Google was that who was hacking and why is never as important as the security flaws themselves. Earlier this year, Project Zero’s Maddie Stone argued that it is too easy for hackers to find and use powerful zero-day vulnerabilities and that her team faces an uphill battle detecting their use.
Instead of focusing on who was behind and targeted by a specific operation, Google decided to take broader action for everyone. The justification was that even if a Western government was the one exploiting those vulnerabilities today, it will eventually be used by others, and so the right choice is always to fix the flaw today.
“It’s not their job to figure out”
This is far from the first time a Western cybersecurity team has caught hackers from allied countries. Some companies, however, have a quiet policy of not publicly exposing such hacking operations if both the security team and the hackers are considered friendly—for example, if they are members of the “Five Eyes” intelligence alliance, which is made up of the United States, the United Kingdom, Canada, Australia, and New Zealand. Several members of Google’s security teams are veterans of Western intelligence agencies, and some have conducted hacking campaigns for these governments.
In some cases, security companies will clean up so-called “friendly” malware but avoid going public with it.
“They typically don’t attribute US-based operations,” says Sasha Romanosky, a former Pentagon official who published recent research into private-sector cybersecurity investigations. “They told us they specifically step away. It’s not their job to figure out; they politely move aside. That’s not unexpected.”
While the Google situation is in some ways unusual, there have been somewhat similar cases in the past. The Russian cybersecurity firm Kaspersky came under fire in 2018 when it exposed an American-led counterterrorism cyber operation against ISIS and Al Qaeda members in the Middle East. Kaspersky, like Google, did not explicitly attribute the threat but nevertheless exposed it and rendered it useless, American officials said, which caused the operatives to lose access to a valuable surveillance program and even put the lives of soldiers on the ground at risk.
Kaspersky was already under heavy criticism for its relationship with the Russian government at the time, and the company was ultimately banned from US government systems. It has always denied having any special relationship with the Kremlin.
Google has found itself in similar water before, too. In 2019, the company released research on what may have been an American hacking group, although specific attribution was never made. But that research was about a historical operation. Google’s recent announcements, however, put the spotlight on what had been a live cyber-espionage operation.
Who’s being protected?
The alarms raised both inside government and at Google show the company is in a difficult position.
Google security teams have a responsibility to the company’s customers, and it is widely expected that they will do their utmost to protect the products—and therefore users—who are under attack. In this incident, it’s notable that the techniques used affected not just Google products like Chrome and Android, but also iPhones.
While different teams draw their own lines, Project Zero has made its name by tackling critical vulnerabilities all over the internet, not just those found in Google’s products.