Security researchers regularly reveal software vulnerabilities that hackers can exploit, or even have exploited in the past. In some cases, they’re software issues that have not been used to hack or spy on users. In others, researchers identify malware and hacks that are actively used in the wild. By the time they release information about the attacks, the companies whose code had been attacked have already released updates to patch the problems. And security researchers usually point out when they believe the hacks are too sophisticated for a regular hacker to pull off.
Google runs an infamous security team at Project Zero that analyzes all sorts of operating systems and products for vulnerabilities. Since January, the team produced research that highlighted 11 zero-day exploits that were used to compromise Android, iPhone, and Windows. Back in January, Project Zero scientists pointed out the sophistication of the attacks that utilized previously unknown vulnerabilities in Chrome and Safari code. It turns out that the hackers behind the campaign that Google found were from a nation-state. They were part of a counterterrorism operation initiated by a Western ally, and the operation was ongoing when Project Zero started revealing the software issues.
Whenever hackers backed by US rivals are responsible for newly discovered attacks, some researchers would go out and say the hacks originate from China, North Korea, or Russia. But Google’s Project Zero did not point any fingers while revealing these 11 zero-day bugs. The decision to shut down the cyberattack coming from a Western ally apparently caused some controversy inside Google, MIT Technology Review has found out.
It’s unclear which Western government had employed the sophisticated attack or what sort of counterterrorism operation they were running. The MIT report indicates that Google might have omitted the identity of attackers intentionally. Google might know precisely who the hackers are and what the operation was. It’s also unclear whether Google notified the attackers before revealing the zero-day vulnerabilities publicly.
Some Google employees have apparently argued that counterterrorism operations should be out of bounds when it comes to public disclosure. Others say that Google was within its rights to protect the company’s products from imminent attacks that could harm end-users. Google defended its actions in a statement:
Project Zero is dedicated to finding and patching 0-day vulnerabilities, and posting technical research designed to advance the understanding of novel security vulnerabilities and exploitation techniques across the research community. We believe sharing this research leads to better defensive strategies and increases security for everyone. We don’t perform attribution as part of this research.
The attackers used never-before-seen “watering hole” techniques to inject unknown websites with malware and deliver them to targets running Chrome and Safari on Android, iPhone, and Windows devices. The attackers exploited the 11 zero-days over just nine months, beginning in February 2020. The level of sophistication and speed of the attack is what troubled researchers.
A former senior US intelligence official told MIT that Western operations are recognizable, and that’s because of the local laws that impact what spy agencies can and can’t do:
There are certain hallmarks in Western operations that are not present in other entities … you can see it translate down into the code. And this is where I think one of the key ethical dimensions comes in. How one treats intelligence activity or law enforcement activity driven under democratic oversight within a lawfully elected representative government is very different from that of an authoritarian regime.
The oversight is baked into Western operations at the technical, tradecraft, and procedure level.
It’s unclear to what end the counterterrorism operation might have been crippled, and those are the kind of secrets that will probably never be revealed to the public. The fact that so many vulnerabilities were discovered that quickly is still troublesome, as other skilled hackers might have found and exploited them — which is ultimately why Google chose to reveal the info. The silver lining of these revelations is that Western spies were targeting specific groups of people, which means most Android, iPhone, and Windows users shouldn’t be impacted.
As always, when software vulnerabilities are disclosed, the best course of action is to install all available operating system updates, and to update all apps. The MIT Technology Review’s story is worth a read in full — it’s available at this link.