Google begins alerting Gmail users to 'state-sponsored' attacks

Google has been notifying users of its services about suspected phishing attempts, and it's also notified webmasters of hacked servers. Now the company has begun alerting Gmail customers who may be victims of a "state-sponsored" cyberattack.
Written by Ed Bott, Senior Contributing Editor

Cyberwarfare is moving out of the shadows and into the light.

Now, Google has decided to alert its users when it detects that their account has been hacked. And it’s willing to say in a big red banner that it believes the attacker is working on behalf of a hostile foreign government.

If Google believes someone is trying to break into your Gmail account, this is what you’ll see:

In a blog post, Google VP of Security Engineering Eric Grosse explains that the warning doesn’t necessarily mean the attack has been successful or that your personal information has been compromised. The most likely trigger is an attempt to lure you to a phishing site or to deliver malware via an email attachment or a link. The suggested response is to change the account password and enable two-step authentication.

Google has been flagging known phishing sites for years in both Chrome and Firefox. Earlier this year the company notified 20,000 webmasters that their sites were doing “weird redirects” and had probably been hacked.

What makes this warning different is that it is typically identifying targeted attacks, which are aimed at particular individuals or organizations, rather than broad-based schemes that pick victims more or less at random.

Google has been engaged in an ongoing battle with China for years, and it’s widely believed that China was behind a successful attack that compromised Google and Adobe in 2010. As I wrote at the time:

The victims in the current wave of attacks were targeted, presumably by criminals or spies who knew exactly what they were doing. In a targeted attack, victims are picked out because they have access to valuable information and can provide access to sensitive parts of their company’s network. It’s possible that the attackers targeted particular victims because they were using IE6. However, the bad guys could also have used malicious PDF files to do their dirty work, as was the case in a similar wave of targeted attacks in July 2009. They could also have used vulnerabilities in other software.

The Chinese have also been suspected in several recent targeted attacks, including one aimed at Mac OS X users.

Google's warnings do not appear to include any hints as to the identities of the suspected attackers.

One interesting question: would Google notify an Iranian customer if it detected a possible attack from a United States intelligence agency? Earlier this year, Google exercised its privacy policy and notified suspected Russian malware authors that U.S. law enforcement officials had filed subpoenas demanding information about their Gmail accounts.
