In just three months, Google sent 12k warnings about government-backed attacks

Most of these alerts were sent to users in the US, South Korea, Pakistan, and Vietnam.
Written by Catalin Cimpanu, Contributor

Google sent more than 12,000 security warnings to users in 149 countries about email attacks coming from a government-backed hacking group.

The number only includes alerts sent between July and September 2019 (Q3 2019), Google said in a blog post today authored by Shane Huntley, a member of the company's Threat Analysis Group (TAG), Google's elite hacker-hunting unit.

Huntley said the three-month stat is within a +/-10% margin of the number of warnings sent in the same period of 2018 and 2017, suggesting that there hasn't been a huge escalation or drop in the number of government-backed attacks in the past few years.

Most of these alerts were sent to users in the US, South Korea, Pakistan, and Vietnam, according to a heatmap shared by the company.

Image: Google

The alerts are nothing more than basic emails. Google sends these alerts to Gmail users once the company detects they've been targeted with malicious emails linked to a nation-state hacking operation.

These emails can carry links to download malware, file attachments booby-trapped to infect users, or links to phishing sites where hackers collect a target's credentials for various online accounts.

Google started showing the alerts seven years ago

Google was the first major email provider to show these types of warnings to its userbase, starting in 2012. Nowadays, email providers like Microsoft and Yahoo also show similar notifications.


Gmail notification for government-backed attacks, circa 2012

Image: Google

The company redesigned the alert in 2017 to make it more prominent when accessing a Gmail inbox.

In 2018, Google expanded the feature to G Suite accounts, so private companies that ran Gmail on top of custom domain names could also benefit from the warnings and let users know when they've been targeted.


Current warning format for government-backed attacks


A lesser-known trick about these warnings is that Google doesn't warn users at the moment when they've been targeted, but delays the messages and sends them in batches to hundreds of accounts at a time.

Google said it employes this technique so attackers can't probe and test which of their tactics works better, and fine-tune attacks in real-time by leveraging which test emails trigger an alert.

Google said that if users ever receive one of these alerts they should enroll in the company's Advanced Protection Program (APP).

"We encourage high-risk users-like journalists, human rights activists, and political campaigns-to enroll in our Advanced Protection Program (APP), which utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings," Huntley said.

"APP is designed specifically for the highest-risk accounts and now has more than 15,500 users."

Tech turkeys: Apple and Google dominate the year's menu of failures

Editorial standards