
Ask HN: Google warned me that a state organized hacking group targeted me - Bombthecat
Has anyone of you guys gotten that message?

I'm still not sure why they targeted me nor how? I'm neither famous nor a journalist or blogger or scientist or something like that.

Nonetheless, what can I do to find out how they tried it? Or if they broke in or if my network is compromised?

And what can I do to prevent it in future? Besides 2FA.
======
huntsman
My team at Google is responsible for identifying the users we give these
warnings to. Here's what I wrote last year to provide a bit more context:
https://security.googleblog.com/2017/03/reassuring-our-users-about-government.html

The most important point is that this indicates signs of targeting, not
compromise. Also, like all systems there are false positives, especially for
security researchers and similar types, but we hope it is a useful
indicator to reassess your security posture.

~~~
pimlottc
Thanks for the extra context. One thing I didn’t see addressed that I’m
curious about is how does Google distinguish a “government-backed” attack vs
your normal everyday hackers? Is it a function of the specific methods used,
the depth and breadth of resources deployed, source ip ranges, or what?

~~~
huntsman
It's a range of factors. Basically this warning means that what we detected
ties in some way to wider activity that looks government backed. There are some
border cases, but in practice the targeted campaigns of governments look very
different in technique, volume and targeting to, say, a widespread
cybercrime phishing campaign. It's not a perfect science, but we believe it's
worth calling out separately the activity that does fall into this bucket.

~~~
Bombthecat
But Google would tell me if they were successful, right?

Also: should I tell my coworkers what happened?

~~~
huntsman
If we detected your account was compromised Google would have given you a
different notification at that time and forced you to change your password.

~~~
Bombthecat
Thanks, at least it is something.

I'm really curious what they hoped for though.

I have nothing of interest. I do nothing interesting (except they get really
excited about people working in IT consulting), which probably would be
millions by now...

~~~
rjbwork
Do you have any controversial opinions? Have you ever worked for any
governments? How about any weapons or other military contractor companies?
Critical IT infrastructure? Could be a number of reasons you're targeted.

~~~
Bombthecat
Worked for government, but that is looong ago. Like six years or so? And the
government organization I worked for is not really interesting, I think. (No
weapons, no military, no foreign relations etc.)

Never worked for any military or weapons org or other stuff.

Currently I'm working to create a community portal for a bank. Which will only
be used by developers in B2B. (Documentation and stuff)

But maybe they hoped for the weakest link? That's why I'm thinking about telling
my co-workers about it.

------
fwdpropaganda
This is when you know you've "made it", when state intel is trying to get to
you :-)

Seriously now, even though you're not famous or a journalist, you might have
some type of valuable access in your life? Or maybe it's just a false positive
from Google. Or maybe you weren't being especially targeted, and instead your
e-mail ended up in some list of valuable e-mails (rightly or wrongly).

~~~
meganibla
Yeah but they’re not going to let you know if the NSA or the CIA targets you.

So the message can be read more like: a non-allied state actor has targeted
your email and we are notifying you to show how good we are. Please note we
will not reveal when you are targeted by an allied state intelligence. Privacy
is relative, mostly an illusion. Thank you for your cooperation.

~~~
Bombthecat
Yeah, my thoughts were along that line too.

It's not America. More likely it's Russia, China, Japan, Germany or God knows...

------
rabboRubble
Perhaps you aren't of interest, but you are in the address book of somebody of
interest, or in the address book once/twice/thrice removed of somebody of
interest.

------
jacksmith21006
Ironic Google warns you of this while we have Apple moving their iCloud to
GCBD in China where GCBD is managed by the China Gov.

Then they also moved the keys to China. Then on top removed the VPN apps
from the App Store.

Google Gmail was getting hacked by China gov so they warned and ultimately
left China.

Even Amnesty International has opened a campaign on Apple and their disregard
for privacy.

https://www.amnesty.org/en/latest/news/2018/03/apple-privacy-betrayal-for-chinese-icloud-users/
(Campaign targets Apple over privacy betrayal for Chinese iCloud users)

------
anotheryou
I got it too years ago. It said it might also be my circle of contacts being
attacked. So it might not be you in specific.

~~~
Bombthecat
Mine didn't..

That's bad I guess.

------
buschkowitz
This in itself sounds like a phishing attack. Is the mail authentic?

~~~
Bombthecat
Not a mail. You get that message when logging in to Google.

I first thought that too, and tried another browser (got that message in
Vivaldi first, then tried IE). Same result.

Here are some old articles about that:

https://www.recode.net/2017/3/24/15054954/google-reassures-users-government-backed-hackers

http://www.zdnet.com/article/google-heres-why-you-shouldnt-flip-out-over-government-backed-hacker-alerts/

~~~
buschkowitz
Yea, it does look legit after reading the articles you posted. I am not a
hacker per se, but I guess uncovering what a gov hacker did in your account is
highly difficult. In terms of safety, use a password manager that creates and
stores hard-to-crack passwords for you. I am pretty happy with Dashlane;
1Password has a good reputation, too.

~~~
zaphirplane
What! Don't use a password manager, and turn on 2-factor authentication.

~~~
amingilani
Absolutely use a password manager, and a strong passphrase for the master
password [1]

Why would you say not?

I'm not trying to be rude or anything. Let's have a discussion, and if I can
convince you to use one, I'd have made one more person safer.

[1] I made this for a dead simple way to make passphrases:
https://amingilani.github.io/password-maker/
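Since the comment above recommends a strong master passphrase but gives no way to judge how strong one is, here is an added example (not the linked password-maker tool, and not code from anyone in the thread) that builds a random word passphrase with the `secrets` module and computes its entropy in bits. The tiny wordlist is constructed for the demo; a real generator would draw from a large list such as the EFF's 7776-word diceware list, which the entropy function can be queried about directly.

```python
"""Generate a random passphrase and report its strength in bits of entropy.

Added example. The wordlist below is a constructed stand-in: with so few
words it is useless in practice, and the entropy figures make that visible.
"""
import math
import secrets

# Constructed demo wordlist (real generators use thousands of words).
DEMO_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper",
]

PRINTABLE_ASCII = 94  # symbols available to a random character password


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one pick")
    return length * math.log2(alphabet_size)


def passphrase(words: list[str], count: int, sep: str = "-") -> str:
    """Pick `count` words uniformly at random using a CSPRNG (secrets, not random)."""
    if len(set(words)) != len(words):
        raise ValueError("wordlist contains duplicates; entropy estimate would be wrong")
    return sep.join(secrets.choice(words) for _ in range(count))


def words_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of `alphabet_size` reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def strength_report(list_size: int, count: int) -> dict:
    """Compare a word passphrase with a 10-character random ASCII password."""
    return {
        "passphrase_bits": round(entropy_bits(list_size, count), 1),
        "ascii10_bits": round(entropy_bits(PRINTABLE_ASCII, 10), 1),
    }


if __name__ == "__main__":
    print("demo passphrase:", passphrase(DEMO_WORDS, 6))
    print("demo list (16 words, 6 picks):", strength_report(len(DEMO_WORDS), 6))
    print("7776-word list, 6 picks:", strength_report(7776, 6))
    print("words needed for 80 bits from 7776-word list:", words_needed(7776, 80))
```

The point the numbers make: six words from the 16-word demo list give only 24 bits, while six words from a 7776-word list give about 77.5 bits, more than a 10-character fully random printable-ASCII password (about 65.5 bits). Entropy comes from the size of the list and the number of independent picks, not from how odd the words look.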

~~~
herbst
Not OP but open for a chance. Last time I checked, the popular password
managers saved the passwords in one way or another. Which personally simply
sounds like a bad idea to begin with.

Even if in theory they are safe. Even the slight chance that a single failure
could lead to all my passwords getting in the wrong hands at once just is too
scary.

~~~
mercer
How do you propose one memorizes a properly random/secure/long password, let
alone multiple ones, without trusting 'something' with it, whether a password
manager of good repute, a hand-rolled version with potentially bigger security
issues, or a piece of paper somewhere?

~~~
c22
I've memorized multiple long passwords, and routinely memorize new ones. Also
phone numbers, poems, mailing addresses, digits of pi, etc. It's not really
_that_ challenging. Especially if you do it often.

------
supergirl
how do they know it’s a state organized group?

~~~
badrabbit
Advanced Persistent Threat (APT, aka nation state) actors are tracked using
known indicators of compromise. These indicators can include infrastructure
identifiers such as domain names and IP addresses that may be used in a
phishing URL or post-compromise for command-and-control or to download other
malware.

Other indicators can include malware sample hashes or actor-specific detection
rules (example: YARA, Snort or NetWitness rules).

These indicators are typically not public. Some can be accessed if you pay the
right sum of money and undergo vetting; still, some are kept private within the
relevant security firms or organizations.

As you can imagine, Google has their hands in many pies including security
research and threat intelligence collection (everyone loves their VirusTotal
Intelligence product). They can scan email metadata for any of these
indicators as they see fit.

Generally speaking, some indicators are of such high quality that they can be used
to detect well crafted spear phishing by a nation state actor. But most are
good only to detect untargeted attacks or targeted attacks that include a
large number of targets.

Hope that answered your question.

~~~
supergirl
also why do people like to use the term nation state when it involves hacking.
just to sound fancier? according to wiki nation state has a precise meaning
and it’s not equivalent to the term country

~~~
docdeek
I wrote my doctorate thesis in international relations theory and taught Intro
to IR courses where the difference between country, state, nation, and nation
state were covered in week one. You're right that there's a difference between
country and nation state (and a difference between nation state and both
nation and state, too) but in popular use - including politicians who should
know better - the terms are interchangeable.

