Ask HN: Google warned me that a state organized hacking group targeted me
50 points by Bombthecat on March 31, 2018 | hide | past | favorite | 42 comments
Has anyone of you guys gotten that message?

I'm still not sure why they targeted me nor how? I'm neither famous nor a journalist or blogger or scientist or something like that.

Nonetheless, what can I do to find out how they tried it? Or if they broke in or if my network is compromised?

And what can I do to prevent it in future? Besides 2FA.


My team at Google is responsible for identifying the users we give these warnings to. Here's what I wrote last year to provide a bit more context: https://security.googleblog.com/2017/03/reassuring-our-users...

The most important point is that this indicates signs of targeting, not compromise. Also, like all systems, there are false positives, especially for security researchers and similar types, but we hope it is a useful indicator to reassess your security posture.


Thanks for the extra context. One thing I didn’t see addressed that I’m curious about is how Google distinguishes a “government-backed” attack from your normal everyday hackers. Is it a function of the specific methods used, the depth and breadth of resources deployed, source IP ranges, or what?


It's a range of factors. Basically this warning means that what we detected ties in some way to wider activity that looks government backed. There are some border cases, but in practice the targeted campaigns of governments look very different in technique, volume and targeting from, say, a widespread cybercrime phishing campaign. It's not a perfect science, but we believe it's worth calling out separately the activity that does fall into this bucket.


But Google would tell me if they were successful, right?

Also: should I tell my coworkers what happened?


If we had detected that your account was compromised, Google would have given you a different notification at that time and forced you to change your password.


Thanks, at least it is something.

I'm really curious what they hoped for though.

I have nothing of interest. I do nothing interesting (except they get really excited about people working in IT consulting) which probably would be millions by now...


Do you have any controversial opinions? Have you ever worked for any governments? How about any weapons or other military contractor companies? Critical IT infrastructure? Could be a number of reasons you're targeted.


Worked for government, but that is looong ago. Like six years or so? And the government organization I worked for is not really interesting, I think. (No weapons, no military, no foreign relations, etc.)

Never worked for any military or weapons org or other stuff.

Currently I'm working to create a community portal for a bank, which will only be used by developers in B2B. (Documentation and stuff.)

But maybe they hoped for the weakest link? That's why I'm thinking about telling my co-workers about it.


This is when you know you've "made it", when state intel is trying to get to you :-)

Seriously now, even though you're not famous or a journalist, you might have some type of valuable access in your life? Or maybe it's just a false positive from Google. Or maybe you weren't being especially targeted, and instead your e-mail ended up in some list of valuable e-mails (rightly or wrongly).


Yeah but they’re not going to let you know if the NSA or the CIA targets you.

So the message can be read more like: a non-allied state actor has targeted your email and we are notifying you to show how good we are. Please note we will not reveal when you are targeted by an allied state intelligence. Privacy is relative, mostly an illusion. Thank you for your cooperation.


Yeah, my thoughts were along that line too.

It's not America. More likely is Russia, China, Japan, Germany or God knows...


Another user here noted that Google also tells you if you were just in a circle.

But they didn't tell me...


Perhaps you aren't of interest, but you are in the address book of somebody of interest, or in the address book once/twice/thrice removed of somebody of interest.


Ironic that Google warns you of this while we have Apple moving their iCloud to GCBD in China, where GCBD is managed by the Chinese government.

Then they also moved the keys to China. Then on top of that they removed the VPN apps from the App Store.

Google Gmail was getting hacked by the Chinese government, so they warned and ultimately left China.

Even Amnesty International has opened a campaign on Apple and their disregard for privacy.

https://www.amnesty.org/en/latest/news/2018/03/apple-privacy... Campaign targets Apple over privacy betrayal for Chinese iCloud ...


I got it too years ago. It said it might also be my circle of contacts being attacked. So it might not be you in specific.


Mine didn't..

That's bad I guess.


This in itself sounds like a phishing attack. Is the mail authentic?


Not a mail. You get that message when logging in to Google.

I first thought that too, and tried another browser (got that message in Vivaldi first, then tried IE). Same result.

Here are some old articles about that:

https://www.recode.net/2017/3/24/15054954/google-reassures-u...

http://www.zdnet.com/article/google-heres-why-you-shouldnt-f...


Yea, it does look legit after reading the articles you posted. I am not a hacker per se, but I guess uncovering what a gov hacker did in your account is highly difficult. In terms of safety, use a password manager that creates and stores hard-to-crack passwords for you. I am pretty happy with Dashlane; 1Password has a good reputation, too.


What! Don’t use a password manager, and turn on 2-factor authentication.


Absolutely use a password manager, and a strong passphrase for the master password [1].

Why would you say not?

I'm not trying to be rude or anything. Let's have a discussion, and if I can convince you to use one, I'd have made one more person safer.

[1] I made this for a dead simple way to make passphrases: https://amingilani.github.io/password-maker/


Not OP, but open for a chance. Last time I checked, the popular password managers saved the passwords in one way or another. Which personally simply sounds like a bad idea to begin with.

Even if in theory they are safe. Even the slight chance that a single failure could lead to all my passwords getting into the wrong hands at once is just too scary.


How do you propose one memorizes a properly random/secure/long password, let alone multiple ones, without trusting 'something' with it, whether a password manager of good repute, a hand-rolled version with potentially bigger security issues, or a piece of paper somewhere?


I've memorized multiple long passwords, and routinely memorize new ones. Also phone numbers, poems, mailing addresses, digits of pi, etc. It's not really that challenging. Especially if you do it often.


Your password doesn’t need to be a long random string, just a long unguessable one that is safe from dictionary attacks. Ilikeapples! is fine. But you know, I’m not a security researcher.


They do, but that's not such a bad idea. For an exhaustive read, I wrote this[1] a while back, but I'll try to make the point here too:

1. Are all your passwords unique?

2. If I discovered some of your passwords, will the rest of your passwords stay secure?

3. Were all your passwords created using at least 32 bits of entropy?

4. Are your passwords stored only in encrypted form?

5. Do you perfectly remember every single password you’ve used when signing up?

6. Do you turn up positive for a password leak at this website?

If you answer "no" to any of these questions, you'll benefit from a password manager.

About storing passwords, I use LastPass and they use client-side encryption[1], which means even they don't have the decryption key to read my passwords. So, you'll be fine as long as you have a secure passphrase and 2FA :)

https://lastpass.com/support.php?cmd=showfaq&id=6926

[1]: Please skip to "Strategy No. 1: Proper Password Management" @ https://www.toptal.com/remote/best-security-practices-for-re...


So, you'll be fine as long as you have a secure passphrase and 2FA :)

And nobody hacks into your machine...


Of course, but at that point it doesn't matter what method of password management you're using. It's too late.


Password managers use client side encryption. They are not stored unencrypted on the manager's servers.


I must admit, I use Apple’s Keychain, I wouldn’t trust a third party app.


Do you have citations for this? AFAIK state of the art is to put the password through some password stretching algorithm (like PBKDF) and to encrypt the database with that. No need to store the password. I think NaCl offers out-of-the-box support for this.

EDITED to add: I am using Password Safe which is recommended by Bruce Schneier. What you describe would be an absolute noob mistake. He would be pretty embarrassed if you were right.
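
As an added illustration of the scheme described above (my own example, not the code of Password Safe, LastPass or any other product named in this thread): the master password is stretched with PBKDF2-HMAC-SHA256, the vault stores only a salt, nonce, ciphertext and authentication tag, and a wrong master password is rejected by the tag check, so the password itself is never stored anywhere. The HMAC-SHA256 counter-mode keystream is an assumption made here only because the Python standard library has no AES; it stands in for the AES the real products use.

```python
import hashlib
import hmac
import json
import os

# Added illustration, not any product's code: the master password is stretched
# with PBKDF2 and never stored; the HMAC-SHA256 keystream stands in for AES.
ITERATIONS = 200_000

def derive_key(master: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into 64 key bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 blocks (AES-CTR stand-in)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
    return b"".join(blocks)[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def create_vault(master: str, entries: dict) -> dict:
    """Encrypt-then-MAC the entries; the vault holds salt, nonce, ciphertext and tag only."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").hexdigest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": ITERATIONS,
            "ciphertext": ciphertext.hex(), "tag": tag}

def unlock_vault(master: str, vault: dict):
    """Return the entries for the right master password, None for a wrong one or a tampered vault."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext = bytes.fromhex(vault["ciphertext"])
    key = derive_key(master, salt, vault["iterations"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").hexdigest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None  # tag check fails before anything is decrypted
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
```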


I think herbst is saying that password managers store the passwords being managed, not the master password used to encrypt the DB.


Not parent but I'm guessing the rationale is that a password manager could undermine the concept of 2fa.

Some believe that the "something you know" should be stored inside your head. I personally use a password manager, but can understand the viewpoint.

Password managers lie somewhere between 2 different factors, "have" (the password DB) and "know" (only your master password). For those who use a laptop as their 2nd factor (yubikey plugged into a USB port, a token on the system itself) and get their laptop stolen, a compromise of the password safe could result in both factors being breached.


Because the security of your passwords depends on the security of the password manager and the security of their infrastructure ... the big password managers have had issues, in code, design, and even LastPass was attacked by hackers.

Trusting your bank / email and other important passwords is an unneeded risk.

Your turn: why should I rely on someone and their servers to save my passwords when a good password and 2FA will protect my account?


Interesting. Does anyone know how ProtonMail handles such situations and whether they alert their users?


How do they know it’s a state organized group?


Advanced Persistent Threat (APT, aka nation state) actors are tracked using known indicators of compromise. These indicators can include infrastructure identifiers such as domain names and IP addresses that may be used in a phishing URL or post-compromise for command-and-control or to download other malware.

Other indicators can include malware sample hashes or actor-specific detection rules (example: YARA, Snort or NetWitness rules).

These indicators are typically not public. Some can be accessed if you pay the right sum of money and undergo vetting; still, some are kept private within the relevant security firms or organizations.

As you can imagine, Google has their hands in many pies including security research and threat intelligence collection (everyone loves their VirusTotal intelligence product). They can scan email metadata for any of these indicators as they see fit.

Generally speaking, some indicators are of such high quality that they can be used to detect well crafted spear phishing by a nation state actor. But most are good only to detect untargeted attacks or targeted attacks that include a large number of targets.

Hope that answered your question.
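
An added example (my own, not Google's code) of the indicator matching the comment describes: constructed email metadata is checked against a constructed indicator set of phishing-URL domains, an IP address and an attachment hash, and only high-confidence hits produce a warning, mirroring the point that most indicators only detect broad activity. Every domain, IP and hash in the block is constructed for the example; none is a real indicator.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed indicator set (not real IoCs), with the analyst's confidence level:
# some indicators point to a targeted campaign, most only to broad activity.
IOCS = {
    "domain": {"login-verify-example.test": "high", "cdn-example.test": "low"},
    "ip": {"203.0.113.7": "low"},
    "sha256": {hashlib.sha256(b"constructed malicious attachment").hexdigest(): "high"},
}
URL_RE = re.compile(r"https?://\S+")

def _host_matches(host: str, listed: str) -> bool:
    """A URL host matches a listed domain when equal to it or a subdomain of it."""
    return host == listed or host.endswith("." + listed)

def scan_message(message: dict) -> list:
    """Return (indicator_type, value, confidence) hits for one message's metadata."""
    hits = []
    for url in URL_RE.findall(message.get("body", "")):
        host = urlparse(url).hostname or ""
        for ip, conf in IOCS["ip"].items():
            if host == ip:
                hits.append(("ip", ip, conf))
        for domain, conf in IOCS["domain"].items():
            if _host_matches(host, domain):
                hits.append(("domain", domain, conf))
    for attachment in message.get("attachments", []):
        digest = hashlib.sha256(attachment).hexdigest()
        if digest in IOCS["sha256"]:
            hits.append(("sha256", digest, IOCS["sha256"][digest]))
    return hits

def classify(hits: list) -> str:
    """Only high-confidence indicators justify a targeted-attack warning."""
    if any(conf == "high" for _, _, conf in hits):
        return "warn: matches targeted-campaign indicators"
    if hits:
        return "review: matches low-confidence indicators only"
    return "clean"

# Constructed sample messages (body text plus raw attachment bytes).
MESSAGES = [
    {"body": "Reset your password: https://mail.login-verify-example.test/reset?u=1", "attachments": []},
    {"body": "Quarterly report attached", "attachments": [b"constructed malicious attachment"]},
    {"body": "Slides: http://203.0.113.7/deck.pdf", "attachments": []},
    {"body": "Lunch tomorrow?", "attachments": []},
]
```

Running `classify(scan_message(m))` over `MESSAGES` yields warn, warn, review, clean in that order.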


Also, why do people like to use the term nation state when it involves hacking? Just to sound fancier? According to wiki, nation state has a precise meaning and it’s not equivalent to the term country.


I wrote my doctorate thesis in international relations theory and taught Intro to IR courses where the difference between country, state, nation, and nation state were covered in week one. You're right that there's a difference between country and nation state (and a difference between nation state and both nation and state, too) but in popular use - including politicians who should know better - the terms are interchangeable.


I think it's probably due to the fact that when the phrasing became popular, China was almost exclusively the focus. So it may not be accurate now, but at this point it's a habit.


It doesn’t. I was asking how they know in this case.


The indicators I mentioned are associated with a nation state actor because the attacks in which they were identified were attributed to a nation state. In other words, the selective targeting and sophistication match the interests of a nation state.

Geo-political intelligence analysts and sometimes field officers (aka spies) also play a role. For example, if a specific journalist was attacked while working on an article critical of a specific country, and at least one indicator was traced to a real human associated with that country's spy agency, then a confident attribution can be made.

The term "nation state" does sound a bit fancy, but it is different from "country" in that many nation states do not act on behalf of their people or to protect the interests of their country. If you use "country" that would include the people of the country, while "nation state" simply means the organization running the country. Plus you have situations like Taiwan, Hong Kong and Chechnya, where those nations are effectively their own nation state but they are under the control of a different country.

Here is a good reference attribution of APT3 (Chinese Ministry of State Security (MSS)): https://threatpost.com/apt3-linked-to-chinese-ministry-of-st...
