The well-known Project Zero security team run by Google exposed intelligence agency hacking operations by a US-allied nation, according to reports, causing counter-terrorist intelligence efforts to be shut down.
Project Zero is dedicated to finding so-called “zero-day” vulnerabilities in widely used software and systems. A vulnerability is “zero day” when it is not known to exist and therefore no patches or defences have been developed for it. Zero-day exploits are normally quite rare, not coming to light very often. When the Project Zero team discovers a zero-day, they notify the vendors of the affected products with the goal of getting it patched and preventing unauthorised intrusions into systems around the world. They also publicise the vulnerability, letting people know it exists and that patches need to be made.
Earlier this month Maddie Stone, head of Project Zero, issued a blog post describing the team’s efforts against “a highly sophisticated actor”, which Project Zero had first noticed in February 2020. The “sophisticated actor” had been making efforts to target devices using Android and Windows software by luring them in through a “watering hole website” that would attempt to infect some devices using a mixture of three zero-day and other “n-day” (already publicly known) vulnerabilities.
Back in 2020, Stone and her team published detailed analysis on the exploits, bringing the operations of the “sophisticated actor” to a halt and making sure that nobody could use the same vulnerabilities against other targets.
Then, last week, Stone published a new blog post. In it she revealed that the same hacking group had returned in October 2020, deploying no less than seven new zero-day attacks in what Project Zero assessed as “next iteration of the campaign discovered in February 2020”.
The Project Zero team concluded:
Project Zero closed out 2020 with lots of long days analyzing lots of 0-day exploit chains and seven 0-day exploits. When combined with their earlier 2020 operation, the actor used at least 11 0-days in less than a year. We are so thankful to all of the vendors and defensive response teams who worked their own long days to analyze our reports and get patches released and applied.
It has now emerged that the sophisticated actor was an intelligence agency of a US-allied nation, engaged in counter-terrorism operations. This was first reported by MIT Technology Review.
The exposure and blocking of the counter-terrorist operation was not an accident by Google’s Project Zero: the security researchers could see which IP addresses the attackers were trying to compromise, and knew what sort of people would be attracted by the “watering hole” bait website. The Google team took the decision to act in the full knowledge of who and what they were shutting down, a decision which reportedly caused some argument within the company.
Project Zero being who they are, they will always act to eliminate zero-day vulnerabilities as they find them: it’s what they do. If that disrupts lengthy, expensive, taxpayer-funded espionage and intelligence campaigns by friendly nations, in the eyes of Maddie Stone and her team that’s just too bad. It’s collateral damage in the battle to secure the world’s IT systems. There are plenty of government-backed hackers whose operations most Westerners would be happy to see shut down, too.
It’s not a new issue, as many in the field would acknowledge, and a balance always has to be struck. The US has a formal process of assessment for zero-days discovered by its own secret agencies, deciding whether they should be publicised for patching or “stockpiled” for hacking.
Sometimes this goes wrong: the WannaCry malware which crippled the British NHS and other organisations in 2017 was famously based on “Eternal Blue”, a Windows exploit previously developed and used secretly by the US National Security Agency (NSA). Many IT administrators in many organisations that year might have wished that Maddie Stone and Project Zero had found Eternal Blue and dealt with it the way they did the seven new zero-days of last October.