Almost everyone interested in cybersecurity has heard of Google Project Zero, the team that challenged Microsoft’s coordinated vulnerability disclosure practices with an uncompromising 90-day deadline to produce a fix or disclosure. But fewer people have heard about TAG, Google’s Threat Analysis Group.
That situation is about to change. Ahead of the 2020 US mid-term presidential elections, Google is ready to reveal more details about TAG activities and how the group is protecting users from malware, phishing attacks and, importantly in the current environment, disinformation campaigns from Russia.
“Going forward, we’ll share more technical details and data about the threats we detect and how we counter them to advance the broader digital security discussion,” said Google director of TAG Shane Huntley.
Huntley today revealed some details about TAG: it’s tracking 270 state-sponsored hacking groups from 50 countries, which likely include Russia’s Fancy Bear hacking group and a Beijing-backed group TAG recently caught using multiple iOS zero-day exploits in watering hole attacks on iPhone users from the Uyghurs ethnic minority in China.
TAG serves a different function than the work performed by bug hunters from Project Zero, which was established in 2014. The two groups serve different but overlapping functions: Project Zero is tasked with finding new security vulnerabilities in software, while TAG tracks the work of hacking groups who may use bugs that Project Zero researchers have discovered.
Project Zero has also published dozens of highly detailed technical reports into bugs they’ve found in iOS, Windows, Android, Chrome, Internet Explorer and other major software products.
By contrast, TAG has remained a largely behind-the-scenes operation, despite it predating Project Zero by about five years. The TAG group monitors for attacks on users of major Google products, such as those it has with over a billion users, like Gmail or YouTube, or products used to store sensitive information, like Google Drive.
TAG is also responsible for sending alerts to Google product users when the group detects specific users have been targeted by state-sponsored attackers. In the past it has also disclosed zero-day vulnerabilities affecting both Chrome and Windows. Those alerts in turn help drive targeted users to the Google Advanced Protection Program, which requires participants use physical two-factor authentication security keys when logging in to Google accounts.
Huntley said Google has sent more than 12,000 warnings to users from 149 countries who were targeted by state-sponsored attackers between July and September 2019.
TAG’s moment for coming out of the shadows comes as Microsoft bolsters its own AccountGuard alerts for political campaigns targeted by foreign adversaries. Microsoft in October revealed that an Iran-backed hacking group, dubbed Phosphorus, had tried 2,700 times to identify consumer email accounts belonging to accounts from Microsoft enterprise customers. Facebook has reportedly also ramped up its response to Russian disinformation activities.
Huntley says 90% of users who received the 12,000 warnings Google transmitted were targeted by phishing attackers after account credentials that would allow an attack to hijack an account.
But, given heightened concerns over a repeat of the US 2016 presidential election meddling from Russia, Google has decided to ramp up protections for users based on TAG research. TAG, for example, also helps YouTube combat efforts to use the video-sharing platform for political disinformation, not just against US political organizations.
"TAG is one part of Google and YouTube’s broader efforts to tackle coordinated influence operations that attempt to game our services. We share relevant threat information on these campaigns with law enforcement and other tech companies," said Huntley.
Google has terminated Google accounts associated with 15 YouTube channels and has detected potential attacks targeting Central African Republic, Sudan, Madagascar, and South Africa.
"Going forward, our goal is to give more updates on the attacks that TAG detects and stops. Our hope is that shining more light on these actors will be helpful to the security community, deter future attacks, and lead to better awareness and protections among high-risk targets.," said Huntley.