The decision to block an “expert” level cyberattack has caused controversy inside Google after it emerged that the hackers in question were working for a US ally.

Google’s security teams publicly exposed a nine-month hacking operation. What wasn’t disclosed: the move shut down an active counter-terrorist operation being conducted by a Western government. The decision has raised alarms inside Google and elsewhere.

Google runs some of the most venerated cybersecurity operations on the planet: its Project Zero team, for example, finds powerful undiscovered security vulnerabilities, while its Threat Analysis Group directly counters hacking backed by governments, including North Korea, China, and Russia. And those two teams caught an unexpectedly big fish recently: an “expert” hacking group exploiting 11 powerful vulnerabilities to compromise devices running iOS, Android, and Windows.

But MIT Technology Review has learned that the hackers in question were actually Western government operatives actively conducting a counterterrorism operation. The company’s decision to stop and publicize the attack caused internal division at Google and raised questions inside the intelligence communities of the United States and its allies.

(…)

In some cases, security companies will clean up so-called “friendly” malware but avoid going public with it. “They typically don’t attribute US-based operations,” says Sasha Romanosky, a former Pentagon official who published recent research into private-sector cybersecurity investigations. “They told us they specifically step away. It’s not their job to figure out; they politely move aside. That’s not unexpected.”

While the Google situation is in some ways unusual, there have been somewhat similar cases in the past. The Russian cybersecurity firm Kaspersky came under fire in 2018 when it exposed an American-led counterterrorism cyber operation against ISIS and Al Qaeda members in the Middle East.
Kaspersky, like Google, did not explicitly attribute the threat but nevertheless exposed it and rendered it useless, American officials said, which caused the operatives to lose access to a valuable surveillance program and even put the lives of soldiers on the ground at risk. Kaspersky was already under heavy criticism for its relationship with the Russian government at the time, and the company was ultimately banned from US government systems. It has always denied having any special relationship with the Kremlin.

Google has found itself in similar waters before, too. In 2019, the company released research on what may have been an American hacking group, although specific attribution was never made. But that research was about a historical operation. Google’s recent announcements, however, put the spotlight on what had been a live cyber-espionage operation.
via technologyreview: Google’s top security teams unilaterally shut down a counterterrorism operation