When the New York Times, Wall Street Journal, and other papers made headlines last month by exposing what they said were China-sponsored hacks into their organizations, I thought, pshaw. I’ve done some reporting on online security. The real news would be if they hadn’t been hacked. Security experts can’t say it enough: There are very few places Chinese digital spies haven’t gotten into.
Still, there’s knowing, and then there’s knowing. It was Saturday, Feb. 9, and I was working at home on the cover story about hacking. Just as I was about to send the draft to my co-reporter, Mike Riley, my laptop crashed. It was annoying. Then it got creepy. I rebooted and signed back into Gmail—and found a pink banner at the top of my in-box: “Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.”
I clicked on the link to “Protect yourself now.” The page informed me that I’d either received e-mails with malicious attachments or links to fake websites that could steal passwords and other information—what’s known as spear phishing. I changed my password to something stronger, as directed by the Google page. I’d already enabled two-step verification, requiring a text to my cell with a second code after I enter my password. That wouldn’t protect me if I did something dumb, like clicking on an unknown link from a stranger’s e-mail—but I was already, I thought, fastidious about where I clicked.
Several questions came to mind. First, what triggered this alert? Was it an e-mail? If so, which? And how did Google determine that it was a state-sponsored hack, as opposed to, say, your everyday criminal hack? And which state? I haven’t done much to annoy major governments recently; certainly not Russia, for example. I did play a part in a Bloomberg News report about the family wealth of China’s newest leader, Xi Jinping, which got Bloomberg’s website blocked in China.
A Google spokesperson declined to comment on the alert or what triggered it. (Who knows, maybe it was someone in the U.S.? China isn’t the only country with hacking chops.) It’s great that the company is telling its customers they’re being targeted by sophisticated spies, but what are we supposed to do then, other than try to be careful? “We can’t go into the details without giving away information that would be helpful to these bad actors,” explains Google’s Web page devoted to the topic.
The company has been sending these sorts of alerts since June. Mark Risher, whose former job at Yahoo! was to protect that company’s users from the evils that lurk on the Internet, says that just as Google is scanning my messages to serve me custom ads, it’s also scanning for attachments and content that might carry spyware. Determining whether a suspicious bit of code is state-sponsored or not isn’t easy, he says. It used to be that only governments could pull off such a technological feat, but now some corporations have the capability. “Private industry is doing this absolutely by necessity,” says Risher, whose new company, Impermium, makes anti-malware technology. “You can no longer sit around and wait for some government agency to pass you a blacklist.”