Google Gmail webpage under magnifying glass showing USB security key giveaway

10,000 “High Risk” Targets of Nation-State Hacking Groups Get USB Security Keys From Google

Google’s Threat Analysis Group has announced it is providing free USB security keys to a collection of politicians, activists and other high-risk individuals likely to be targeted by nation-state hackers.

10,000 individuals are being offered these keys as part of an “advanced protection program” after Google researchers identified a campaign by a Russia-backed threat group that targeted about 14,000 Gmail users with phishing attempts.

High-profile targets receive USB security keys as part of broader awareness campaign

Google discovered the phishing campaign, which it said targeted a “broad variety” of industries, in September. Shane Huntley, director of the Google Threat Analysis Group, said that the attacks show signs of being linked to Advanced Persistent Threat (APT) group 28, better known to the public as “Fancy Bear.” Fancy Bear has long been linked to Russian intelligence services and has a long pattern of attacking foreign governments and non-profit groups, most notably its successful phishing of the Democratic National Committee (DNC) ahead of the 2016 presidential election. That campaign also included attempts on some 4,000 Gmail accounts that had links to the DNC and Hillary Clinton’s presidential campaign.

Google said that it sent out thousands of warnings to Gmail users that were targeted in this campaign, something the company regularly does when it identifies an attack attempt as potentially being perpetrated by a state-backed threat actor. The company also said that it successfully blocked the attack emails. However, this incident seems to have prompted a security awareness campaign of which the free USB security keys are just the headline item.

Huntley took to Twitter to say that those receiving warnings, or even those selected to receive USB security keys, have not necessarily been hacked; to the contrary, a warning usually indicates that Google successfully blocked an attempt. But he did advise government employees and officials, activists, journalists and anyone working in a national security capacity that they can expect a reasonable likelihood of being a target of one of these APT groups.

The meat of Google’s effort is to encourage as many users as possible to activate two-factor authentication. To that end, the company said that it would soon be auto-enrolling some 150 million Gmail users and about two million YouTube users in its authentication system. This system generally asks users to provide a phone number at which to receive a text message for secondary verification, but it is also possible to use a hardware device.

10,000 high risk users will be getting those hardware devices for free from Google. The USB security keys are manufactured by Titan and usually retail for about $40. As an alternative to the usual text message authentication, users are asked to insert the key into a device’s USB drive as the secondary form of identification to gain account access. This is widely considered to be the most secure form of alternate authentication, as phone numbers can be captured remotely via social engineering of phone companies and SIM swapping techniques.

Google’s Advanced Protection Program

In 2017 Google launched its Advanced Protection Program targeted at higher-risk users of its platform that are likely to be tested by overseas hackers due to the nature of their work. This includes the software that Google uses to scan Play Store apps for malware before they go live, a stronger multi-factor authentication process, and certain account feature restrictions designed to trade some functionality for necessary security. Part of the intent of the giveaway of USB security keys is to raise awareness of the program among its target demographic. The program is free and is available to anyone, but is not necessarily recommended for all Google accounts as it can hamper access to some services.

Ilia Kolochenko, Founder/CEO and Chief Architect of ImmuniWeb, believes that this is a model that other major tech companies should adopt. However, he also points out that even hardware-based 2FA does not make one immune to hacking or to breach of stored data: “This laudable effort by Google should inspire other IT giants to share their knowledge and resources with the most vulnerable people who truly need them. Sadly, many of the targeted or would-be victims are chased by professional cyber-mercenaries and sophisticated state-backed hacking groups. The shrewd threat actors will likely have no difficulty accessing the victims’ data while it resides in the device’s memory in an unencrypted format, successfully bypassing MFA and other security controls. Moreover, the data oftentimes resides in several locations, for example, journalists frequently receive valuable reports and hints from whistleblowers who will now likely become the new target of cybercriminals. Furthermore, virtually any data is backed up or otherwise shared across several organizations, such as IT vendors or accountants, who will now fall victims to unscrupulous cyber gangs. Finally, in many countries that have poor protection of civil liberties, the victims may easily end up in jail for refusal to unlock their devices or cooperate with judicial authorities. Nonetheless, the ongoing efforts undertaken by Google are certainly better than non-feasance and will definitely prevent some cyber attacks.”

The 10,000 free USB security keys will be distributed over the remainder of 2021 by several partner organizations, such as the International Foundation for Electoral Systems (IFES) and Defending Digital Campaigns (DCC). These groups will focus on particular organizations and industries that they work with.

Google has unveiled a number of cybersecurity initiatives this week along with this handout of USB security keys. The company announced the formation of the Google Cybersecurity Action Team, which will focus on integrating its various tools with platforms provided by security partners such as Crowdstrike and Palo Alto Networks. The new organization will also advise government and business partners on security measures and attempt to tackle the needs of smaller businesses that are dependent on hard-to-secure legacy hardware. Google said it plans to invest a total of $10 billion over the next five years on cybersecurity efforts of this nature, including the development of zero-trust programs and open source projects aimed at beefing up supply chain security.