The Silicon Valley giant did not attribute the attack and left out many crucial details from its reports, which appear to have been issued to burnish its security credentials given the level of sophistication involved in the attacks.
A report in the Technology Review site said the decision to publicise this campaign had caused internal divisions at Google and also raised questions among American intelligence services.
Security firms studiously avoid mention of nation-state cyber operations launched by US agencies after one company, Kaspersky, paid a heavy price for doing so.
"Our intelligence agencies and others have plenty of resourcing. Private sector cybersecurity teams/companies should default to taking down malware, identifying malicious infrastructure, fixing vulnerabilities, etc. https://t.co/0cuIGbQj5g"
Robert M. Lee (@RobertMLee), March 27, 2021
But Kaspersky then made what could be interpreted as a parting shot, publicising an operation known as Slingshot during its annual Security Analysts Summit in Cancun in 2018.
It came to light later that the operation was a US military program run by the Joint Special Operations Command, a part of the Special Operations Command. Slingshot was apparently used by US military and intelligence personnel to collect information about terrorists.
"Kudos to the Google team on their efforts. I can understand others have different perspectives but this is fairly straightforward to me. You don't know the context of government operations and shouldn't be a player in that game. Make it harder on the offense and worry less."
Robert M. Lee (@RobertMLee), March 27, 2021
Google did not provide key details about the exploits, leading veteran security writer Ryan Naraine to gripe: "Google did not release IOCs (indicators of compromise) to help malware hunters look for signs of this actor in their networks. No hashes. No information on the watering hole domains. No technical details on the exploit servers. No YARA rules. No IDS signatures. No victim profile or geographic distribution. Nothing, actually.
"Google essentially flexed about its visibility into this APT's arsenal and infrastructure and told the rest of us that there are super-adversaries roaming around our devices, and there's nothing we can do about it.
"We need to be demanding better. At a minimum, these higher-impact threat-intel reports should include IOCs and YARA rules. Otherwise, we should treat them simply as the marketing reports they are."
Naraine now has his answer as to why Google kept back all these details.