So You’ve Been Targeted by a Government-Backed Attack Online, Now What?

Jigsaw · Published in Jigsaw · 8 min read · Dec 19, 2023

What do a housing rights advocate, a cell phone security researcher, and an international journalist have in common? They could all be at risk of being targeted by government-backed attacks online.

Government censorship of political dissent is nothing new. While broad techniques such as social media monitoring, restrictions on journalism, and blocking access to websites have long existed, some governments take a more personal approach to censorship and repression online by attempting to hack into personal accounts.

In 2012, Google was the first of the large technology companies to warn users after discovering evidence suggesting a government-backed threat actor was likely targeting their account. To gain a deeper understanding of current online security vulnerabilities and practices of civil society members on the front lines, Jigsaw recently revisited research initially conducted in 2014 in collaboration with Google’s Threat Analysis Group (TAG) into how at-risk users respond to government-backed attack attempts. We found at-risk users want to be secure, but face various hurdles in strengthening their security posture: complexity and added friction of certain security products, limited access to security expertise, limited resources to implement recommended security measures, and difficulty in accessing security solutions recommended for proactive protection.

Current Threat Landscape

Mandiant Intelligence expects that threat actors will increasingly take advantage of weaknesses in systems or software to conduct malicious activity, such as gaining unauthorized access, disrupting operations, or stealing data. Mandiant categorizes these actors in three ways:

  • APT: State-sponsored advanced persistent threats supporting national priorities.
  • FIN: Financially motivated groups.
  • UNC: Uncategorized groups, which have not yet been classified as APT or FIN.

Recent analysis shows not only an increase in the sophistication of hacks, often leveraging flaws in software code for which fixes are not yet available, but also a growing diversity in the applications and platforms targeted, beyond the major providers of communications technology — Google, Apple, and Microsoft.

A Deeper Look Into Government-Backed Attackers (APTs)

Taking a closer look at APT29, a Russia-based espionage group assessed to be sponsored by the Russian Foreign Intelligence Service, reveals how some advanced persistent threat groups leverage innovative tactics, techniques, and procedures against humanitarian groups, think tanks, defense, and diplomatic institutions. APT29 sent phishing emails designed to appear as administrative notices related to embassies relevant to the targeted organizations. These targeted phishing emails used legitimate but co-opted email addresses to deliver malicious attachments, which could lead to backdoors used to steal sensitive information, disrupt operations, and compromise critical systems. Many other such cases have been found to target human rights actors specifically. A 2019 coordinated malware campaign against Indian lawyers, activists, and journalists who spoke out about police abuse was reported by Amnesty International and Citizen Lab.

In a world where state-backed actors can completely take over an individual’s phone without them having to do so much as clicking a link in an email, the anxiety of targeted individuals is understandable, even as such sophisticated hacks remain the exception rather than the norm.

Firsthand Perspectives from At-risk Users

Many government-backed threat groups pose risks to human rights and democracy as they have historically worked to silence political rivals, intimidate journalists, and suppress civil society. Jigsaw sought to understand the perceived and actual threats faced by those working on the frontlines of advocating for free and open democratic societies.

Jigsaw conducted 20 in-depth interviews with a global mix of journalists, political activists, and civil society actors. These interviewees were selected based on varying degrees of preexisting cybersecurity expertise, drawing on Google’s at-risk users research framework of risk factors. At least half of these participants reported personally receiving warnings from Google or other tech platforms that their accounts had been targeted by state-sponsored actors. Jigsaw set out to understand their cybersecurity challenges, how they were responding to ongoing attacks, and to learn how we might better support them.

Cybersecurity Challenge 1: Complexity of Security Guidance

Most at-risk users are not technologists by trade. As such, many lack knowledge around the ever-changing cybersecurity landscape, leading to fear without effective vigilance. Many additionally cited a lack of confidence to navigate cybersecurity best practices, determine what is right for them, and implement it consistently across their personal and professional devices — that they often used interchangeably. Even if trained at work to secure devices, such users may further struggle to confidently gauge what is and isn’t a real threat. As one participant shared:

“We did have a cybersecurity person who helped present preventative and proactive measures but it felt over the top and unnecessary. It felt a little fear mongering.”

Further, the lack of confidence and knowledge can cause people to believe that any attempts to delve into cybersecurity measures may even do more harm than good. A public health researcher we interviewed stated,

“I’m not a technologist by training, so I feel like, can I really do this myself? Could I make something worse accidentally?”

Some research participants reported that receiving an attack warning would raise extreme alarm about whether their sensitive information had been compromised, and might lead them to take unnecessary or misguided actions, such as ceasing use of certain online products and communication altogether, and resorting to other, even less secure, means like downloading and printing documents. While reverting to offline use for all word processing and document storage needs may be viable for some users, it can just as often result in a chilling effect on the very speech they are trying to protect. Such an approach fails to address not only the symptoms of a breach, but also the root causes that allowed it to take place.

Cybersecurity Challenge 2: Continuous Emotional Burden

Some participants struggled to continue to protect themselves due to the continued burden and stress of such attacks. One respondent, a policy researcher working to defend digital rights, reported that government-backed attacks they experienced left them feeling “awful, miserable.” The effect of persistent targeting from a government-backed threat complicates one’s ability to maintain vigilance and can have an enduring impact on individuals’ psyches.

In addition, many at-risk users operate in environments of constant flux, whether they’re journalists or activists. Participants explained that taking proactive measures to secure their accounts was simply not a top priority, in contrast to other urgent goals like supporting colleagues in conflict zones, or getting out a breaking news story.

Cybersecurity Challenge 3: Managing a Growing Attack Surface

Consistent with Mandiant’s observation that there is a growing diversification of targets, some of the participants indicated multiple vectors through which threat actors may have been focusing efforts. One mobile security researcher reported being “constantly sent lures via WhatsApp, SMS, email, and LinkedIn with social engineering attacks and phishing links,” making it clear they were the subject of targeted attacks.

Not even security experts are immune. Ironically, the very people that act as resources for those targeted by government-backed attacks are often targets themselves. One security specialist based in Europe who consistently “supports people who actively irritate governments by improving their digital security” found themselves needing to take active measures to harden their own security posture as a result.

Cybersecurity Challenge 4: Accessibility and Personalization of Security Tools

Protective technology such as physical security keys may not always be affordable or accessible for at-risk users. The cost of tools can be a barrier to entry for many around the world, and certain practices such as purchasing software or keeping it up to date are not always feasible due to technological constraints.

One participant said, “There is one thing in Africa, most of the good tools [like anti-malware, anti ransomware], you have to pay for. Here money is a problem, everything is not flowing. The fact that the good ones are paid makes it difficult to go for them.” Another participant noted that some recommendations, like purchasing physical security keys, weren’t possible for them: “I don’t know if I have $20 for the security key right now.” Additionally, some participants lacked access to enterprise IT support entirely, so they were on their own to navigate recommendations.

Such differences in needs across at-risk users and threat contexts make it challenging to adopt a “one size fits all” approach to recommendations in security tooling. Some may need additional financial and technical support to get up to speed.

Additional Challenges

Risks of revealing threat context

One of the findings from our research was the desire for more context on threats that may be targeting users. The challenges around sharing such information are related to a concept used frequently in the cyber warfare community — technical gain/loss — the risk that exposing a particular capability may expose an unrelated operation. Revealing the context behind attacker activity could tip off attackers to how they are tracked and can enable a threat actor to evade detection in the future, eroding the security of all. While many at-risk users interviewed understood these tradeoffs abstractly, in practice they wanted more information to know how best to respond, and where to seek additional help.

Unclear responsibility for safety provisions

Another question that arose is who holds the responsibility to alter their posture, defend against, and mitigate these threats. Does the government, at local or federal levels, have a responsibility to individuals who may be victims of these attacks? Does the private sector have a responsibility to users of its products and services to defend against state-backed cyber operations? Are individuals who conduct business online expected to look after themselves and carry the full onus of responsibility for their online safety?

Many of the measures that private sector organizations take leverage the scale of their infrastructure to mitigate harm before the user is even aware of it. Google takes many steps to ensure that users’ privacy, safety and security are protected by default through activities such as proactive alerting for suspicious activity, detection and blocking of known threats, multiple layers of data encryption, and notification if passwords managed in Google Password Manager have been compromised. Users also have the option to run privacy and security checkups. As part of Google TAG’s mission to counter serious threats to Google and its users, TAG adds newly discovered malicious websites and domains to Google Safe Browsing to protect users from further exploitation, in addition to its quarterly TAG Bulletins that detail coordinated influence operation campaigns terminated on Google platforms.

Keeping At-Risk Users Safer Online

Google remains committed to making protections available specifically for at-risk users to enhance their own security posture.

Google has published a series of steps that individuals targeted by government-backed threat actors can take to harden their Google Account, including adoption of 2-Step Verification, the use of physical security keys like Titan Security Key, and enrollment in the Advanced Protection Program. Next year, Google will begin distributing 100,000 security keys at no cost to global at-risk users.

The suitability of specific security measures depends on the risk profile and threat model of a particular user or organization, and blanket approaches to security often fail to appropriately balance security and utility. Tools like Security Planner, originally developed by Jigsaw and Citizen Lab and now maintained by Consumer Reports, allow users to develop a personalized digital security strategy by answering a series of questions.

Attempts by governments to silence and intimidate political rivals and dissidents remain as pernicious and widespread as when Jigsaw began research on this topic in 2014. The varying cybersecurity challenges and needs of at-risk users means that no single solution can serve as a cure-all to mitigate this threat. Jigsaw and Google, however, remain dedicated to protecting users from the most advanced and persistent threats.

Contributors: John Prieto, Senior Consultant, Mandiant, Emily Saltz, Sr. UX Researcher, Jigsaw, and the Jigsaw R&D team

Jigsaw is a unit within Google that explores threats to open societies, and builds technology that inspires scalable solutions.