Google: Stop Burning Counterterrorism Operations

This piece refers to an incident involving Google TAG and Project Zero dating back to 2020 and 2021. At the time, these events stirred a small public debate primarily in favor of Google’s actions. However, in private these events were deeply unsettling to me and a considerable number of colleagues in the security research community.

After spending some time collecting my thoughts on the topic, I finally felt ready to share them publicly.

The views and opinions expressed in this piece are solely my own and do not reflect the views of my employer.

In January 2021, Google’s Project Zero published a series of blog posts coined the In the Wild Series. Written in conjunction with Threat Analysis Group (TAG), this report detailed a set of zero-day vulnerabilities being actively exploited in the wild by a government actor.

The event was a bombshell story and provided a rare, exciting, and deeply technical look into the often secret world of nation-state computer hacking. The report dissected not only the state actor’s exploit code but detailed how the entire operation worked, including deployment configuration and a teardown of implant code and command-and-control communications.

Project Zero and TAG were not passive observers in their investigation. They actively probed the actor’s attack servers, extracted as many exploits as they were able to, and reverse engineered the capabilities. Yet despite performing this intimate level of analysis, one of TAG’s main work products – attribution of the attacker and parties being targeted – was conspicuously absent from the report.

What the Google teams omitted was that they had in fact exposed a nine-month-long counterterrorism operation being conducted by a U.S.-allied Western government, and through their actions, Project Zero and TAG had unilaterally destroyed the capabilities and shut down the operation.

A few months later, Project Zero doubled down and published a series of follow-up articles exposing previously undisclosed exploits and targeting methodology from the same government actor. With the announcement of this second report, a Project Zero member attached the statement: “Each step we take towards making 0-day hard, makes all of us safer.”

This is a dangerously simplistic perspective.

The Google researchers on these teams do the work they do with the intention of harm reduction. However, burning all operations, no matter the actor and no matter the reason, demonstrates a grave misunderstanding of the critical role that cyber plays in reducing harm in the world.

Counterterrorism is one of the clearest examples of this. Cyber is a pivotal component of modern counterterrorism operations, and these campaigns have life-and-death implications that place them in a distinct category from “routine” espionage acts. When governments deploy cyber capabilities for this purpose, they are directly using these tools to thwart potential attacks on civilians, provide vital intelligence to soldiers on the ground, and deny technological resources to terrorists – all conducted while risking fewer U.S. and allies’ lives in the process.

Burning these operations stakes more than just the destruction of a surveillance tool or the loss of an intelligence source. Sometimes an exploit burned is also a human resource burned. Sometimes it’s a human killed. Sometimes it’s a victim not saved. There are myriad second-order effects that risk human lives in unique ways.

Most operations in this space are never made public. However, the slow drip of leaked and declassified stories over the years allows us to paint a picture of how governments use these tools to successfully infiltrate, exploit, and combat terrorist networks.

For example, in June 2016 the Australian Signals Directorate (ASD) utilized cyber operations to tip the scales in a critical battle in Iraq. By hacking ISIS phones and strategically disabling them at precise moments, ASD was able to disrupt ISIS communications in coordination with advancing Iraqi forces in the Tigris River Valley. The tactic provided a crucial edge to the Iraqi troops on the ground, who exploited the confusion as the militants fell back to less secure communication channels. This battlefield success directly set the stage for Iraqi and partner forces to later liberate Mosul from ISIS control.

Additionally, thanks to a series of declassified documents via the Freedom of Information Act (FOIA), we also know how offensive cyber has been used to tackle terrorist recruiting and propaganda efforts. In November 2016, a unit named Joint Task Force Ares (JTF-ARES), a collaboration between U.S. Cyber Command and the National Security Agency, began conducting a wide-scale cyber attack to dismantle ISIS’s online media operation. Coined Operation Glowing Symphony, the task force significantly degraded and destroyed ISIS’s capacity to recruit, disseminate propaganda, proselytize, and conduct financial transactions over the internet. As a result, many of ISIS’s websites, social media accounts, and most popular media outlets, such as their online magazine Dabiq and internal news service Amaq News Agency, ceased to operate.

After their initial attack, JTF-ARES continued their campaign by surreptitiously degrading ISIS computer networks, causing members of the organization to break their operational security (OPSEC) practices out of frustration and expose themselves. These lapses in OPSEC provided additional opportunities that were exploited by intelligence officers and soldiers on the ground.

Notably, in 2018 Kaspersky also published its Slingshot report exposing a counterterrorism effort by the U.S.’s Joint Special Operations Command (JSOC). The report laid bare an extensive, six-year-long exploitation campaign targeting ISIS and Al Qaeda members who used internet café computers to communicate with their leadership. Slingshot was an invaluable resource for monitoring these communications and identifying terrorists and co-conspirators. The intelligence it gathered was fed directly to JSOC soldiers conducting physical terrorist capture missions on the ground.

Kaspersky’s report burned the JSOC operation, and in response U.S. officials took the rare step of acknowledging the report publicly and conveyed “fear the exposure may cause the U.S. to lose access to a valuable, long-running surveillance program and put soldiers’ lives at risk.”

These risks to life are not abstract. In the late 2000s, an earlier form of this program physically sent JSOC soldiers and recruited Iraqi agents into internet cafés to covertly infect these computers. JSOC relied on a number of local Iraqi agents to perform in-person intelligence missions where it was unable to do so itself, and some of these agents were kidnapped and killed while carrying out their assignments. However, the intelligence they produced was invaluable. Monitoring these computers allowed JSOC to positively identify targets who were using machines inside the café, which led to hundreds of successful terrorist capture missions.

With this in mind, perhaps the most powerful and interesting aspects of cyber operations are the second-order benefits they provide. Computer network exploitation enables this same sort of intelligence gathering without risking human lives in the process. Exploits enable SIGINT (signals intelligence) collection in situations where HUMINT (human intelligence) and in-person operations would otherwise be necessary, and do so in a highly targeted manner without resorting to potentially controversial large-scale collection systems.

Remotely exploiting a computer used by terrorists eliminates the requirement for a human to obtain physical access to it. Hacking a smartphone allows soldiers to track a target’s precise location without physically following them. Listening to a terrorist’s conversations through a microphone removes the need for an agent to infiltrate those meetings. When cyber is removed as an option, more humans must instead deploy into the field to collect intelligence.

It’s crucial to make this point clear: Cyber operations keep people out of harm’s way while enabling them to collect critical intelligence for our national security.

While the decision by Project Zero and TAG to burn a counterterrorism operation is shocking, it’s not an entirely surprising one. Google is a commercial enterprise, and their actions serve Google’s customers.

But Project Zero and TAG have willingly inserted themselves into the national security affairs of countries. The decisions these teams make have real-world consequences on public safety, foreign policy, and warfighting. There are equities at stake beyond product security and each of these equities needs a voice.

It’s important to recognize I’m writing this piece both as a fan of Project Zero’s research and as a beneficiary of TAG’s services. I was one of several security researchers targeted by a 2021 North Korean campaign, and the warning I received was due to TAG’s work monitoring state-sponsored actors.

But we can’t give a pass to these teams based on the otherwise positive work they do. The decision to twice destroy a Western counterterrorism operation was a grave, potentially deadly misstep in Google’s history and should be remembered as such.

Special thanks to Ryan Stortz, Sophia d’Antoine, Dave Aitel, Ian Roos, and many more unnamed individuals for their assistance and support in writing this piece.