More than E-mail at Stake in Google Gmail Attack

There is a lot of talk–and diplomatic tension–this week related to reports that attacks originating from China have breached Google Gmail accounts, including those of senior US government officials. The focus is on e-mail, and whether or not e-mail accounts were hacked, but a breached Gmail account is a much bigger prize than just the e-mail account it is attached to.

Google claims that the spear phishing attacks that targeted Gmail accounts of White House staff, and successfully exposed accounts of senior US government officials, high-ranking military personnel, and political activists, originated from China. China denies any state-sponsored involvement in the attacks, and the FBI is investigating.

The Gmail e-mail accounts are getting all of the attention. Catalin Cosoi, head of the BitDefender Online Threats Lab, notes in a blog post, “Just as in the previous attack against the Gmail service, we can assume that cyber-criminals went after sensitive documents the users might have inadvertently forwarded from their business inboxes.”

But, it would be more accurate to say that Google accounts are being targeted or compromised–not just Gmail. Depending on the extent the hacked account relies on Google, there is potentially much more at stake than just the documents that might be forwarded as a file attachments from Gmail. There is no differentiation between hacking a Gmail account, and hacking the rest of the diverse array of Google services.

I am not saying that attackers can’t glean valuable information from hacking the Gmail account itself–just that e-mail only scratches the surface of what is breached when an attacker compromises a Google account. With the Gmail username and password in hand, an attacker can log in to the victim’s Google Calendar and find out where they’re going to be, and when, based on the events and appointments it contains.

If the victim actually uses Google Docs, the attacker will have access to all documents, spreadsheets, presentations, forms, and drawings stored online by the victim–not just the ones that might have been included as a file attachment in an e-mail.

Accessing Google Maps could yield valuable information as well. Most users enter a home address as the default location to save time when searching for driving directions. That default location would be exposed to an attacker. If the victim has saved locations in My Maps–like a place of business, or frequently visited locations, those would all be available to the attacker as well.

It is up to Google, and China, and the FBI to get to the bottom of whether the compromised accounts are a state-sponsored act of international espionage, or just the work of run-of-the-mill spear phishing cyber-criminals. But, regardless of who is behind the attack, or what the underlying motives are, there is more than just e-mail at stake.