Google’s Project Zero Finds a Nation-State Zero-Day Operation

Google’s Project Zero discovered, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. This seems to have been exploited by “Western government operatives actively conducting a counterterrorism operation”:

The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. They caught the attention of cybersecurity experts thanks to their scale, sophistication, and speed.


It’s true that Project Zero does not formally attribute hacking to specific groups. But the Threat Analysis Group, which also worked on the project, does perform attribution. Google omitted many more details than just the name of the government behind the hacks, and through that information, the teams knew internally who the hacker and targets were. It is not clear whether Google gave advance notice to government officials that they would be publicizing and shutting down the method of attack.

Posted on April 8, 2021 at 6:06 AM15 Comments


Clive Robinson April 8, 2021 9:14 AM

@ ALL,

From my perspective Google was right to out the zero-days as quickly as possible.

As for if they were right or not to burn an operation, that is something entirely different to increasing the safety of hundreds of millions of users world wide.

But lets not be coy on this, Western Goverments are every bit as bad if not worse than what the claim of other Governments.

But lets be clear about one thing as I’ve repeatedly poibted out before the US Government quite deliberately lies to the US Public about cyber-security for highly politicaly motivated reasons. So much so that the average US Citizen has not a clue about just what the US Gov does in their name. This “dirty politics” often not known to elected representatives significantly endagers the lives of every person in the world who appears to be American or sympathetic to America.

So take care on how you decide what is right, what is wrong, and most importantly what is neutral but ensures or increases the safety of you, your families, their friends and other loved ones. Despite what certain US Government entities and individuals beleive is justified by the “Might is Right Doctrine” of thugs, despots and tryants, allied with the rather repellant faux excuse of “But we are the good guys”, invariably as many have found out in the last eight years good guys they are not.

wiredog April 8, 2021 9:15 AM

I strongly suspect that google gave a heads-up to whatever “Western” government(s) was (were) (maybe still are…) conducting the operation. I know in the US deliberately and knowingly interfering with a counter-terrorist operation will get you on a LOT of agencies shitlists. Could even be prosecutable. Certainly not something you want brought up the next time something like the Jedi award or protests against it are on the line.

Mr Jansson April 8, 2021 10:30 AM

And who are these “Western Governments”..? No names given? Would make them look too bad? Probably Sweden is one of them then.

SpaceLifeForm April 8, 2021 2:33 PM

@ wiredog

Your Honor, the APT was so good, and so stealthy, that we could not attribute it to any group specifically, so we burned it in case it really was Martians.

yabba dabb dont April 8, 2021 2:53 PM

Google is entirely beholden to the national security apparatus in the USA. Anyone who thinks anything else is crazy. That ship sailed a decade ago.

Billy Joel April 9, 2021 2:26 AM


Google might even have been tipped off and told to act so that the USG didn’t have to tell an Ally to stop an operation and llok unfriendly or the USG used Google to “send a message” and twist an arm so that the Ally understand who’s in charge.

Or the Ally is not that close to USG, or the Ally passed a tax law for GAFAM that did upset Google’s management…

NoSpiesAllowed April 9, 2021 7:49 AM

@Mr Jansson

Would it matter who did it? There is no good hacking. And when it comes to economic spying every other nation is your enemy.

Mr Jansson April 9, 2021 9:44 AM


Well it seems to matter enough for disclose the name when the country is believed to be Russia/China/North Korea/[name-the-enemy]

Ismar April 10, 2021 12:22 AM

From the description of the infinity bug

“ At a certain point, this vulnerability class became extremely popular as it immediately provided an attacker with an enormously powerful and reliable exploitation primitive. Fellow Project Zero member Mark Brand has used it in his full-chain Chrome exploit. The bug class has made an appearance at several CTFs and exploit competitions. As a result, last year the V8 team issued a hardening patch designed to prevent attackers from abusing bounds check elimination. Instead of removing the checks, the compiler started marking them as “aborting”, so in the worst case the attacker can only trigger a SIGTRAP.”

Would not it be better for the Google sec team to work on tools that can automatically scan their code for these and other common types of security holes then to analyse the explanation post fact?

This can be done as part of standard software testing cycle that can be fully automated and updated to check for new classes of security exploits the same way regression testing is done on code functionality in order to maintaining high levels of code confidence.

Prevention is always better than the cure.

TRX April 10, 2021 3:46 PM

Would it matter who did it?

I would say ‘no.’

The original hackers found the exploits. Google found them. Who knows how many other hackers found them? Or how they’ve been using them?

SpaceLifeForm April 10, 2021 6:15 PM

@ TRX, Clive

What if I told you I could bust RSA but I declined to tell you the method?

What if I suspect or know that others have discovered the method?

If you are smart, stop using RSA.

Clive Robinson April 10, 2021 8:25 PM

@ SpaceLifeForm,

What if I told you I could bust RSA but I declined to tell you the method?

You know what the answer would be…

I would sit down woth a couple of dice and throw them 410 times getting five bits a throw. This would give me two very nearly truly random 1024bit starting points to find two primes of the right types. I would then make a RSA PubKey and PrivKey

I would then send you the PubKey and a test message of atleast 580 7bit ASCII characters that would be a plaintext message encrypted by a “simple polyalphabetic hand cipher” with the short random key appended to the end with the ciphertext encrypted under the PubKey.

All I would ask for is the ciphertext or if you felt like flexing the muscles the plaintext in a weeks time.

Why a 2kbit PubKey? well I’ve good reason to believe that 1k fell about a decade ago, and current FPGA’s will give you another 7-8bits and custom silicon about 10-14bits so it’s a reasonable margin.

But that’s not what you are getting at. What you are asking is a rather more interesting question.

Can 2kbits be cracked by the NSA or similar SigInt agency?

Well there is a whole monkey-cage of maybes there but it’s not impossible if their quantum computer endevors have paid dividends, or they have come up with some interesting maths.

There are ways to test the hypothesis, but I’m not going to post them for the obvious reason if I detail it, it will probably be read faster than you could, and shortly there after nolonger work… Also the flip side is if you do test it and find the answer is “Yes” your freedom to enjoy sunlight might get rapidly curtailed.

Is it likely they have some new interesting maths, well yes, but would it help? Who knows… But from a practical point of view, if it is possible to break there is certainly good odds that one or other of the original BRUSA agrement participents would have done it after half a century.

But realistically RSA is now realy at it’s end of shelf life anyway and people should start thinking about what to use next. After all using an 8kbit Key as some now are, just to send the equivalent of an SMS is too darn inefficient.

SpaceLifeForm April 13, 2021 5:29 PM

@ Ismar, Clive

Well, there is now an exploit out there now, due to effort of figuring out the flaw in V8. Via reverse engineering and study of patch.

Not going to link to it, because all of current Chromium based browsers can be attacked for another 2 weeks minimum.

Includes modern Edge on Windows.

The exploit as written pops Calc.

Apparently fails if the browser runs in sandbox mode.

SpaceLifeForm April 13, 2021 6:39 PM

@ Harald B

LOL. Coulda, Shoulda.

It’s out there. You can find if you know where to look.

Of course, all of the TLAs and APTs were already on it long ago.

It is way too easy. WASM.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.