# 3 Government-backed attack alert routing

> v0.0.3 · role: Detect · [policy: #33 · #11](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Google warns accounts it believes are targeted by state-sponsored attackers, through a system-defined alert rule that has been on by default since October 2018. The alert names the targeted user, so the work here is routing and response: raise the severity so it is not buried, send it to the monitored security address plus a named human, and record the response: password reset, enforced 2-Step Verification and Advanced Protection enrolment ([№21](advanced-protection.md)), coordinated through an out-of-band call rather than an email reply.

Documentation: [Government-backed attack alerts](https://knowledge.workspace.google.com/admin/reports/government-backed-attack-alerts)

## Caveats

- Google deliberately discloses no detection detail — absence of an alert is not evidence of absence.
- Never respond to the targeted user by email — assume their mailbox is being read by the attacker.

## Setup steps

1. Filter the rules list to system-defined rules and open 'Government-backed attacks'. — `Rules`

   - **Type** = System-defined

   docs: [View and edit system-defined rules](https://knowledge.workspace.google.com/admin/reports/view-and-edit-system-defined-rules)

2. Confirm the rule is active and raised to the alert center, and set severity so it is not buried. — `Rules › Government-backed attacks`

   - **Status** = Active
   - **Alert center** = On
   - **Severity** = High

3. Route the email notification to the monitored security address and to a named human who can call the affected user out-of-band. Recipients must be users in an internal domain; to reach an external address, use a Google Group. — `Rules › Government-backed attacks › Actions`

   - **Email notifications** = On
   - **Recipients** = security-alerts@<domain> + named responder (internal-domain addresses only)

   docs: [View and edit system-defined rules](https://knowledge.workspace.google.com/admin/reports/view-and-edit-system-defined-rules)

4. Record the response playbook/SOP in a document: the alert names the targeted user, so the response is a password reset and enforced 2-Step Verification, plus Advanced Protection Program enrolment ([№21](advanced-protection.md)), coordinated through an out-of-band call rather than email (since that channel may be compromised). — `Security › Alert center`

   Playbook link attached to the alert workflow

   docs: [View alert details](https://knowledge.workspace.google.com/admin/security/view-alert-details) · [Enable user enrollment in the Advanced Protection Program](https://knowledge.workspace.google.com/admin/security/enable-user-enrollment-in-the-advanced-protection-program)

## Ongoing maintenance

- **[requires a human]** Quarterly: confirm the named responder is still current staff and the playbook link resolves.

## How to verify

1. Open the system-defined rule "Government-backed attacks" and confirm Status = Active, alert center delivery On, and the recipient set is the monitored address plus a named responder.

## Settings screens

- Rules > System-defined rules > Government-backed attacks
  - console: https://admin.google.com/ac/ax
  - screenshot: ../screenshots/admin.google.com/ac/ax.png
- Security > Alert center (where the government-backed-attack alert lands)
  - console: https://admin.google.com/ac/ac
  - screenshot: ../screenshots/admin.google.com/ac/ac.png
