MITMing a Google server doesn't _necessarily_ mean that they want the info Google has. Google host a number of libraries such as Analytics and jQuery which are widely used on other sites. The attack could have been to send a modified version of those so that websites (other that Google) transmit information that is normally kept on the client (e.g. sending the key to the NSA in an app that normally does client-side encryption).