Google-China cyber espionage saga - FAQ

How did the attack take place? Did Google strike back at the attackers? Was the Chinese government behind the attacks, and if not who orchestrated them and for what reason? It's time to answer some of the most frequently asked questions.
Written by Dancho Danchev, Contributor

With more details emerging on the inner workings of the targeted malware attack that hit Google and over 30 other companies (ZDNet News Special Coverage - Special Report: Google, China showdown), it's time to summarize all the events that took place during the past week, and answer some of the most frequently asked questions such as - How did the attack take place? Did Google strike back at the attackers? Was the Chinese government behind the attacks, and if not who orchestrated them and for what reason?

Go through the FAQs and their answers.

Q: Which companies were affected in the targeted malware attacks?

According to the initial post confirming the targeted malware attacks, Google stated that "at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted."

On the same day, actual details on who had been targeted started to emerge, prompted by Google's decision to go public with the incident in the first place, with Adobe being the first company to confirm the "corporate network security issue", later on denying the initial allegations that the attacks took place through a zero day flaw in Adobe's Reader.

According to public reports, the number of affected companies increased to 34, including Yahoo, Symantec, Northrop Grumman and Dow Chemical. Of those, only Yahoo, Juniper Networks and Symantec provided details that they're currently investigating possible security incidents, without actually confirming that their networks may have been successfully compromised in the attacks.

A day after Google's announcement of the incident, the law firm Gipson, Hoffman and Pancione, which represents CYBERsitter in a $2.2 billion lawsuit against China for pirating source code and using it in Green Dam, a content filtering / censorship program, reported that "it has suffered cyber attacks originating from China".

Q: How did the attack take place?

Through a combination of spear-phishing (a targeted attack) and a zero day flaw (CVE-2010-0249) affecting Microsoft's Internet Explorer (see which versions and which platforms are affected).

Microsoft is currently working on an emergency patch, given the fact that the exploit code used in the attack is now publicly available, with the governments of Germany and France urging users to stop using Internet Explorer.

Not only did the targeted malware attack manage to bypass the malware/spam filters of the organizations (Phishing experiment sneaks through all anti-spam filters; New study details the dynamics of successful phishing), but it also managed to successfully exploit hosts within the working environment, which allowed the attackers to steal intellectual property from Google.

Upon the successful exploitation of these hosts, the attackers relied on the Hydraq trojan in order to facilitate the theft of intellectual property (Trojan.Hydraq Exposed; Trojan.Hydraq - Part II), and continue maintaining access to the affected hosts.

Q: Were the attacks indeed one of the "most sophisticated" ever seen as claimed by certain security vendors?

In order to say that something is the "most sophisticated", you'd first have to compare it with a related incident/piece of malware. The Google incident is often cited as "ultra sophisticated" due to the quality of the malware code and the successful "segmentation of the attack population", the practice of finding the names and emails of prospective victims to be targeted within a particular enterprise. However, no matter how sophisticated the code, compared to Conficker this incident is basically a targeted malware attack exploiting a zero day flaw that ultimately drops a piece of malware coded from scratch.

Malware code sophistication shouldn't be a criterion for a state-sponsored operation, due to the availability of "malware coding for hire" services allowing potential customers to have their own sophisticated piece of malware, coded by the very same malware authors whose creations fuel the growth of today's crimeware epidemic.

Moreover, the concept of using zero days for targeted attacks is nothing new. A similar targeted attack relying on an MS Word zero day against U.S. Department of State computers took place in 2007. So are there any key differentiating factors left? The question is how they managed to obtain the emails used in the targeted attacks against so many companies. And with no company offering additional insights on the nature of the campaign structure used, for instance whether the attackers were relying on "event-based social engineering" tactics, we can only speculate on the ease or sophistication of tricking employees into clicking on the links.

There are numerous ways in which the attackers obtained the emails, including internal ones which are not publicly available. One of these practices is called OSINT (open source intelligence) through botnets, a concept that's been around since the first time botnets were perceived as a tool for conducting espionage. With the ability to geolocate the physical location or network location of the entire botnet, a botnet master can easily filter the availability of infected hosts within a particular company's netblock, country, even city, and from there can data mine and engage in hit list building for future targeted malware attacks.

In 2007, Support Intelligence's "30 Days of Bots" experiment successfully located malware-infected hosts within the networks of Fortune 1000 companies, with these compromises making it possible to collect internal emails, map the network structure, etc.


Q: What kind of information was stolen and accessed without authorization?

According to Google, which is the only company that has publicly acknowledged the security incident, the theft from their network was targeting intellectual property, as well as several Gmail accounts which, according to the company, belong to human rights activists in China. The rest of the affected companies decline to discuss such security incidents, possibly due to the negative publicity, and therefore neither confirm nor deny that intellectual property was stolen.

The claim that these accounts were accessed is perhaps the most notable connection with the Chinese government, considering the fact that the command and control servers were not located in China. And even if they were, it would basically mean that the Chinese Internet, which is well known for its widespread abuse and often holds the top position for spam and malware sending, could have been abused by a third country or an international enterprise engaging in espionage, while risk-forwarding the attacks to a known bad network.

Why would a Chinese government spy hack Google in order to attempt to read the contents of several Gmail accounts, rather than taking the much more effective approach, one they've been relying on so far, namely individually attempting to infect human rights activists with malware, instead of the exotic approach of exposing themselves by compromising Google? In September 2009, Chinese hackers launched targeted attacks against foreign correspondents, not by hacking their ISPs, but by targeting them individually as part of the GhostNet cyber espionage campaigns.

Q: Where were the command and control servers located, and does it really matter at the bottom line?

In short, the physical location of the command and control servers doesn't really matter, in the sense that for years malware infected hosts have been used as stepping stones (island hopping) for increasing a cybercriminal's anonymity (The Cost of Anonymizing a Cybercriminal's Internet Activities; The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two), hedging the risk of getting caught and risk-forwarding the responsibility for a particular security incident to the country in question. This very same approach was utilized by the attackers, and is a daily routine for a huge percentage of cybercriminals.

They not only relied on "island hopping", but used U.S. based command and control servers located in Illinois and Texas, and several in Taiwan. Managed hosting provider Rackspace quickly responded to some of the claims by confirming that one of their servers was compromised and was indeed participating in the targeted malware attack.

What about the historical reputation of the command and control servers/IPs involved in the campaign? According to VeriSign iDefense, "it has spoken to 'two independent, anonymous sources in defense contracting and intelligence consulting.' They told it the source IPs and drop server of the attack had been traced back to systems associated with agents of the Chinese state, or their proxies."

The following is a complete list of the domains involved in the targeted malware attack:



Q: Did Google strike back at the attackers?

Apparently, engineers at Google gained access to a computer in Taiwan and, by doing so, saw evidence of the ongoing attacks targeting at least 33 other companies.

Q: What other actions is Google currently undertaking in response to the security incident?

Google is not only considering the option of leaving the Chinese Internet market, citing human rights violation concerns and the recent cyber espionage attacks, but is also soliciting the support of major U.S. technology companies. However, the rest of the tech giants appear to be fully anticipating the business potential of China's market.

Quoted on Bloomberg, Chuck Mulloy, a spokesman for Intel, stated that they haven't seen evidence of a "broad-based attack". Microsoft's Steve Ballmer was quoted as saying that "every large institution is being hacked", with HP's Mark Hurd sharing a similar view, quoted by the Financial Times as saying "I'd hate to run off on this one example and say it's a threat to the evolution of the IT industry".

Moreover, Google has not only given its China employees a holiday leave, but appears to be investigating possible insider participation in the attacks, with workers there no longer having access to their computers until the investigation is over.

Q: Did the targeted malware attack receive any political attention?

With Google's bargaining power, that was pretty obvious. On the same day that they announced the targeted malware attack, U.S. Secretary of State Hillary Rodham Clinton issued a "Statement on Google Operations in China":

"We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation. The ability to operate with confidence in cyberspace is critical in a modern society and economy. I will be giving an address next week on the centrality of internet freedom in the 21st century, and we will have further comment on this matter as the facts become clear."

More reactions followed, such as Anna G. Eshoo's response to the attack on Google:

"I'm deeply disturbed that yet another wave of attacks is coming from China. This raises serious national security concerns. I commend Google for coming forward with information about this attack and for cooperating with law enforcement officials to investigate the origin and nature of it. It is important that companies continue to be transparent and open about cyberthreats.

"For far too long, cyberattackers have hidden in the shadows. These kinds of attacks are unacceptable and undermine confidence in the global economy. I urge other companies possessing such information to come forward to help the government identify the source of these attacks, so that the criminals can be held accountable for their actions."

And from Loretta Sanchez's commentary:

"This attack was a blatant, illicit attempt to access the private information of Google users who the government perceives to be a threat. If China turns out to be the perpetrator, it should be strongly condemned for its actions, which violate the internet's core principles of free speech and expression.

"At the same time, I applaud Google's decision to risk its lucrative Chinese contracts for the sake of these principles. In the past, Google and other internet providers have struggled to provide their Chinese users with a free and open forum in the face of government opposition. I sincerely hope Google's threat to sever its ties with China completely will compel not only the Chinese government but other regimes - like Vietnam - to finally expand free speech on the Web."

Q: What was the international community's response to the cyber espionage fiasco?

Yahoo!'s China partner Alibaba Group commented on Yahoo!'s alignment of positions with Google's:

"Alibaba Group has communicated to Yahoo! that Yahoo's statement that it is 'aligned' with the position Google took last week was reckless given the lack of facts in evidence," the firm's spokesman John Spelich told AFP in an email. "Alibaba doesn't share this view."

Yesterday, India's National Security Advisor M K Narayanan was quoted as saying that his office and other departments were also targeted with cyber attacks coming from China:

"Mr Narayanan told The Times that his office and other government departments were targeted on December 15, the same date that US companies reported cyber attacks from China. He said the attack was in the form of an e-mail with a PDF attachment containing a "Trojan" virus that allows a hacker to access a computer remotely and download or delete files. After detecting the virus, officials were asked not to log on until it was eliminated. "This was not the first instance of an attempt to hack into our computers," Mr Narayanan said."

Interestingly, in the past week everyone who ever experienced a security incident and believed that China was behind it is deciding to go public with their claims, in particular human rights activists blaming Chinese authorities for compromising their email accounts.

Historically, hardly a country has failed to blame China for the ongoing cyber attacks hitting its networks. Germany in 2007, the U.K. in 2007, France in 2007, and New Zealand again in 2007 all went public with allegations that China was responsible for the cyber attacks hitting their networks.

Q: Did China issue an official response to the allegations?

China's only official response so far has been that "China's internet is open and the Chinese government encourages development of the internet. Chinese law proscribes any form of hacking activity."


Q: Was the Chinese government indeed behind the cyber espionage campaign?

There are a few key factors to consider before answering this question, and jumping to conclusions.

The first one is the difference between a government-sponsored and a government-tolerated cyber attack. Government-sponsored cyber attacks are directly state funded hacking/cyber warfare activities aiming to achieve a specific government agenda, with the authorities themselves having control over the organization and execution process. This type of cyber attack is harder to prove, due to the evasive practices the government in question could apply in order to avoid a potential scandal if detected.

But the very notion that Chinese authorities sponsored, endorsed, set the agenda for, and participated in the organization and execution process of the Google incident is something I doubt they would get their hands dirty with in the first place. But how come? Even though they can hedge the risk of getting caught by forwarding the responsibility to third-party individuals unaware of who they're really working for, if a clear long-term agenda is given to their local hacktivist groups, they would successfully migrate from the incriminating government-sponsored attack to a government-tolerated one.

China, just like Russia, has among the most vibrant hacktivist movements, with skilled and self-mobilizing individuals who have proven they need no government involvement in important hacktivist incidents such as the DDoS attacks against Georgia, or the crowdsourced attack on CNN courtesy of Chinese hacktivists (The DDoS Attack Against CNN.com; Chinese Hacktivists Waging People's Information Warfare Against CNN). It's a people's information warfare, using national dignity and the overall collectivism within a society as the key incentive.

By allowing/tolerating their local hacktivist/hacking/cybercrime communities to flourish, these countries end up with an endless pool of human resources from whose activities they can directly benefit, most of the time without the individuals themselves even being aware of the practice, thinking it's their own game. This strategic migration from a government-sponsored to a government-tolerated attack is what makes this question hard to answer with a definite yes or a definite no, since it's all a matter of perspective.

Every country's private sector would love to have a government conducting corporate espionage for them and then passing on the obtained intellectual property. In this particular case, no country's cyber spies would expose themselves in such a way as the supposedly Chinese government sponsored Google hackers did. It's simple logic. Even more interestingly, so far I haven't come across a single opinion even considering for a second the possibility of a private sector espionage operation.

Both a country's government and its private sector have the resources and the motivation to engage in such activities. And since the recent espionage campaigns were aiming to steal intellectual property from the private sector, it may well be another well funded private sector company engaging in unethical competitive advantage gaining practices through outsourcing.

Even though it's fairly logical to assume that China's government spies are truly interested in stealing intellectual property from military contractors, case in point being this on-going targeted attack against US military contractors, by maintaining a government-tolerated cyber attack policy China may in fact be collecting the fruits of the hacking activities of its vibrant and technically sophisticated hacktivist community.

Q: Has China ever complained of similar targeted malware attacks against its networks?

But of course. In 2008 China declined to comment on the source of similar cyber espionage attacks hitting its "core networks", but pointed out that 80% of the hosts involved were based in the United States.

Does this automatically mean that U.S. based cyber warriors are behind the cyber espionage attempt? Not necessarily, since compromised hosts used as stepping stones (island hopping) can easily make it look like the compromised country's hosts actually belong to the physical attacker himself.

Cyber espionage activities courtesy of different nations continue making the headlines on a regular basis. For instance, in 2008 South Korean Army officers were hit with North Korean spyware, and German spooks admitted using a "trojan horse" to spy on an Afghan politician and a SPIEGEL journalist, again in 2008.

One thing remains certain, even if Google leaves the Chinese Internet market, it would still remain vulnerable to the very same threats that each and every enterprise connected to the Internet is facing these days. Moreover, the Google-China cyber espionage saga is not your typical black and white situation. And just like espionage in general, it's always a colorful case.

What do you think? Was the cyber espionage incident sponsored by the Chinese government, or was it a private sector operation looking to steal intellectual property from major U.S. tech companies? Does it really matter who was behind the attack, considering the fact that the networks of major companies did indeed get compromised and data was stolen?

Do you believe that approaching China on this incident would have any significant impact beyond a "we're investigating" response, or what other long-term actions should be taken in general? Perhaps the emphasis should be on the actual incident and its impact on business continuity, instead of on trying to figure out who did it, taking into consideration the fact that they won't stop doing it?
