Google made a considerable revelation last week, announcing that it was hit with a targeted and sophisticated cyber attack originating from China that resulted in stolen intellectual property. The attack was aimed at gaining access to the Gmail accounts of Chinese human rights activists. The unspoken implication is that the Chinese government was involved in the attacks.
As a result, Google plans to stop censoring Google.cn search results, potentially ceasing to operate in China altogether. Since that time, updates to the story — both speculation and fact — have run rampant through the Internet.
And there’s little wonder why the so-called “Aurora” attacks are drawing so much interest; the attacks were focused in part on the Internet’s most popular search engine (as well as more than 30 other large corporations). One of the vectors was a flaw in a product of the world’s largest software company, and at stake is the most sizable Internet market across the globe.
To add to that, this developing security industry story extends far beyond the tech sphere with its involvement of cyber espionage, intellectual property, diplomacy, human rights, and censorship versus free speech on the Web. The angles and tangents stemming from Google’s now-infamous blog post last week seem almost endless.
As with any story of this magnitude, there is much speculation; the assumptions revolve around the driving force behind the attacks, the motivation behind Google’s decision, the wider implications for businesses operating in China, and the effects on diplomacy between China and the United States — and even on global politics as a whole. But what is starting to become slightly clearer is the computer security perspective.
Google’s initial blog post only revealed that the assault was a “sophisticated and targeted attack” on its corporate infrastructure, and that the Gmail accounts were likely accessed through phishing scams or malware placed on the users’ computers. This week, however, more security facts are evident; let’s take a look.
The China Context
What do we know about malware in China and attacks coming from this part of the world? According to Lavasoft malware analysts, hackers in China focus on creating desktop rather than server malware. And, the criminal underground pays a great deal of money for these client-side exploits, which are used to install malware on millions of desktops.
When it comes to malware distribution, China is known to be a global hotspot. Industry statistics back up this reputation.
According to a whitepaper by Lavasoft Malware Labs’ researchers that explores the Internet networking context of China, the country accounts for 11 percent of all malware in the world. A Google report from early 2008 states that 67 percent of malware distribution servers, along with 64 percent of the websites that link to them, are located in China. A 2008 report by StopBadware.org states that China hosts 52 percent of identified “badware” sites, more than any other country in the world.
In terms of cyber espionage attacks, there is little debate about the scope of attacks produced by China; China doesn’t have a positive track record when it comes to cyber espionage, which, analysts say, has been an ongoing problem with attacks on commercial, government, and military targets over the years. According to the U.S.-China Economic and Security Review Commission report, released in October, the Chinese government is expanding its cyber spying operations against the U.S., and Chinese espionage operations are “straining the U.S. capacity to respond.”
Method of Attack
To understand more about the attack that Google and the other 34 companies faced, and to assess the seriousness of it, researchers are looking at the method of attack used. This attack, used to steal intellectual property, is what’s known as an “advanced persistent threat.” Teams behind this kind of attack are highly organized, well funded, and resourced with advanced skills, according to Lavasoft Malware Labs. While this type of threat had mainly been seen within government networks in the past, this latest event now shows its use has spread towards commercial targets.
Advanced persistent threats require highly equipped and experienced individuals who — in contrast to lower-level cyber criminals who spread their nets wide to catch as many unwitting victims as possible — select a small number of high-yield targets, understand their vulnerabilities, exploit them accordingly, and extract only the most useful information without being detected. In this case, the method of attack seems to be more sophisticated than the actual malware. The more valuable and better secured the target is, the more sophisticated the approach has to be in order to reach it unnoticed.
Taking this method of attack into consideration, combined with the high profile of the targeted institutions, Google’s implication that Beijing sponsored these attacks, and the United States Secretary of State releasing a statement asking the Chinese government to respond to Google’s allegations, there’s no question that the attack was an extreme assault, with serious intentions.
Attack Vectors — And Security Repercussions
While initial reports speculated that attackers may have exploited flaws in Adobe Acrobat to carry out the attack, analysts now say that there’s no evidence of this. While it remains to be seen what other types of malicious attacks were used, one attack vector is known: Microsoft has acknowledged that Internet Explorer was one of the vectors used, with attackers exploiting a critical, previously unknown security flaw in the browser — one that is currently not patched — to download malware onto compromised machines.
With this known, other security repercussions stem beyond the dozens of companies targeted by this attack — and they fall on the end user.
Google initially advised computer users to make sure to have updated anti-virus and anti-spyware software, install operating system patches, update Web browsers, as well as to be cautious of clicking on links and sharing personal information online — and that advice is still vital and sound. Beyond that, though, people are now advised by industry experts to use an alternative Web browser until Microsoft issues a patch to fix the vulnerability in Internet Explorer.
Many questions still remain unanswered in terms of the scope and nature of the attacks — and the facts on exactly where they originated. This attack is significant for a variety of reasons, from its high-profile targets to the sophistication of the method to the responses by private companies and government officials. Coverage of this story originally focused on big business and weighty moral issues like Internet censorship, but now everyday computer users have been thrown into the mix, with the repercussions of the attack putting them at risk.
This is certainly an attack heard about and felt around the Web, and around the world, and it will be of interest to us all to see what is uncovered as more develops.