Behind the China attacks on Google (FAQ)
Here's what is known and what is not known about the China-related attacks on Google and the other Silicon Valley companies.
Google shocked the security community on Tuesday by disclosing that it and other companies had been hit by attacks that originated in China, with some targeting Gmail users who were human rights activists. As a result, the search giant said it would stop censoring its Web results in China and could end up exiting that market altogether.
Google hasn't released many details on the attacks or named any of the other companies, and sources seem to have only bits and pieces of information. Here's what CNET knows at this time.
What happened?
Google said in a blog post on Tuesday that in mid-December it discovered a "highly sophisticated and targeted attack" on its corporate infrastructure originating from China that led to theft of its intellectual property. It said it discovered as part of its investigation that at least 20 other large companies, in the areas of Internet, finance, technology, media, and chemical, had been similarly targeted.
The attack on Google involved attempts to access the Gmail accounts of Chinese human rights activists, but only two accounts were accessed and the contents of e-mails were not exposed--only account information like the date the account was created, Google said.
Separately, Google discovered that accounts of dozens of Gmail users in the U.S., China, and Europe who are human rights advocates "appear to have been routinely accessed by third parties," not through a security breach at Google, but most likely as a result of phishing scams or malware placed on the users' computers, the company said.
In a separate blog post, Google said it believed that Google Apps and related customer data were not affected by the attack. "The route the attackers used was malicious software used to infect personal computers," the post said.
What companies were targeted?
About 15 minutes after Google released its blog post saying there were at least 20 companies targeted, Adobe Systems issued a blog post saying that it became aware on January 2 of a "computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies...At this time, we have no evidence to indicate that any sensitive information--including customer, financial, employee or any other sensitive data--has been compromised."
The Washington Post, citing unnamed sources, reported that other targets were Yahoo, Symantec, Northrop Grumman, and Dow Chemical. Northrop Grumman declined to comment, and Dow Chemical said it has "no reason to believe that the safety, security and intellectual property of our operations are in jeopardy," the newspaper said.
Yahoo and Symantec refused to confirm or deny the claim. A Yahoo spokeswoman said "Yahoo does not generally disclose that type of information, but we take security very seriously and we take appropriate action in the event of any kind of breach." Symantec issued this statement: "As the world's largest security provider, we are the target of cyber attacks on a regular basis. As we do with all threats, we are thoroughly investigating this one to ensure we are providing appropriate protection to our customers. We have no additional detail."
Meanwhile, Juniper Networks was a target, according to several sources who asked not to be named. On Thursday, Juniper released this statement, which neither confirms nor denies the claims: "Juniper Networks recently became aware, and is currently investigating, a cyber security incident involving a sophisticated and targeted attack against a number of companies. We take these incidents seriously and as with any investigation of this nature, we do not disclose details."
Researchers at VeriSign iDefense said the number of targets was 34, all in Silicon Valley.
Separately, a law firm in Los Angeles involved in litigation against China said on Wednesday that it had been targeted in a China-based attack this week. Gipson Hoffman & Pancione said employees received e-mails Monday and Tuesday masquerading as communications from within the company that included Trojan-laden attachments or Web links. The firm filed a $2.2 billion lawsuit last week on behalf of Solid Oak Software against the Chinese government alleging code from the Cybersitter Web content-filtering program was copied and put it in China-created Green Dam Youth Escort software. It is unclear whether this attack is at all linked to the attacks on Google and the other companies.
Who was behind the attacks?
Google did not specify how it knows the attacks originated in China and did not outright blame the Chinese government. Sources said it is typically difficult to find evidence specifically leading back to Chinese officials in computer attacks. Google must have some solid evidence for it to take such drastic action and risk losing millions of dollars in revenue from the Internet's largest market.
Researchers who have investigated these attacks said they were traced to China several ways and that they share characteristics with previous attacks linked to the Chinese government. The attacks used command-and-control servers based in Taiwan that are commonly used by or on the behalf of the Chinese government, according to iDefense. "The IP addresses used to launch the attacks are known to be associated with previous attacks from groups that are either directly employed agents of the Chinese state or amateur hackers that are proxies for them that have attacked other U.S. companies in the past," said Eli Jellenc, head of international cyberintelligence at iDefense.
How were the companies targeted?
It is possible the attackers used "multiple exploits and multiple, tailor-made Trojans for different targets," said Jellenc. "That is an extraordinary leap in sophistication from other targeted attack campaigns we've seen in the past," he said.
Microsoft said on Thursday that a newly discovered vulnerability in Internet Explorer was used in the attacks. Initially, malicious PDFs targeting a hole in Adobe Reader were suspected to be culprits, but Adobe said on Thursday that it has no evidence that is the case.
Coincidentally, Adobe patched a so-called "zero-day hole" in Reader and Acrobat on Tuesday that was discovered in mid-December and had been exploited in attacks in the wild to deliver Trojan horse programs that install backdoor access on computers.
In such targeted attacks, an attacker typically sends an e-mail to a specific administrator or other worker inside a company, often masquerading as someone the recipient knows. If the recipient opens the attachment, the malware is dropped onto the target computer from where it can be remotely controlled to steal data, access sensitive parts of the network, or even launch an attack on other computers.
In at least one of the attacks, the attack code was set to download the Hydraq Trojan onto victim computers, according to Rick Howard, iDefense intelligence director, who said his lab analyzed a copy of the malware it received from a target company.
Were insiders involved?
Sources told CNET that Google is looking into whether there was insider involvement. Companies that are attacked that do business in China will typically investigate, as a matter of course, whether someone in their Chinese office might have ties to the government there or have been involved in some way, either by planting malware inside the company or passing it on to unwitting targets in the company, sources said.
What was stolen from the companies?
iDefense says source code was targeted at the companies and that most of the attacks appear to have been successful. Google said some intellectual property was stolen but did not elaborate. The company also said limited account information of two Gmail users was accessed.
IDG News Service, citing an unnamed source, reported that attackers "apparently were able to access a system used to help Google comply with search warrants by providing data on Google users," referred to as an "internal intercept" system.
Meanwhile, Texas-based hosting provider Rackspace confirmed early on Wednesday that a server at the company had been compromised and used in the attacks. It was not known what information was stored there.
Does this follow the pattern of other attacks?
Yes. Researchers at iDefense said the characteristics of the attacks on Google and the others were very similar to those of China-based attacks launched last summer, including using the same DNS provider, similar hosts for command-and-control communication and related IP addresses. "Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July," iDefense said.
Was Google particularly vulnerable to these attacks?
As one of the largest technology companies and one of the few housing search, e-mail and other records of Internet activities of billions of Internet users around the world, Google would be an obvious target for attackers. China imposes restrictions on what Web sites it allows citizens to access using filtering technology and secret policies followed by the major search engines operating there, but that tight control only extends to its borders and isn't always effective.
Is there a way consumers can protect themselves from this?
Although these attacks targeted corporations, consumer computers can be targeted in the same way. Computer users should be wary of opening attachments or clicking on links in e-mails from people they don't know or that were unsolicited. People should keep their antivirus and security software up to date, as well as use the latest versions of operating system and application software on their machines, and install patches. There are also programs, like AVG LinkScanner, that can protect people from visiting sites hosting malware.
To avoid phishing scams, people should contact companies directly to verify that a suspicious e-mail is legitimate, not give out personal information requested in e-mail and change passwords frequently.
Updated 6:05 p.m. PST with Juniper statement and 12:46 p.m. PST with attackers believed to have used malware exploiting an unpatched hole in Internet Explorer, not Adobe Reader, as sources initially said.