China-based Google attacks similar to prior ones

Malware exploiting unpatched holes in software was used in attacks on Google and others in December and in a previous attack on U.S. companies last summer, expert says.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Updated 11:45 a.m. PST January 14 to note that iDefense and Adobe now say that an Adobe vulnerability was not involved in the attacks and 8:18 a.m. PST January 13 with Rackspace comment.

The targeted attacks on Google and more than 30 other U.S. companies late last year bear striking similarities to targeted attacks on 100 U.S. companies last summer, a security researcher familiar with the attacks said Tuesday.

Last July, workers at about 100 U.S. technology companies were targeted with e-mails containing malicious PDF files that exploited a zero-day vulnerability in Adobe Reader. The attacks were detected early and there were no serious consequences, said Eli Jellenc, head of international cyberintelligence at VeriSign iDefense.

In mid-December, Google, Adobe Systems, and a host of other Silicon Valley companies were targeted by attacks originating in China, prompting Google on Tuesday to say that it will stop censoring its Chinese search results and to threaten to pull out of that market.

The code was similar to that used in the previous attack. iDefense and other sources had initially said that the latest attacks were believed to involve malicious PDF files in e-mail attachments, but that has turned out to be unsubstantiated, Rick Howard of iDefense said.

Adobe on Thursday said it does not believe its software was involved. "At this time, we have no evidence to suggest that a vulnerability in Adobe technology was an attack vector in the attack against Adobe or other companies involved. Our investigation is still ongoing," the company said in a statement.

Adobe on Tuesday patched a zero-day vulnerability in Reader and Acrobat that was discovered in mid-December and was being exploited by attacks in the wild to deliver Trojan horse programs that install backdoor access on computers. Jellenc said he could not say for sure whether that was the vulnerability targeted in the attacks on Google and the others.

Reader was found to be one of the buggiest programs in 2009 and has been the target of numerous zero-day exploits in the wild.

Google said the companies targeted in the attack numbered more than 20, but iDefense put the number at 34, including Google. In many of the cases, the attack was successful, Jellenc said. The attacks were targeting source code repositories, according to iDefense.

The code samples obtained by iDefense from the two attacks are different but have very similar characteristics, he said. They contact two similar hosts for command-and-control communication to receive instructions from the attackers once the target machines are infected, according to iDefense. The servers used in both attacks employ the HomeLinux DynamicDNS provider and they both currently point to IP addresses owned by Linode, a U.S.-based company that offers virtual private server hosting, iDefense said. In addition, the IP addresses from both attacks are within the same subnet and they are six IP addresses apart, the company said in a statement.

"Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July," iDefense said.
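The infrastructure comparison iDefense describes (same dynamic-DNS provider, same hosting owner, same subnet, addresses a few apart) can be written as a pairwise check over two incidents' command-and-control indicators. This is an added example, not code from iDefense or the article; the hostnames, addresses, zone list, netblock owner, and thresholds are constructed placeholders.

```python
import ipaddress
from itertools import product

# Constructed sample indicators (documentation address space, placeholder
# names); none of these values come from the incidents in the article.
JULY = [("update.alpha.dyn.example", "192.0.2.10"),
        ("mail.beta.other.example", "198.51.100.77")]
DECEMBER = [("news.gamma.dyn.example", "192.0.2.16"),
            ("cdn.delta.third.example", "203.0.113.5")]

# Assumed analyst-maintained inputs: known dynamic-DNS parent zones and
# hosting-provider netblocks (hypothetical owner name).
DYNDNS_ZONES = {"dyn.example"}
NETBLOCKS = {"ExampleHost VPS": ipaddress.ip_network("192.0.2.0/24")}

def dyndns_zone(hostname):
    """Return the dynamic-DNS zone a hostname sits under, or None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        if zone in DYNDNS_ZONES:
            return zone
    return None

def owner(ip):
    """Return the name of the netblock owner for an address, or None."""
    return next((name for name, net in NETBLOCKS.items() if ip in net), None)

def correlate(set_a, set_b, prefix=24, max_gap=16):
    """Compare every C2 pair across two incidents; keep pairs with >= 2 overlaps."""
    findings = []
    for (host_a, ip_a), (host_b, ip_b) in product(set_a, set_b):
        a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
        zone_a, own_a = dyndns_zone(host_a), owner(a)
        gap = abs(int(a) - int(b))
        signals = {
            "same_dyndns": zone_a is not None and zone_a == dyndns_zone(host_b),
            "same_owner": own_a is not None and own_a == owner(b),
            "same_subnet": b in ipaddress.ip_network(f"{a}/{prefix}", strict=False),
            "close": gap <= max_gap,
        }
        score = sum(signals.values())
        if score >= 2:  # a single shared trait is too weak to report
            findings.append({"pair": (host_a, host_b), "gap": gap,
                             "score": score, "signals": signals})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for finding in correlate(JULY, DECEMBER):
        print(finding)
```

Overlap of this kind supports a hypothesis that two campaigns share an operator; shared hosting and dynamic-DNS providers are also used by many unrelated parties, so the score is a lead for further analysis, not proof.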

Jellenc said his company started helping some of the victimized companies with the investigation on Thursday night, providing information on characteristics of attacks launched by Chinese groups.

Examining the attacks
Google noticed the malicious code in its system in mid-December and then followed it back to the drop servers and determined that other companies--including at least two financial companies and one major defense contractor--had been targeted, Jellenc said, citing sources familiar with the investigation.

Google also may have been able to see a target list of IP addresses in the code, he said. (Google has declined to provide more details about the attacks beyond what it has publicly stated.)

The attackers stored data acquired in the attacks at Texas-based hosting provider Rackspace and had command-and-control servers based in Taiwan that are commonly used by "actors out of the People's Republic of China," he said.

A Rackspace spokeswoman confirmed early Wednesday that a server at the company had been affected. "In this case, a server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyberattack, fully cooperating with all affected parties," she said. The hosting company runs the servers and operating systems for its customers' Web sites, but customers run their own applications on the servers, she said.

Jellenc said that iDefense "confirmed with some clients and partners of ours in the defense contracting community that the IP addresses used to launch the attacks are known to be associated with previous attacks from groups that are either directly employed agents of the Chinese state or amateur hackers that are proxies for them that have attacked other U.S. companies in the past."

At Google, attackers not only wanted intellectual property, but they tried to access Gmail accounts of Chinese human rights activists, Google said. Only two Gmail accounts appear to have been accessed and only limited account information, and not e-mail contents, was visible, according to Google. In addition, accounts of dozens of Gmail users in the U.S., China, and Europe who advocate human rights were accessed routinely by third parties, probably via phishing or malware located on the user's computer, Google said.

While attacks can be traced back to a country of origin, it's very difficult to prove that it was the work of a government agency, said John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, which does independent research for the U.S. government.

The attacks are just the latest in a series of attacks from China on nonmilitary Web sites, according to Alan Paller, director of research at the SANS Institute. In November 2007, U.K. and U.S. companies doing business in China were targeted for proprietary information, he said. And in May 2008, Chinese entities hacked into organizations working for freedom in Tibet, he said.

"The interesting thing about this is somebody big is fighting back," Paller said.

These types of attacks happen every day, said George Kurtz, chief technology officer at McAfee. "What we're seeing is really the tip of the iceberg," he said. "This is going to be bigger than originally anticipated."

Jellenc and other security experts said they did not believe the targeted attacks were at all related to an attack Tuesday on Baidu, China's largest search provider. In that attack, visitors to the Baidu site were re-directed to a site where a group calling itself the "Iranian Cyber Army" claimed responsibility for the attack. The same group had taken credit for a similar attack on Twitter last month.

Dan Kaminsky, director of penetration testing at IOActive whose research has helped improve the security of the Internet infrastructure, predicted the attacks would prompt references to a Digital Pearl Harbor.

"I don't know how accurate or how fair that is but certainly something of note has occurred that has not occurred in previous years," he said.

"I think everybody is surprised by the utterly unambiguous response," Kaminsky added. "This definitely is 'shot heard round the world' territory, at least in our [security] community."