Google's spy case: Not the first, nor the last

Corporate spying is an unfortunate fact of life for U.S. corporations, which have seen a surge in attacks from Chinese perpetrators in the last several years.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Tom Krazit Former Staff writer, CNET News
Tom Krazit writes about the ever-expanding world of Google, as the most prominent company on the Internet defends its search juggernaut while expanding into nearly anything it thinks possible. He has previously written about Apple, the traditional PC industry, and chip companies. E-mail Tom.
Elinor Mills
Tom Krazit
6 min read

The recent cyberattacks on Google and other U.S. companies became public because they prompted Google's dramatic showdown with China, but attempts to steal corporate secrets using the Internet happen under the radar on a daily basis.

"Espionage has been going on for decades. The Internet has made it a lot easier to conduct espionage," said John Bumgarner, chief technology officer at the government-funded think tank U.S. Cyber Consequences Unit. "The targets are mostly defense contractors and high-tech companies that have some type of competitive advantage that someone wants to steal."

When regular business activities fail, some desperate companies turn to espionage to steal information that will help them become more competitive. For instance, source code is stolen from high-tech companies by rivals who want to copy their software programs. Countries might turn to the practice to get information that will help them enter new markets and leap-frog advances in other countries.

Google said intellectual property was stolen in the attack on its network, but didn't specify what. But sources familiar with the investigation into the attacks on Google, Adobe--and reportedly Yahoo, Symantec, Dow Chemical and Northrop Grumman--have said source code was the target in the attacks, and that in many of the cases the thieves were successful.

In Google's case, insiders may have played a role in the attacks, sources familiar with the investigation told CNET.

Of course, espionage can happen in any industry. Car manufacturers are vulnerable to losing design specifications for future vehicles, pharmaceutical makers risk losing information on patent-pending drugs, and the military's weapons systems are highly attractive targets.

"Maybe at the end of the day, it's more cost-effective. Maybe it's easier to steal the next product than invent it," said Fred Rica, a principal with PricewaterhouseCoopers who advises the consulting company's clients against cyberattacks.

Spy versus spy
While corporate espionage has been going on for decades, the sophistication of modern attacks has grown sharply in recent years, Rica said.

"It is clear that our critical infrastructure is under attack from a very sophisticated, well-organized, and well-funded adversary," he said.

Google didn't specifically blame the Chinese government, but said the attacks originated from within China. It is clearly willing to complicate its relationship with the Chinese government, however, taking the extreme step of saying it no longer plans to censor search results in accordance with Chinese laws, and may withdraw from the country altogether if an agreement cannot be reached.

Russia, Israel, and other countries have pried into the secrets of other countries, but China needs to catch up to development in other countries and is by far the biggest industrial espionage player, Bumgarner said. "The Chinese are really focused on improving their economy and in order to do that they need to get new business established to sell services across the planet and one way to do that is to conduct industrial espionage," he said.

With the advent of the Internet, espionage has moved from the era of dumpster diving --although that is still done--to remote intelligence gathering from across the globe.

In the Google case, employees were most likely targeted with e-mails that contained links or attachments that led to malware. Microsoft acknowledged on Thursday that a new hole in Internet Explorer was exploited in some of the attacks. On Friday, McAfee said code to exploit that hole was published on the Internet, putting all users of IE 6, 7 and 8 on all modern Windows platforms at risk until the hole is patched. In the attacks, employees within the corporations may have received e-mails masquerading as communications from someone familiar in what are known as social-engineering attempts.

In addition, Google is investigating whether employees in its China office were involved in what looks like a multi-prong attack on the company's network, according to sources familiar with the investigation. Some employees in China were reportedly put on leave. Google has declined to comment on specifics of the investigation.

Installing spies within a target company is another common espionage trick. Insiders can more easily plant malware and spyware inside a company without having to get past corporate firewalls and they can forward e-mail around without having to hide their identities, experts say.

"There have been several good examples over the years where insiders were caught extracting information, such as foreign nationals working for Cuba and China," including at Motorola, said Bumgarner said. A software engineer who worked for eight years at Motorola was accused of spying after she was arrested in 2007 while waiting to board a one-way flight to China carrying more than 1,000 proprietary documents, according to published reports.

In a down economy, when companies rely more heavily on short-term contractors and temps, it can be even easier to infiltrate the opposition, Rica said.

"I used to work at a [telecom] company where the janitors were foreign nationals from a country that was a competitor and every night those janitors had full access to the facility where they were able to go through anyone's records at night, photograph information, and extract records out of the building," Bumgarner said.

This is part of a time line showing significant Chinese-related cyberevents in recent years that was included in a report Northrop Grumman prepared in November 2009 for the US-China Economic and Security Review Commission. Northrop Grumman/US-China Economic and Security Review Commission

Hardball with hardware
There have also been instances of products shipped from overseas ending up on U.S. shelves and in U.S. corporations that were found to have been compromised, either intentionally or unintentionally. Digital photo frames, hard drives, and USB keys from China have been found with viruses implanted in them in what experts say is a "supply chain problem."

Software and components can be tampered with to include spyware or to cause damage to target systems in what Bumgarner has dubbed "cybertoge." Probably the most famous case of this type of sabotage involved the CIA, which reportedly fed software to Russia that had a hidden code in it that caused an explosion and damaged the trans-Siberian pipeline in 1982, according to experts.

Spies can try to compromise hardware that companies rely on to run their business. For instance, they can switch components out at some point in the supply chain, such as when parts are put together to build a computer at a manufacturer. In this way, spyware or other malware could be sneaked into a corporation."There are various levels of hard discs coming out of China--microchips with writable memory--where people can insert code," said Bumgarner.

A chip industry source familiar with hardware-based attacks described cases where outsiders can introduce "Trojan logic" into chips destined for sensitive installations. Something similar happened to Cisco in 2008, when the Federal Bureau of Investigation determined that more than 3,500 Cisco products sold to the U.S. military and defense contractors contained counterfeit chips that were not proven to contain surveillance gear, but could have.

In that case, a two-year investigation was required to determine that Cisco routers with counterfeit chips had wound up in sensitive places within military networks. China cooperated with that investigation, and individuals within the country were reportedly arrested, but few believe the problem stopped there.

Also within the last two years, a military organization that Bumgarner would not identify discovered that data was getting leaked to servers located in Hong Kong by a Trojan hidden on a shared computer that was also spreading the malware to USB keys inserted into the computer. The malware threat is considered so great with USB drives that the U.S. Defense Department banned their use in 2008.

Picking up the pieces
The costs to victims are hard to calculate. Corporations stand to lose millions of dollars in revenue that will end up going toward sales of competitive products based on the stolen information. Firms also may incur costs when they are forced to modify their designs and sales strategies or develop new products as a result.

"There was an example where a company had a half-billion dollars in economic damage because of competitive intelligence loss," said Bumgarner. "Some companies have gone out of business."

Corporations need to make sure they have three levels of security in place against potential attacks and espionage efforts, Rica said. They must train their employees to be aware of phishing scams and make sure that critical security hires are trustworthy, develop processes for detecting and isolating attacks as soon as they happen, and make sure they have the technology to keep their networks protected, he said.

Federal authorities have shown an increased interest in helping corporations figure out who is behind attacks on their networks and intellectual property, but it's still very easy to get away with espionage, Rica said. "The risk/reward ratio for the perpetrators hasn't changed yet," he said. "People don't rob banks anymore because the likelihood of getting caught and going to jail is high."

So expect cyberattacks bent on espionage to only increase over the next several years, unless a breakthrough is made on prevention, enforcement, or both.

"Only the stupid ones get caught," Rica said. "I can only imagine what the smart ones are doing."