Chinese authorities behind Google attack, researcher claims

Forensics expert who examined malware believes it's too good to have come from independent hackers

The malware used to hack Google is so sophisticated that researchers brought in by the company to investigate believe the attack code was designed and launched with support from Chinese authorities.

According to Carlos Carrillo, a principal consultant for Mandiant, a Washington D.C.-based security incident response and forensics firm, the attack against Google last month was "definitely one of the most sophisticated attacks I've seen in the last few years."

Mandiant was called in by Google to look into the attack, and Carrillo was the project manager for the Google investigation. During an interview Friday, he frequently chose his words carefully, saying that there was much he couldn't discuss because the work was ongoing.

"The malware was unique," Carrillo said. "It had unique characteristics ... it was ... let's just say it was unique."

Other researchers who have examined the malware have also come away impressed. Thursday, Dmitri Alperovitch, vice president of threat research at McAfee, called the attack code "very sophisticated" and added, "We've never seen anything this good in the commercial space. In [attacks on] government, yes, but not commercial."

But what does that kind of expertise mean?

Carrillo is convinced that, given the sophistication of the code, it was produced with support from Chinese authorities. "This wasn't on the level of Metasploit," Carrillo said, referring to the open-source penetration testing framework whose exploits are often used by hackers to craft malware. "This wasn't something that a 16-year-old came up in his spare time."

When asked if the code quality pointed toward Chinese state support, Carrillo answered, "I would say so." He declined to elaborate.

Mandiant was called in to investigate the attack on Google "early in the process," said Carrillo, who refused to get more specific. McAfee's Alperovitch said that time stamps in the malware's command-and-control log files indicated the attacks began in mid-December and ended Jan. 4, when the hackers' servers were shut down.

In the announcement Tuesday that its corporate network had been hacked and intellectual property stolen, Google said the attacks had been discovered in mid-December. Google also said the attacker tried to access the Gmail accounts of Chinese human rights activists, a move that -- along with increasing censorship of the Web by China's government -- has prompted it to reevaluate its business in the country.

Carrillo also provided additional information to the still-sketchy framework of the attack, saying that the exploit of a vulnerability in Microsoft's Internet Explorer was not the only vector used by the hackers. That seemed to back up Microsoft's assertion that the IE bug wasn't the sole cause of the break-ins.

And while the number of companies hit by the Chinese attacks have been reported as low as 20 to as high as 34, Carrillo said Mandiant's work indicated an even larger number may have been hit.

"Most of the time, companies find out [about such attacks] when they're contacted by third parties, like other companies or law enforcement," Carrillo said. "Until then, they're not aware they've been attacked. They don't have a clue."

But that's not a surprise in attacks like the ones that hit Google. "These [attackers] are very good at what they do," Carrillo said. "Without getting into details, their techniques allow them to masquerade as legitimate users, so traditional means of, for example, intrusion detection or antivirus security are for the most part ineffective."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to gkeizer@ix.netcom.com or subscribe to Gregg's RSS feed .

Join the discussion
Be the first to comment on this article. Our Commenting Policies