Chinese authorities behind Google attack, researcher claims
Forensics expert who examined malware believes it's too good to have come from independent hackers
Computerworld - The malware used to hack Google is so sophisticated that researchers brought in by the company to investigate believe the attack code was designed and launched with support from Chinese authorities.
According to Carlos Carrillo, a principal consultant for Mandiant, a Washington D.C.-based security incident response and forensics firm, the attack against Google last month was "definitely one of the most sophisticated attacks I've seen in the last few years."
Mandiant was called in by Google to look into the attack, and Carrillo was the project manager for the Google investigation. During an interview Friday, he frequently chose his words carefully, saying that there was much he couldn't discuss because the work was ongoing.
"The malware was unique," Carrillo said. "It had unique characteristics ... it was ... let's just say it was unique."
Other researchers who have examined the malware have also come away impressed. Thursday, Dmitri Alperovitch, vice president of threat research at McAfee, called the attack code "very sophisticated" and added, "We've never seen anything this good in the commercial space. In [attacks on] government, yes, but not commercial."
But what does that kind of expertise mean?
Carrillo is convinced that, given the sophistication of the code, it was produced with support from Chinese authorities. "This wasn't on the level of Metasploit," Carrillo said, referring to the open-source penetration testing framework whose exploits are often used by hackers to craft malware. "This wasn't something that a 16-year-old came up in his spare time."
When asked if the code quality pointed toward Chinese state support, Carrillo answered, "I would say so." He declined to elaborate.
Mandiant was called in to investigate the attack on Google "early in the process," said Carrillo, who refused to get more specific. McAfee's Alperovitch said that time stamps in the malware's command-and-control log files indicated the attacks began in mid-December and ended Jan. 4, when the hackers' servers were shut down.
In the announcement Tuesday that its corporate network had been hacked and intellectual property stolen, Google said the attacks had been discovered in mid-December. Google also said the attacker tried to access the Gmail accounts of Chinese human rights activists, a move that -- along with increasing censorship of the Web by China's government -- has prompted it to reevaluate its business in the country.
Carrillo also provided additional information to the still-sketchy framework of the attack, saying that the exploit of a vulnerability in Microsoft's Internet Explorer was not the only vector used by the hackers. That seemed to back up Microsoft's assertion that the IE bug wasn't the sole cause of the break-ins.
And while the number of companies hit by the Chinese attacks have been reported as low as 20 to as high as 34, Carrillo said Mandiant's work indicated an even larger number may have been hit.
"Most of the time, companies find out [about such attacks] when they're contacted by third parties, like other companies or law enforcement," Carrillo said. "Until then, they're not aware they've been attacked. They don't have a clue."
But that's not a surprise in attacks like the ones that hit Google. "These [attackers] are very good at what they do," Carrillo said. "Without getting into details, their techniques allow them to masquerade as legitimate users, so traditional means of, for example, intrusion detection or antivirus security are for the most part ineffective."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to firstname.lastname@example.org or subscribe to Gregg's RSS feed .
Web giants attacked
- White House orders security review in wake of WikiLeaks disclosure
- Leaked U.S. document links China to Google attack
- Update: Researchers track cyber-espionage ring to China
- Google, China now playing cat and mouse?
- McAfee: 'Amateur' malware not used in Google attacks
- Military warns of 'increasingly active' cyber-threat from China
- China: Google 'totally wrong' to stop censoring
- Update: Google stops censoring in China
- Google's China ad partners wait in 'incomparable pain'
- Google may soon leave China, reports say
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!