Chinese authorities behind Google attack, researcher claims
Forensics expert who examined malware believes it's too good to have come from independent hackers
Computerworld - The malware used to hack Google is so sophisticated that researchers brought in by the company to investigate believe the attack code was designed and launched with support from Chinese authorities.
According to Carlos Carrillo, a principal consultant for Mandiant, a Washington D.C.-based security incident response and forensics firm, the attack against Google last month was "definitely one of the most sophisticated attacks I've seen in the last few years."
Mandiant was called in by Google to look into the attack, and Carrillo was the project manager for the Google investigation. During an interview Friday, he frequently chose his words carefully, saying that there was much he couldn't discuss because the work was ongoing.
"The malware was unique," Carrillo said. "It had unique characteristics ... it was ... let's just say it was unique."
Other researchers who have examined the malware have also come away impressed. Thursday, Dmitri Alperovitch, vice president of threat research at McAfee, called the attack code "very sophisticated" and added, "We've never seen anything this good in the commercial space. In [attacks on] government, yes, but not commercial."
But what does that kind of expertise mean?
Carrillo is convinced that, given the sophistication of the code, it was produced with support from Chinese authorities. "This wasn't on the level of Metasploit," Carrillo said, referring to the open-source penetration testing framework whose exploits are often used by hackers to craft malware. "This wasn't something that a 16-year-old came up in his spare time."
When asked if the code quality pointed toward Chinese state support, Carrillo answered, "I would say so." He declined to elaborate.
Mandiant was called in to investigate the attack on Google "early in the process," said Carrillo, who refused to get more specific. McAfee's Alperovitch said that time stamps in the malware's command-and-control log files indicated the attacks began in mid-December and ended Jan. 4, when the hackers' servers were shut down.
In the announcement Tuesday that its corporate network had been hacked and intellectual property stolen, Google said the attacks had been discovered in mid-December. Google also said the attacker tried to access the Gmail accounts of Chinese human rights activists, a move that -- along with increasing censorship of the Web by China's government -- has prompted it to reevaluate its business in the country.
Carrillo also provided additional information to the still-sketchy framework of the attack, saying that the exploit of a vulnerability in Microsoft's Internet Explorer was not the only vector used by the hackers. That seemed to back up Microsoft's assertion that the IE bug wasn't the sole cause of the break-ins.
And while the number of companies hit by the Chinese attacks have been reported as low as 20 to as high as 34, Carrillo said Mandiant's work indicated an even larger number may have been hit.
"Most of the time, companies find out [about such attacks] when they're contacted by third parties, like other companies or law enforcement," Carrillo said. "Until then, they're not aware they've been attacked. They don't have a clue."
But that's not a surprise in attacks like the ones that hit Google. "These [attackers] are very good at what they do," Carrillo said. "Without getting into details, their techniques allow them to masquerade as legitimate users, so traditional means of, for example, intrusion detection or antivirus security are for the most part ineffective."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to email@example.com or subscribe to Gregg's RSS feed .
Web giants attacked
- White House orders security review in wake of WikiLeaks disclosure
- Leaked U.S. document links China to Google attack
- Update: Researchers track cyber-espionage ring to China
- Google, China now playing cat and mouse?
- McAfee: 'Amateur' malware not used in Google attacks
- Military warns of 'increasingly active' cyber-threat from China
- China: Google 'totally wrong' to stop censoring
- Update: Google stops censoring in China
- Google's China ad partners wait in 'incomparable pain'
- Google may soon leave China, reports say
Read more about Security in Computerworld's Security Topic Center.
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!