Chinese authorities behind Google attack, researcher claims
Forensics expert who examined malware believes it's too good to have come from independent hackers
Computerworld - The malware used to hack Google is so sophisticated that researchers brought in by the company to investigate believe the attack code was designed and launched with support from Chinese authorities.
According to Carlos Carrillo, a principal consultant for Mandiant, a Washington D.C.-based security incident response and forensics firm, the attack against Google last month was "definitely one of the most sophisticated attacks I've seen in the last few years."
Mandiant was called in by Google to look into the attack, and Carrillo was the project manager for the Google investigation. During an interview Friday, he frequently chose his words carefully, saying that there was much he couldn't discuss because the work was ongoing.
"The malware was unique," Carrillo said. "It had unique characteristics ... it was ... let's just say it was unique."
Other researchers who have examined the malware have also come away impressed. Thursday, Dmitri Alperovitch, vice president of threat research at McAfee, called the attack code "very sophisticated" and added, "We've never seen anything this good in the commercial space. In [attacks on] government, yes, but not commercial."
But what does that kind of expertise mean?
Carrillo is convinced that, given the sophistication of the code, it was produced with support from Chinese authorities. "This wasn't on the level of Metasploit," Carrillo said, referring to the open-source penetration testing framework whose exploits are often used by hackers to craft malware. "This wasn't something that a 16-year-old came up in his spare time."
When asked if the code quality pointed toward Chinese state support, Carrillo answered, "I would say so." He declined to elaborate.
Mandiant was called in to investigate the attack on Google "early in the process," said Carrillo, who refused to get more specific. McAfee's Alperovitch said that time stamps in the malware's command-and-control log files indicated the attacks began in mid-December and ended Jan. 4, when the hackers' servers were shut down.
In the announcement Tuesday that its corporate network had been hacked and intellectual property stolen, Google said the attacks had been discovered in mid-December. Google also said the attacker tried to access the Gmail accounts of Chinese human rights activists, a move that -- along with increasing censorship of the Web by China's government -- has prompted it to reevaluate its business in the country.
Carrillo also provided additional information to the still-sketchy framework of the attack, saying that the exploit of a vulnerability in Microsoft's Internet Explorer was not the only vector used by the hackers. That seemed to back up Microsoft's assertion that the IE bug wasn't the sole cause of the break-ins.
And while the number of companies hit by the Chinese attacks have been reported as low as 20 to as high as 34, Carrillo said Mandiant's work indicated an even larger number may have been hit.
"Most of the time, companies find out [about such attacks] when they're contacted by third parties, like other companies or law enforcement," Carrillo said. "Until then, they're not aware they've been attacked. They don't have a clue."
But that's not a surprise in attacks like the ones that hit Google. "These [attackers] are very good at what they do," Carrillo said. "Without getting into details, their techniques allow them to masquerade as legitimate users, so traditional means of, for example, intrusion detection or antivirus security are for the most part ineffective."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to email@example.com or subscribe to Gregg's RSS feed .
Web giants attacked
- White House orders security review in wake of WikiLeaks disclosure
- Leaked U.S. document links China to Google attack
- Update: Researchers track cyber-espionage ring to China
- Google, China now playing cat and mouse?
- McAfee: 'Amateur' malware not used in Google attacks
- Military warns of 'increasingly active' cyber-threat from China
- China: Google 'totally wrong' to stop censoring
- Update: Google stops censoring in China
- Google's China ad partners wait in 'incomparable pain'
- Google may soon leave China, reports say
Read more about Security in Computerworld's Security Topic Center.
- Mission Critical: Managing Mobile Applications & Content Smartphones, tablets and other mobile devices have become embedded in enterprise processes, thanks to the consumerization of IT and a new generation of...
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Planning for Mobile Success Many organizations are seeing clear and quantifiable benefits from the deployment of mobile technologies that provide access to data and applications any time,...
- The Challenges and Opportunities of Mobile Application Development Nearly all business users now demand mobile devices--their own or company-owned--along with anywhere access to corporate applications and data. What turns mobile devices...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Knowledge Center White Papers | Webcasts