Google’s threat to withdraw its operation from China has shed more light on a remarkably sophisticated computerized espionage network originating from the country, experts say.
Last night Google announced that it would no longer participate in government censorship of the Chinese version of its site, Google.cn, and threatened to shut down its operations in China altogether. In a blog post, David Drummond, senior vice president of corporate development and chief legal officer at Google, wrote that the decision was taken in response to a series of Internet attacks against Google and other companies, as well as covert Internet surveillance of human-rights activists.
Though Google has not disclosed the exact nature of the attacks, Drummond wrote: “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.” He added that the company has gathered evidence that 20 other large Internet, finance, technology, media, and chemical companies were also attacked.
In Google’s case, the attackers tried to get into Gmail accounts belonging to Chinese human-rights activists, Drummond said. The company believes that the efforts were not successful, but that hackers have been targeting human-rights activists based in other parts of the world through a range of hacking techniques.
Amichai Shulman, CTO of Imperva, a data-security company based in Redwood Shores, CA, says Google probably called the attack “highly sophisticated” because the hackers got into the heart of its database and password list. “The intellect and resources required to pull off such a surgical attack are staggering considering the defenses Google has put in place to protect digital assets,” he says.
The hackers probably used “social engineering” techniques to breach Google’s defenses, suggests Nart Villeneuve, chief research officer for the Canadian company SecDev.cyber, and the director of operations for a censorship circumvention tool called Psiphon.
In March 2009 Villeneuve uncovered “GhostNet,” a cyber-spying operation originating in China that was said to have targeted the Dalai Lama and other human-rights activists. Though Villeneuve has no direct knowledge of the attacks discovered by Google, he says it’s likely that they match the methods he has been monitoring.
Villeneuve says the hackers he has studied start by sending users within a target network a carefully crafted e-mail full of personal information. This isn’t the same as a spam message, he says; instead it’s “someone crafting an attack.” The attacker attaches a PDF or Word document loaded with malware that compromises the user’s computer when it is opened. Users can protect themselves to some extent with antivirus software, but Villeneuve says that such programs identified only about six out of 41 of the infected documents he has checked. Once a PC has been infected, the attacker can command it remotely.