Google’s threat to withdraw its operation from China has shed more light on a remarkably sophisticated computerized espionage network originating from the country, experts say.
Last night Google announced that it would no longer participate in government censorship of the Chinese version of its site, Google.cn, and threatened to shut down its operations in China altogether. In a blog post, David Drummond, senior vice president of corporate development and chief legal officer at Google, wrote that the decision was taken in response to a series of Internet attacks against Google and other companies, as well as covert Internet surveillance of human-rights activists.
Though Google has not disclosed the exact nature of the attacks, Drummond wrote: “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.” He added that the company has gathered evidence that 20 other large Internet, finance, technology, media, and chemical companies were also attacked.
In Google’s case, the attackers tried to get into Gmail accounts belonging to Chinese human-rights activists, Drummond said. The company believes that the efforts were not successful, but that hackers have been targeting human-rights activists based in other parts of the world through a range of hacking techniques.
Amichai Shulman, CTO of Imperva, a data-security company based in Redwood Shores, CA, says Google probably called the attack “highly sophisticated” because the hackers got into the heart of its database and password list. “The intellect and resources required to pull off such a surgical attack are staggering considering the defenses Google has put in place to protect digital assets,” he says.
The hackers probably used “social engineering” techniques to breach Google’s defenses, suggests Nart Villeneuve, chief research officer for the Canadian company SecDev.cyber, and the director of operations for a censorship circumvention tool called Psiphon.
In March 2009 Villeneuve uncovered “GhostNet,” a cyber-spying operation originating in China that was said to have targeted the Dalai Lama and other human-rights activists. Though Villeneuve has no direct knowledge of the attacks discovered by Google, he says it’s likely that they match the methods he has been monitoring.
Villeneuve says the hackers he has studied start by sending users within a target network a carefully crafted e-mail full of personal information. This isn’t the same as a spam message, he says; instead it’s “someone crafting an attack.” The attacker attaches a PDF or Word document loaded with malware that compromises the user’s computer when it’s opened. Users can protect themselves to some extent with antivirus software, but Villeneuve says that such programs identified only about six out of the 41 infected documents he has checked. Once a PC has been infected, the attacker can command it remotely.
Once the attackers control one computer on a network, they branch out from there, probing other computers on the same network and raiding e-mail accounts to get more ammunition for social engineering attacks. “They’re basically tricking users into exploiting themselves,” Villeneuve says, adding that perimeter defenses are useless if attackers can trick humans into handing over information or infecting themselves.
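The two paragraphs above describe the pattern: a targeted e-mail from outside the organization, a document attachment that does the compromising, and a sender who is made to look like a colleague. The following is an added example, not code from the article or from any of the researchers it quotes, showing a minimal triage heuristic for exactly that pattern using only the Python standard library. The domains, the staff directory and the sample message are constructed for illustration; the attachment types flagged are the ones the article names plus their common Office variants.

```python
"""Added example (not from the article): triage an incoming message for the
spear-phishing pattern of an external sender carrying a document lure while
imitating an internal colleague. Domains, directory and sample are constructed."""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Document types used as lures in the attacks described; any of these from an
# external sender is worth a second look (assumption: extend to taste).
RISKY_EXTENSIONS = {".pdf", ".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm"}

# Constructed organization data: internal mail domains and a directory mapping
# lower-cased staff display names to their real mailboxes.
INTERNAL_DOMAINS = {"corp.example"}
DIRECTORY = {"alice chen": "alice.chen@corp.example"}

# Constructed sample: external sender whose display name imitates an internal
# colleague, with a PDF attachment and a pretext referencing a real meeting.
SAMPLE_EML = b"""From: "Alice Chen (Finance)" <alice.chen@example-mail.test>
To: bob@corp.example
Subject: Updated Q4 numbers you asked for
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Bob, here are the figures from yesterday's meeting.
--XX
Content-Type: application/pdf; name="Q4_figures.pdf"
Content-Disposition: attachment; filename="Q4_figures.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XX--
"""


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern EmailMessage policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def attachments(msg: EmailMessage) -> list[tuple[str, str]]:
    """Return (filename, content_type) for every attachment part of the message."""
    return [(part.get_filename() or "", part.get_content_type())
            for part in msg.iter_attachments()]


def triage(msg: EmailMessage,
           internal_domains: set[str] = INTERNAL_DOMAINS,
           directory: dict[str, str] = DIRECTORY) -> list[str]:
    """Return human-readable reasons the message looks like a targeted lure.

    An empty list means neither heuristic fired; this is a first-pass filter
    for an analyst queue, not a verdict.
    """
    reasons: list[str] = []
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    external = domain not in internal_domains

    # Heuristic 1: document lure from outside the organization.
    risky = [name for name, _ in attachments(msg)
             if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS]
    if external and risky:
        reasons.append(f"external sender {addr} sent document attachment(s): "
                       f"{', '.join(risky)}")

    # Heuristic 2: display name borrows an internal identity but the address
    # is not that person's mailbox (the "pretend to be a colleague" step).
    name_l = display.lower()
    for known, mailbox in directory.items():
        if known in name_l and addr != mailbox:
            reasons.append(f"display name {display!r} matches internal user "
                           f"{mailbox} but address is {addr}")
    return reasons


if __name__ == "__main__":
    for reason in triage(parse_message(SAMPLE_EML)):
        print("FLAG:", reason)
```

Both heuristics deliberately key on what the attacker controls least: the true envelope domain and the organization's own directory. A message that passes both checks can still be malicious, so in practice the output feeds attachment detonation or analyst review rather than an allow/deny decision.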
However, since many hacking groups operate using these tactics, Villeneuve says it can be devilishly hard to trace attacks back to their source. “We often don’t know [the exact details of attackers’] relationship with the Chinese government,” he says. Still, Villeneuve believes that the Chinese government would certainly stand to benefit from the activity.
Ross Anderson, a professor of security engineering at the University of Cambridge, agrees that “the sort of tricks” used against the Tibetan movement likely provide clues to the recent attacks against Google and other companies.
Shortly after Google made its announcement, Adobe posted an announcement of a “computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.” Adobe says it learned of the attack on January 2 but did not confirm that this attack was the same as the one that struck Google.
Google plans to negotiate with the Chinese government over the next few weeks to see if it is possible to run a standard version of its search engine in China. “These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the Web–have led us to conclude that we should review the feasibility of our business operations in China,” Drummond wrote.
No other major U.S. search engine has so far said it would change its operations in China. A Yahoo spokesperson said in a statement, “We stand aligned with Google that these kinds of attacks are deeply disturbing and strongly believe that the violation of user privacy is something that we as Internet pioneers must all oppose.” But the search engine was silent on the question of whether it would make any changes to its own policies. A Microsoft statement read, “We have no indication that any of our mail properties have been compromised.”