In a speech given yesterday at the Newseum in Washington, D.C., U.S. Secretary of State Hillary Clinton put pressure on the Chinese government to address the cyber attacks revealed recently by Google. For much of the speech, which focused largely on promoting Internet freedom, Clinton avoided mentioning China specifically. But her comments condemned Internet censorship and cyber attacks in no uncertain terms.
Clinton’s remarks paint the U.S. vision of the Internet in stark contrast to China’s. In her talk, Clinton stressed the benefits of enforcing the principles of freedom of expression, assembly, and universal access online. In contrast, China has a reputation for routinely blocking access to politically sensitive content and gathering information on dissidents via their Internet communications.
Clinton also addressed Google’s disclosure directly. “We look to the Chinese authorities to conduct a thorough review of the intrusions that led Google to make its announcement,” Clinton said.
Clinton sharply criticized Internet censorship and companies that cooperate with it. “Censorship should not be in any way accepted by any company from anywhere,” she said, warning that efforts to limit information flow create a less useful, fragmented Internet. In particular, she said that “unfettered access to search engine technology is so important in individual lives.”
She also called for more cooperation across jurisdictions when fighting Internet crime. “Countries or individuals that engage in cyber attacks should face consequences and international condemnation,” she said.
Although Google has not released details of the attacks it detected, security researchers have begun piecing information together. Though the search giant stopped short of blaming the Chinese government directly for the attacks, its decision to end cooperation with state censorship requests strongly implies that the company suspects government involvement.
Independent researchers have also begun gathering evidence that pinpoints the source of the attacks. Joe Stewart, director of malware research for the counter threat unit at an Atlanta-based security company called SecureWorks, went public this week with research suggesting a link between the malware used in the attack and research into algorithms posted on Chinese-language websites.
Stewart was analyzing the Hydraq Trojan, the malware believed to be responsible for accessing internal corporate networks at the companies that were attacked, when he found that the software used an unfamiliar algorithm to check for errors in stored or transferred data. Stewart investigated it and found that this particular implementation had only been described on Chinese-language sites, suggesting a link to hackers in mainland China.
Stewart notes that “reverse-engineering an executable binary is never conclusive,” but adds that the Trojan’s behavior also fits with that of other attacks that originated from China. However, he says he hasn’t noticed any features of the malware that suggest sophistication beyond other recent attacks.
After penetrating a system through some vulnerability, Stewart says, the Trojan installs itself on the system and tries to phone home to a control server. Once it’s connected, it can gather files and information about the network, and even take control of local systems.
Some researchers have suggested that the recent attacks were likely similar to “GhostNet,” a cyber-spying operation originating in China that was said to have targeted the Dalai Lama and other human-rights activists. For that series of attacks, hackers sent target users carefully crafted e-mails containing personal information in an attempt to convince them to click a malicious link or open an attachment loaded with malware.
Last week, the security company McAfee released news that a flaw in Microsoft’s Internet Explorer had opened the door to installing malware on some of the affected networks. Microsoft also issued a patch yesterday to close this flaw.
But some researchers have said that it remains unclear exactly how the company networks were attacked. Evgeny Morozov, a Yahoo! fellow at Georgetown University’s E.A. Walsh School of Foreign Service, says there is no entirely coherent explanation of events. The flaw in Internet Explorer alone would not have provided complete access, Morozov says. He notes that there were likely many other important features of the attacks, including how networks and files were configured. Some have even speculated that the attackers could have had help from workers within Google.
Amichai Shulman, CTO of Imperva, a data-security company based in Redwood Shores, CA, agrees that too much attention has been placed on the flaw in Internet Explorer. “Most botnets and malware don’t rely on a single vulnerability for infection,” he says. “They usually try to exploit two or three vulnerabilities at the same time.”
Even if Google pulls its operations out of China, it will still face Internet security threats, Morozov says. Revealing the cyber attacks may have given the company U.S. government support and a way out of a difficult censorship situation, he says, but “cyber attacks have become a daily nuisance that every company has to deal with. As long as Google offers important services like e-mail, it will still be a target.”