Computer attacks on companies happen all the time, but many of them are never publicized. Disclosing such incidents to the public can expose sensitive information and open avenues for future attacks.
In 2010 Google became the latest company to reveal publicly that it had faced a series of attacks originating from China. The attacks were directed at Gmail users who were human rights activists. According to Elinor Mills, the search engine company said it would stop censoring its Web results in China and might ultimately exit the market.
According to CNET, many details of these attacks, and of those facing other companies, are kept secret either for investigative purposes or to protect the company's public image. CNET attempted to dig deeper and obtained the following information:
Google first reported a highly sophisticated attack on its corporate networks in mid-December, leading to the theft of its intellectual property. The attack was sophisticated and targeted, affecting almost 20 other companies in the internet, finance, technology, multimedia and chemical sectors.
The attack on Google was directed at the Gmail accounts of Chinese human rights activists and led to the intrusion into, and access of, two accounts. According to Google, the contents of the emails were not exposed; only account information, such as the date the account was created, was exposed.
In a separate incident, Google disclosed that accounts belonging to human rights advocates in the U.S.A., China and Europe appear to have been routinely accessed by third parties. According to the company, this did not originate from a security breach at Google but is suspected to have been carried out through phishing scams or malware placed on the users' computers.
According to the researchers who investigated the attacks, they were traced back to China and shared the same characteristics as previous attacks linked to the Chinese government. The attacks used command and control servers in Taiwan that are associated with the Chinese government. iDefense claims that the IP addresses used to launch the attacks are known to be associated with groups that are either employed by the Chinese government or amateur hackers acting as proxies for it, and that had previously targeted U.S. companies.
The attackers used multiple exploits and multiple tailor-made Trojans for different targets. According to Microsoft, a new vulnerability in Internet Explorer was used to launch the attack. Unconfirmed reports claimed that malicious PDFs targeting a hole in Adobe Reader were suspected to be the entry point. Adobe Systems disputed the claim, insisting that there was no evidence to prove it.
This led to Adobe patching a so-called "zero-day hole" in Reader and Acrobat that had been discovered earlier, in mid-December. The hole had been exploited in attacks in the wild to deliver Trojan horse programs and allow backdoor access to computers.
InformationWeek Security described the Google attack of late 2009, dubbed Operation Aurora, as a counterespionage operation run by the Chinese government. Former government officials acknowledged that the attackers successfully accessed a database that flagged Gmail accounts marked for court-ordered wiretaps. It is believed that this information gave the attackers insight into active investigations headed by the FBI, including those involving undercover Chinese operatives.
A US government official is quoted in the Washington Post: "Knowing that you were subjects of an investigation allows them to take steps to destroy information, get people out of the country." However, he went on to caution that the attack could have been a subterfuge operation by Chinese intelligence, intended to fool the U.S. into believing deceptive information.
The attack was dubbed Operation Aurora by McAfee because it employed the Aurora (also known as Hydraq) Trojan horse application. According to Bruce Schneier, CTO of BT, the Google attackers exploited the wiretap backdoors mandated by the U.S. to gain access to the activists' accounts. Google had built a backdoor access system into Gmail accounts to satisfy those mandates, and this is the feature the Chinese attackers exploited to reach the activists' accounts.
Operation Aurora became the foundation of what is now known as the advanced persistent threat (APT) attack. Symantec reported in 2012 that the Aurora gang was still active, with a large budget and a seemingly unlimited supply of zero-day vulnerabilities. According to Symantec, "the vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent".
The Christian Science Monitor reported that cyber attacks traced to China hit US industries. This led to speculation that the attacks might have been sponsored by the Chinese government. Google announced that it was considering pulling out of the Chinese market, citing highly sophisticated and targeted attacks on its corporate infrastructure.
Apart from the compromise of dissident Gmail accounts and the free-speech concerns, the company complained of infringement and theft of its intellectual property. Sources cited by the Post suggested that Google's source code may have been the target. Google cited two similar reports stating that Chinese state-sponsored hackers were attacking U.S. industrial infrastructure systems in order to steal proprietary data that might boost that nation's domestic industries. A similar report by Canadian researchers documented a global cyber-espionage network that was harvesting data to aid Chinese authorities in their fight against dissidents.
Questions are emerging as to why Google could fall victim to such an attack, given all its cyber-resources and expertise in keeping cyberspies out of its source code. If such a company can become the victim of such a grievous attack with all its technical, financial and infrastructural might, what can we expect of other Fortune 500 companies?
Another disturbing trend stems from the allegation that the attacks on Google were state-sponsored. According to CSMonitor, China and Russia have become suspects in several key cyber attacks and are known to harbor large communities of hackers and computer security experts. According to Sami Saydjari, a former DOD employee who runs Defense Agency, a Wisconsin Rapids-based security company, these talent pools consist of potential recruits for professional cyber-warfare units that have a loose affiliation with the military and loose command and control. It is suspected that the hacker groups are encouraged by the government to go out and attack foreign entities.
The US-China Economic and Security Review Commission cited the sophisticated and highly orchestrated attacks on Google's corporate infrastructure as a hallmark of state-sponsored efforts. The scale, focus, magnitude and complexity of the overall campaign directed at U.S. firms strongly suggest that the operations were state-sponsored. However, the adamant denial by Chinese officials of any involvement in the attacks is unsatisfying. There is an irony between the Chinese government's statements that China advocates an open internet and that Chinese law prohibits any kind of cyber attack, and the revelation of state-sponsored attacks.
References
Clayton, M. (2010, January 13). China cyber attacks: Google only one of many US targets. The Christian Science Monitor.
Mills, E. (2010, January 13). Behind the China attacks on Google. CNET.
Mitnick, K. (2010, January 12). Google hacked, says it will stop censoring Chinese search results. Krebs on Security.
Schwartz, M. J. (2013, May 21). Google Aurora hack was Chinese counterespionage operation. InformationWeek Security.
statement, G. B. (2010, January 2). Google defends against large scale Chinese cyber attack. TechCrunch.