google s china affair 7892258
TRANSCRIPT
7/27/2019 Google s China Affair 7892258
http://slidepdf.com/reader/full/google-s-china-affair-7892258 1/28
Google’s China Affair
From the moment Google revealed the targeted attacks out of China on it and 20 other companies, fingers have been pointed and verbal volleys lobbed. While there’s no evidence that the Chinese government was behind these attacks, they’re nonetheless a contentious political issue. Our coverage takes a look at both the technical and political ramifications.
Analytics Alert
Analytics.InformationWeek.com
Jan. 29, 2010
Contents
2 Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property
6 Warning Signs Preceded Cyberattack
8 Flaws In The ‘Aurora’ Attacks
10 Is The U.S. Afraid To Admit That China Declared War On It?
12 China Defends Great Firewall
13 Google/China Reality Check Amid The Fog Of Cyberwar
16 New Details On Targeted Attacks On Google, Others Trickle Out
18 Direction Of Fallout?
19 China And Google: The Real Story?
20 Google Hack Code Released, Metasploit Exploit Now Available
22 Other Targets In Google Cyberattack Surface
23 Attackers Employed IE Zero-Day
26 More Victims Come Forward
2 Jan. 29, 2010 © 2010 InformationWeek, Reproduction Prohibited
Jan. 13, 2010
Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property
By Kelly Jackson Higgins, DarkReading
The wave of targeted attacks from China on Google, Adobe, and more than 20 other U.S.
companies, which has led the search giant to consider closing its doors in China and no
longer censor search results there, began with end users at the victim organizations getting
duped by convincing spear-phishing messages with poisoned attachments.
Google and Adobe both have revealed that they were hit by these attacks, which appear to
be aimed mainly at stealing intellectual property, including source code from the victim
companies, security experts say.
So far, the other victim companies have yet to come forward and say who they are, but
some could go public later this week. Microsoft, for one, appears to be in the clear: “We
have no indication that any of our mail properties have been compromised,” a Microsoft
spokesperson said in a statement.
Google, meanwhile, first discovered in mid-December that it had been hit by a targeted attack out of China that resulted in the theft of some of its intellectual property. The attackers’ primary goal was to access the Gmail accounts of Chinese human rights activists, according to Google: “Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,” said David Drummond, senior VP of corporate development and chief legal officer at Google, in a blog post. Google discovered that at least 20 other large companies from the Internet, finance, technology, media, and chemical industries also had been hit by the attack, he said.
Google has said that it would stop censoring Google.cn, its Chinese search service. That decision could lead to the shuttering of Google’s China operations, since the Chinese government has made censorship a condition of the company’s operation in the country.
iDefense says the attacks were primarily going after source code from many of the victim firms, and that the attackers were working on behalf of or in the employment of officials for the Chinese government. “Two independent, anonymous iDefense sources in the defense contracting and intelligence consulting community confirmed that both the source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof,” iDefense said in a summary it has issued on the attacks.
Eli Jellenc, head of international cyberintelligence for iDefense, which is working with some of
the victim companies, says on average the attacks had been under way for nearly a month at
those companies.
One source close to the investigation says this brand of targeted attack has actually been going on for about three years against U.S. companies and government agencies, involving some 10 different groups in China consisting of some 150,000 trained cyberattackers.
The attacks on Google, Adobe, and others started with spear-phishing email messages with infected attachments, some PDFs, and some Office documents that lured users within the victim companies, including Google, to open what appeared to be documents from people they knew. The documents then ran code that infected their machines, and the attackers got remote access to those organizations via the infected systems.
Interestingly, the attackers used different malware payloads among the victims. “This is a pretty
marked jump in sophistication,” iDefense’s Jellenc says. “That level of planning is unprecedented.”
Mikko Hypponen, chief research officer at F-Secure, says a PDF file emailed to key people in
the targeted companies started the attacks. “Once opened, the PDF exploited Adobe Reader
with a zero-day vulnerability, which was patched today, and dropped a back-door [Trojan] that
connected outbound from the infected machine back to the attackers,” Hypponen says. That
then gave the attackers full access to the infected machine as well as anywhere the user’s
machine went within his or her network, he says.
Other experts with knowledge of the attacks say it wasn’t just PDFs, but Excel spreadsheets and other types of files employed as malicious attachments. The malware used in the attacks was custom-developed, they say, based on zero-day flaws, and investigators were able to match any “fingerprints” in the various versions of malware used in the attacks and determine that they were related.
The attackers didn’t cast a wide spam net to get their victims like a typical botnet or spam campaign. Sources with knowledge of the attacks say the attackers instead started out with “good intelligence” that helped them gather the appropriate names and email addresses they used in the email attacks. “The state sponsorship may not be financial, but it is backed with intelligence,” says one source. “What we’re seeing is a blending of intelligence work plus malicious cyberattacks.”
iDefense’s Jellenc says the attackers were able to successfully steal valuable intellectual property
from several of the victim companies.
The attack revelations came on the heels of a major Adobe patch release yesterday. According to Adobe, it first learned of the attacks on Jan. 2. “At this time, we have no evidence to indicate that any sensitive information -- including customer, financial, employee, or any other sensitive data -- has been compromised. We anticipate the full investigation will take quite some time to complete,” said an Adobe blog posting late yesterday. “We have and will continue to use information gained from this attack to make infrastructure improvements to enhance security for Adobe, our customers, and our partners.”
Richard Stiennon, chief research analyst for IT-Harvest, says the attacks sync with the typical modus operandi of Chinese espionage attacks that have been going on since 2001. “This is the same methodologies the GhostNet team used to infiltrate the Dali Lama’s networks,” Stiennon says. In that case, the servers were based in South Korea, and the attackers were traced to China, he says.
“Based on Google’s post, they traced back the attack to the control server and from there, found
that other companies had been infected,” Stiennon says. What’s unclear is just how Google got
into that control server, however, he notes.
So how did the attackers gather their initial intelligence for the spear-phishing attacks? One theory is they merely did their own research via the public Web, which can be employed by anyone doing reconnaissance. Another theory is they could have had access to, or compromised, a high-level router that handles traffic to and from Google in China. “China owns the routers on which all traffic goes from outside to and from Google [there],” says one source. “They literally own those routers.”
James Mulvenon, director of the Defense Group Inc.’s Center for Intelligence Research and
Analysis and a specialist on China, says some reports indicate that the attacks may have been a
combination of an inside job as well as outside hackers breaking into the companies.
Researchers at iDefense said the code used in attacks is different from that of the malware used in the attacks last July that targeted 100 IT companies, but the two have similar command-and-control (C&C) servers. Both C&C servers use the HomeLinux Dynamic DNS service and point to IP addresses owned by a U.S.-based server hosting vendor Linode, according to a research note issued by iDefense.
“The IP addresses in question are within the same subnet, and they are six IP addresses apart
from each other. Considering this proximity, it is possible that the two attacks are one and the
same, and that the organizations targeted in the Silicon Valley attacks have been compromised
since July,” iDefense said.
iDefense says the attack on Google, Adobe, and other companies dropped a backdoor Trojan in
the form of a Windows DLL.
Meanwhile, the attacks have brought together industry and the U.S. federal government.
Secretary of State Hillary Rodham Clinton said in a statement that she had been briefed by Google about the attacks. “We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation,” Clinton said. “The ability to operate with confidence in cyberspace is critical in a modern society and economy. I will be giving an address next week on the centrality of Internet freedom in the 21st century, and we will have further comment on this matter as the facts become clear.”
But getting to the actual people behind the attack is another story. By using a C&C architecture
akin to how botnets work, the attackers have insulated themselves.
The key to breaking that cycle is cutting off the C&C server: Gunter Ollmann, vice president of
research at Damballa, says the best way to stop this type of threat is to detect and break the
“tether of control” in the C&C channel.
“By blocking those CnC channels, the bad guys can’t remotely control your enterprise systems, and they can’t extract the secret data they want,” Ollmann blogged today. But the closest you can realistically get to the people behind the attacks is probably their country location, he said.
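Two observations in this article lend themselves to a concrete defender-side check: iDefense’s note that the two C&C servers sat on a dynamic DNS service and only six IP addresses apart in the same subnet, and Ollmann’s point that the practical countermeasure is to find and cut the “tether of control.” The script below is an added example written for this compilation; it is not code from the articles, from iDefense, from Damballa, or from any of the victim companies. It parses constructed outbound-connection log lines (timestamp, workstation, destination name, destination IP; none of these are real indicators), flags connections to names under dynamic-DNS suffixes (the `homelinux` entries come from the article, the others are an illustrative assumption), groups the flagged destination IPs by /24 subnet, and looks for evenly spaced beaconing from one workstation to one name. The log format, host names, and interval tolerance are all assumptions made for the example.

```python
"""Added example: dynamic-DNS C&C spotting, subnet clustering and beacon
detection over constructed proxy log lines. Not code from the articles."""

import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumption: dynamic-DNS suffixes to watch. The article mentions the
# HomeLinux service; the remaining entries are illustrative, not from the page.
DYNAMIC_DNS_SUFFIXES = ("homelinux.org", "homelinux.net", "homelinux.com",
                        "dyndns.org", "no-ip.org")

# Constructed log lines: timestamp, source workstation, destination name, destination IP.
# Addresses are documentation ranges (RFC 5737); nothing here is a real indicator.
SAMPLE_LOG = """\
2010-01-05T09:12:01 ws-0412 updates.example-vendor.test 198.51.100.7
2010-01-05T09:12:44 ws-0412 sync-a.homelinux.org 203.0.113.10
2010-01-05T09:27:45 ws-0412 sync-a.homelinux.org 203.0.113.10
2010-01-05T09:42:46 ws-0412 sync-a.homelinux.org 203.0.113.10
2010-01-05T10:03:12 ws-0977 mail.example-corp.test 192.0.2.25
2010-01-05T10:11:30 ws-0977 sync-b.homelinux.org 203.0.113.16
"""


def parse_log(text):
    """Split whitespace-separated log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, name, ip = line.split()
        records.append({"ts": ts, "src": src, "name": name, "ip": ip})
    return records


def is_dynamic_dns(name):
    """True if the name is, or sits under, one of the watched dynamic-DNS suffixes."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def flag_dynamic_dns(records):
    """Return unique (workstation, destination name, destination IP) triples
    for connections whose destination name is a dynamic-DNS host."""
    seen, hits = set(), []
    for r in records:
        if is_dynamic_dns(r["name"]):
            key = (r["src"], r["name"], r["ip"])
            if key not in seen:
                seen.add(key)
                hits.append(key)
    return hits


def cluster_by_subnet(ips, prefix=24):
    """Group addresses into /prefix networks so that C&C hosts that are only a
    few addresses apart surface together. Returns {network: sorted IP strings}."""
    groups = defaultdict(list)
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        groups[str(net)].append(addr)
    return {net: [str(a) for a in sorted(addrs)] for net, addrs in groups.items()}


def address_distance(ip_a, ip_b):
    """Numeric distance between two addresses (the 'six IP addresses apart' figure)."""
    return abs(int(ipaddress.ip_address(ip_a)) - int(ipaddress.ip_address(ip_b)))


def beacon_candidates(records, tolerance=60):
    """Return (workstation, name, mean gap in seconds) for pairs with at least
    three connections whose gaps all fall within `tolerance` seconds of each
    other, i.e. the regular check-in pattern of a remotely controlled host."""
    times = defaultdict(list)
    for r in records:
        times[(r["src"], r["name"])].append(datetime.fromisoformat(r["ts"]))
    out = []
    for (src, name), ts in times.items():
        if len(ts) < 3:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            out.append((src, name, round(sum(gaps) / len(gaps))))
    return out


def analyse(text):
    """Run all three checks over a log excerpt and return the findings."""
    records = parse_log(text)
    hits = flag_dynamic_dns(records)
    cnc_ips = sorted({ip for _, _, ip in hits})
    return {"hits": hits,
            "clusters": cluster_by_subnet(cnc_ips),
            "beacons": beacon_candidates(records)}


if __name__ == "__main__":
    for section, value in analyse(SAMPLE_LOG).items():
        print(section, value)
```

On the constructed log, the two dynamic-DNS destinations land in the same /24 and are six addresses apart, and the fifteen-minute cadence from `ws-0412` is reported as a beacon; in practice the flagged names and subnets would feed a proxy or DNS block list, which is the blocking Ollmann describes.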
Meanwhile, security experts say the latest attacks are all about industrial espionage -- and everyone is at risk. “Whether or not it’s an ad-hoc effort or coordinated by the government, China is looking for anything it can get. As they get more sophisticated, they are very interested in source code and ways to find new vulnerabilities in software companies’ products,” IT-Harvest’s Stiennon says.
“My message to everybody is you are all under attack.”
Robert Graham, CEO of Errata Security, says he doubts the Chinese government is directing the attacks themselves. “The way repressive governments work is by encouraging nationalistic groups, which do the dirty work for them,” Graham says. “This is an asymmetric fight. Google’s response is creative: They are forcing the government to take responsibility for its policies. Instead of the self-censorship Google has been doing, it’s forcing them to show their hand by cracking down for real on an uncensored Google results.”
The attacks demonstrate a shift, with the Chinese now brazenly going after U.S. industry interests. “They’ve gone from attacking the military and defense [such that] it benefited their state in national security to striking at the heart of the American technology economy,” Defense Group Inc.’s Mulvenon says.
Jan. 26, 2010
Warning Signs Preceded Cyberattack On Google
By John Foley, InformationWeek
The news of a cyberattack from within China on Google and other companies has prompted a range of reactions, including Google’s decision to reassess its operations there and a rebuke from U.S. Secretary of State Hillary Clinton. But no one should be surprised by what happened. Two months earlier, a U.S. government report warned that the private sector was susceptible to this very risk.
That report, titled “Report on the Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation,” should be required reading for all businesses and government agencies. It warns that a “reactive defense model” -- one practiced by many IT departments -- isn’t enough to ward off what’s described as a “long term, sophisticated computer network exploitation campaign” by the Chinese military.
The 88-page opus, published in October, was prepared by Northrup Grumman’s Information Systems Sector for the U.S.-China Economic and Security Review Commission, which was created 10 years ago to monitor the national security implications of trade and economic ties between the U.S. and China.
At the time the report was issued, InformationWeek ran a story with the following headline,
“Evidence Points To China In Cyber Attacks.” To repeat, that was two months before Google
experienced its own targeted attack, which was revealed by Google’s chief legal officer David
Drummond in a Jan. 12 blog post.
In fact, since Drummond first published that, Google has gone back and provided a link to the
Northrup Grumman report. You can download it here.
The report provides a detailed overview of China’s cyberwarfare and cyberespionage strategy, a
case study in advanced cyberintrusion, a timeline of “Chinese related” cyberevents over the past
10 years, and a chronology of network exploitations against U.S. and foreign interests that were
allegedly undertaken by the Chinese government or its cohorts.
Notably, the report includes examples of socially engineered e-mail and zero-day exploits as among China’s methods, both of which may have come into play in the December cyberattacks on U.S. companies. In its report, Northrup Grumman writes that, while conclusive evidence is hard to come by, it has reason to believe that Chinese security services have teamed with “elite individual hackers” in some cases.
The report’s authors acknowledge that details are fuzzy and hard to prove, and the Chinese
government has denied involvement in the attack on Google. Even so, new reports point to
China as a suspected source of cyberattacks on U.S. oil companies back in 2008.
There’s also this sobering assessment from Northrup Grumman: “The skill sets needed to penetrate a network for intelligence gathering purposes in peace time are the same skills necessary to penetrate that network for offensive action during war time.” As I said, the report should be required reading for senior management and IT pros in business and government alike.
Jan. 25, 2010
Flaws In The ‘Aurora’ Attack
By Kelly Jackson Higgins, DarkReading
The attackers who unleashed the recent wave of targeted attacks against Google, Adobe, and
other companies, made off with valuable intellectual property and source code, and shocked
the private sector into the reality of the potential threat of state-sponsored cyberespionage.
They also made a few missteps along the way that might have prevented far worse damage.
Security experts say while the attacks indeed were potent in their outcome, they were discovered relatively quickly by Google, and the malware used to attack Google, Adobe, and other as-yet unnamed companies wasn’t especially sophisticated nor unique other than the fact that it was a zero-day exploit. The attacks -- which Google says came out of China -- had been under way for, on average, nearly a month, and Google found them out in mid-December.
Chinese officials yesterday told the state-run Xinhua news agency that the government was not
involved in the attacks.
Microsoft last week issued an emergency patch intended to protect Internet Explorer from the now infamous IE exploit code that was used to infect the front-line victims of the attacks at Google, Adobe, and some of the other targeted firms. Now that the exploit has seen the light of day and has been duplicated in other in-the-wild attacks since, researchers have reverse-engineered it for clues about the attackers and their intentions.
Joe Stewart, director of malware research for Secureworks and the person who discovered some Chinese-language ties to the code, says the so-called “Aurora” code has similar characteristics with other malware. “It’s not incredibly sophisticated,” Stewart says. “They do put in encryption ... and wrote an actual protocol to send binary [commands]. But that’s something we’ve seen before in a lot of malware. Still, it’s not something amateurs would do.”
The attack vector -- using a social engineering phishing message to lure the victims -- wasn’t
anything new, either. What impressed security researchers who’ve studied the code was the
outcome of the attacks, not the malware.
“The sophistication of the Aurora attacks is less about the malware and zero-day used, and
more about the coordinated effort to target and pilfer from an estimated 33 companies in a
short period of time,” says Marc Maiffret, chief security architect for FireEye. “The exploit is
subpar on many levels as it relates to weaponized exploits, and the malware is also of less
sophistication than we have seen with even standard botnet. The fact is, these attacks show
what is commonplace and already happening every day to businesses relying on legacy AV and
IPS technologies.”
How the attackers gathered intelligence on the victim companies is still unclear, but sources
with knowledge of the events say the attackers gathered the appropriate names and email
addresses thanks to “good intelligence” that they were able to use. “The state sponsorship may
not be financial, but it is backed with intelligence,” one source said in an earlier interview.
“What we’re seeing is a blending of intelligence work plus malicious cyberattacks.”
One theory is that they merely did their own research via the public Web, which can be
employed by anyone doing reconnaissance. Another theory is they could have had access to, or
compromised, a high-level router that handles traffic to and from Google in China, according
to the source.
Maiffret and other security experts say what’s most striking is how the attackers were able to hit so many companies at once, and that it appears they were successful in stealing what they were after. “That was definitely sophisticated in itself,” Maiffret says.
But there was a downside of waging these attacks en masse -- it was also fairly conspicuous.
Google has said publicly that at least 20 companies from a range of industries, including
Internet, finance, technology, media, and chemical, were among the casualties, but security
sources say it could be up to around 30.
“What was uncommon here was that they hit all of these companies at once. Frankly, that was not particularly clever. That upped their rate of being caught,” says Al Huger, vice president of engineering at Immunet. “That’s a hallmark of somebody not really knowing what they were doing.”
Huger says that doesn’t necessarily mean the attacks were not state-sponsored, however. “But
whoever did it made some egregious mistakes,” he says.
Another big misstep was that the attackers apparently sent the stolen data back to one server location, he says. “All it took was Google to track that server, and it could tell who else was compromised” as well, he says. “That’s pretty bush league.”
Even so, these shortcuts may have been irrelevant to the attackers if they were satisfied with
the intellectual property they did score, experts say.
And while the focus thus far publicly has been on the infected client machines, the details are
still emerging on how exactly the attackers got the intellectual property from the victims -- and
Google and Adobe aren’t talking about that publicly. Several scenarios are possible, including
the attackers grabbing the infected machine’s user credentials, and from there diving deeper
into Google and the others, or the attackers used additional exploits to tunnel their way inside,
or a combination of the two approaches.
Still, many of the details of the attack may never come to light. Google hasn’t elaborated on its initial revelation about the attacks, and since it appears the attackers were mostly after intellectual property, if the other 20- to 30-something companies didn’t have customer data exposed in the attacks, they won’t necessarily have to step into the spotlight and admit they were attacked, experts say.
Meanwhile, researchers said that they’ve spotted the IE Aurora exploit code running on at least one Chinese government Website, adding fuel to speculation about Chinese government backing of the attacks on Google, Adobe, and the other companies. And experts say this is yet another indication that Chinese users may be even more vulnerable to this particular exploit now that it’s in the wild than users in the U.S. are.
“The question is, is it CN Government sponsored for the purposes of potentially spying on its
citizens, or have gov.cn Websites been infiltrated by hackers?” blogged Zscaler researchers.
Jan. 22, 2010
Is The U.S. Afraid To Admit That China Declared War On It?
By David Berlind, InformationWeek
Had the Chinese shot intercontinental ballistic missiles into 33 U.S.-based businesses including those in the finance and defense industries as well as the Mountain View-based headquarters of Google, there would be no question in anyone’s mind as to whether war had been declared on the U.S. Is there any difference now that a Chinese government-backed organization has cyberattacked 33 U.S. businesses? Let’s be honest with ourselves. It was an act of war and it deserves more of a response from the U.S. government than it is getting.
Let’s review the major events so far. First, a Chinese government-backed organization exploits a
zero-day vulnerability in Internet Explorer to cyberattack 33 U.S.-based companies. One of
those companies—Google—responds with a decision to flip a censorship switch (one that it
installed in order to run its business in China) to the off position. China responds that it will
not tolerate the breaking of its censorship laws.
On behalf of the U.S. government, Secretary of State Hillary Clinton gives an Internet freedom speech reminding the world that everyone on the planet has certain unalienable rights to communication and information. The Chinese respond by putting the U.S. on notice that Clinton’s speech was not only untruthful with regards to the facts, but that it threatened ongoing U.S.-China relations.
Excuse me?
The Chinese government authorizes a cyberattack against U.S. interests (at least that’s what the intelligence is saying) and now, it’s lecturing us on how a speech could damage U.S.-China relations?
Let’s get a couple of things straight. If the attacks were indeed backed by the Chinese government, then what China did was an act of war against the U.S. I don’t see how it can be viewed any other way. The attacks didn’t involve bombs, bullets, blood, or death. But this is what war in the 21st century is going to be like. As such, it shouldn’t be China that’s putting the U.S. on notice. It should be the other way around.
(Note: This isn’t the first time we’ve seen evidence of cyberattacks sanctioned by the Chinese government. See “Evidence Points To China In Cyber Attacks” at informationweek.com/china. The story predates the Google/China incident by more than months.)
I watched Clinton’s speech and thought very highly of it. Although I wondered if it was really the
people who prepared the speech for her, I felt as though she demonstrated a command of the
Internet, software development, and the innovation that the IT industry is known for in ways that
I’ve never seen a politician at her level demonstrate. And I liked her message about the freedoms
that all people should have and how the Internet stands for connection, not division.
But the more I think about her speech, the more I feel like the tide has turned and that, in its
response so far, the U.S. is acknowledging that China is the world’s new superpower. Clinton’s
speech may have asked the Chinese for a thorough review of the cyberattacks, but it didn’t put
China on warning. Instead, she basically asked American businesses and media outfits to take on
that role (which, in essence, is what Google is doing). Yes, the U.S. government will pitch in. She
talked about how the U.S. government is backing the development of technologies that help those
who might be censored (dissidents, human rights activists, etc.) to circumvent those controls.
But, in an act of wimpy eggshell walking, the U.S. government has not responded as though
this were an act of war. No warnings. No stiff words from President Obama to Chinese Prime
Minister Wen Jiabao (at least none that we know of). No counter-declarations of war.
Instead, it’s China warning the U.S.
How can someone looking from the outside in not conclude that the tipping point has officially arrived? The U.S. needs China more than China needs the U.S. We need China to support our growing national debt (or otherwise put, our indebtedness to wealthy Chinese households). We need the Chinese to manufacture so much of what we consume. American companies are depending on the growth of the Chinese economy for their own growth because there’s nothing domestically to depend on for that. We need China to keep North Korea from blowing the planet up.
The last thing the U.S. needed was China declaring war on it, which in my opinion, is what it has done. The U.S. government is just too chicken to admit it. Why? Because its inability to respond in kind speaks to a new balance of world power that’s simply too frightening for the American people to consider.
Jan. 22, 2010
China Defends Great Firewall
By Paul McDougall, InformationWeek
Chinese officials took a swing at U.S. allegations that the People’s Republic launched or
sanctioned organized cyberattacks against foreign business and political rivals. Chinese
Foreign Ministry spokesman Ma Zhaoxu called remarks by U.S. Secretary of State Hillary
Clinton “harmful to Sino-American relations.”
Clinton called on the Chinese to conduct a “thorough investigation of the cyberintrusions”
that hit Google and other Western companies in recent weeks that are believed to have
emanated from China.
“We also look for that investigation and its results to be transparent,” Clinton said, during a
speech in which Clinton called on world governments to establish policies toward a more open
Internet.
But Zhaoxu said Clinton’s singling out of China was inappropriate and misguided, and constituted an inappropriate meddling in Chinese affairs. “The Chinese Internet is open,” Zhaoxu said in a statement posted on the Foreign Ministry’s Web site.
The tit-for-tat between senior American and Chinese diplomats is the latest salvo in a growing
conflict between the two countries over Internet freedoms.
China routinely blocks content that it deems subversive to the Communist regime and has
hacked e-mail accounts of dissidents and even foreign visitors and journalists.
U.S. officials, for their part, have urged China to scale back its Internet censorship while American tech vendors, including Google, have sought to use their economic clout to persuade China to respect international norms concerning privacy and the protection of intellectual property.
Jan. 21, 2010
Google/China Reality Check Amid The Fog Of Cyberwar
By Gadi Evron, DarkReading
There’s no clear evidence against China so we all need to step back and take a deep breath
We’ve all heard about the Chinese attacks against Google by now. We’ve heard of Google’s moral
standing, how corporations now impact international relations, and how censorship is bad and
freedom is good. However, some important questions lost in the fog of war need to be asked.
Nobody knows for sure it was China that attacked Google and the other affected corporations,
and if someone does, he or she is not saying so publicly. In fact, Google CEO Eric Schmidt told
Newsweek that he has no clear evidence, but invites us to draw our own conclusions.
The evidence against China would be thrown out of any court of law, and just because we have
grown comfortable in blaming China of attacks does not mean they are behind them.
The Chinese network is a hotbed of criminal activity used by criminals around the world to
launch Internet attacks, which reduces the possibility of blaming any single attack coming from
it as state-sponsored. However, it also raises the question of why such activity has been allowed
to go on for so long.
Many networks around the world, including some inside the U.S., are just as abused by
criminals. These have been shown to be used against nation-states in past attacks, such as
with Estonia -- which I had the honor of writing the post-mortem analysis for -- and in
Georgia last year.
Looking at the current incident, Google is a trustworthy and capable corporation. However,
when making accusations one needs to provide proof. And “it feels like China” isn’t good
enough.
In the fog of war, with world news discussing the diplomatic implications for the U.S., Google’s
business and China’s censorship, and applauding Google’s moral stance, some important questions
are left unanswered.
For some time now, cybercriminals have been winning the “war.” Security professionals can
write analyses of attacks, as well as mitigate specific attacks. But in nearly all instances we
haven’t been able to impact criminal operations. For some years, one of my beliefs has been
that we should take the offensive in the fight against cybercrime.
For reasons ranging from the criminals’ willingness to play a scorched-earth game to legal and
ethical limitations, we must be careful not to start a war the Internet can’t win. This means we
can’t use the criminals’ weapons against them.
While reporting is vague, Google has supposedly broken into a server in Taiwan (unless infor-
mation of working through Taiwanese authorities, or that someone else has done this for
Google, becomes available). If this happened, then Google broke the law in order to defend
itself from criminal activity. This should be legal, but it isn’t. Google needs to disclose exactly
what it has done. Ethics change, and morally I believe it is in the right. Our ethics just need to
catch up.
Another question many of us should ask is about Microsoft and the Internet Explorer Web
browser. It has been disclosed that a previously unknown software vulnerability (0day) in
Internet Explorer was what attackers used. Exploit code enabling any criminal to make use of
the vulnerability has been made public, and in the past such events were followed by
further exploitation. But Microsoft initially planned to patch this vulnerability in February.
Only when Germany and France issued warnings to users to not use Internet Explorer, and
ZERT considered releasing a third-party patch, did Microsoft say it would release an early patch.
While creating software updates is very complicated, and Microsoft is usually a responsible
organization, not patching this type of vulnerability for a whole month as the default response
is irresponsible and unethical. We should all call on Microsoft to act responsibly, and write our
representatives and the press about it.
Microsoft should be commended for issuing an early patch; after all, it was far from easy.
However, until such time as Microsoft announces a new policy on patching software vulnera-
bilities, it’s in my opinion unsafe to continue using Internet Explorer for surfing the Web, so
switch to one of the many alternatives, such as Mozilla’s Firefox browser.
This targeted attack, while impressive, is no new threat. Security risk assessment should
already include corporate espionage. An example of a targeted attack is the GhostNet incident,
exposed last year by Canadian researchers, demonstrating in detail how such attacks work. As
another, the public disclosure of German intelligence cyberespionage operations showed that,
indeed, everyone does it.
I call upon my fellow security professionals worldwide to refrain from creating fear when
speaking of this incident. Computers are just the most recent weapon to be used for old
motives -- espionage. Unlike cybercrime and cyberwar, it is well-recognized in law and in diplomacy, and it is not the security experts who should be called on for answers.
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.
Jan. 21, 2010
New Details On Targeted Attacks On Google Trickle Out
By Kelly Jackson Higgins, DarkReading
New details about the targeted attacks against Google and other U.S. companies that resulted
in the theft of source code and other intellectual property emerged today, while Microsoft
released an emergency patch for a flaw in Internet Explorer that was exploited in those attacks.
Chenxi Wang, principal analyst for security and risk management at Forrester Research, says
Google last week instituted an emergency update to its corporate VPN, raising questions about
whether the network was in some way compromised in the attacks. But, she says, Google dis-
puted her initial analysis that the attackers gained access to Google’s server via its corporate
VPN.
“This is the first we’ve heard about the VPN involvement at Google. I’m not sure this definitely
qualifies as a VPN breach because we don’t know what the attacker did to the VPN system --
it’s possible that the attacker used the user credentials to log in through the VPN without doing
anything illegal to the VPN. Or it is possible that the attacker did attack the VPN system. But
Google won’t say one way or another,” Wang says.
A Google spokesperson declined to comment on Wang’s findings.
What has been made public about the attack on Google and others is that the attackers
used social engineering: phishing emails carrying links to malicious Web pages. Those pages
held an exploit for Internet Explorer that dropped a Trojan onto the victim’s machine and
gave the attacker control of it. The exploit abuses a zero-day vulnerability present in all
versions of Internet Explorer, but the attacks seen in the wild so far, including those launched
since the exploit code was released publicly, have mostly targeted IE 6 machines.
A malware researcher, meanwhile, has traced the code used in the exploit to Chinese-language
authors. While reverse-engineering a sample of the malware used in the attacks, Joe Stewart, direc-
tor of malware research at Secureworks, discovered some modules in the code have timestamps
dating back to May 2006, so the so-called Aurora malware -- a.k.a. the Hydraq Trojan -- was in the
works for some time, he says. He says he also found evidence that the code has Chinese origins: It
uses a unique implementation of the cyclic redundancy check (CRC) algorithm that is associated
with Chinese-language Websites.
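Stewart’s point is that an implementation quirk, rather than a string or an address, is what tied the code to its authors. As an added illustration, not code from this page, from Stewart or from the Hydraq sample, here is a nibble-driven (16-entry table) CRC-16 beside a routine that searches a binary for that table’s packed bytes; the CCITT polynomial 0x1021, the table layout, the byte orders tried and the sample blob are all assumptions for the example, and the actual table used in the Aurora malware is not reproduced on this page.

```python
import struct

# Assumed polynomial (CRC-16/CCITT). The page does not give the exact
# table the Hydraq code used; this shows the fingerprinting technique only.
POLY = 0x1021


def build_nibble_table(poly: int = POLY) -> list:
    """Build the 16-entry table of a nibble-at-a-time CRC-16.

    Entry n is the remainder left after feeding the 4-bit value n through
    the shift register, so the main loop can consume a byte in two steps
    with a table only 32 bytes long (the hallmark of this implementation).
    """
    table = []
    for nibble in range(16):
        crc = nibble << 12
        for _ in range(4):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
        table.append(crc)
    return table


NIBBLE_TABLE = build_nibble_table()


def crc16_nibble(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16 over data, high nibble then low nibble of each byte."""
    crc = init
    for b in data:
        crc = ((crc << 4) & 0xFFFF) ^ NIBBLE_TABLE[((crc >> 12) ^ (b >> 4)) & 0xF]
        crc = ((crc << 4) & 0xFFFF) ^ NIBBLE_TABLE[((crc >> 12) ^ (b & 0xF)) & 0xF]
    return crc


def packed_table(table: list, endian: str = "<") -> bytes:
    """The table as it would sit in a binary's data section (16 x uint16)."""
    return struct.pack(endian + "16H", *table)


def find_table(blob: bytes, table: list = NIBBLE_TABLE) -> list:
    """Offsets (and byte order) at which the packed table occurs in blob.

    A match is a code-reuse fingerprint: the same 32-byte constant block
    turning up in two unrelated binaries suggests shared source, which is
    the kind of evidence Stewart describes.
    """
    hits = []
    for endian in ("<", ">"):
        sig = packed_table(table, endian)
        pos = blob.find(sig)
        while pos >= 0:
            hits.append((pos, endian))
            pos = blob.find(sig, pos + 1)
    return hits


# Constructed stand-in for a binary: padding, the packed table, more padding.
SAMPLE_BLOB = b"\x90" * 40 + packed_table(NIBBLE_TABLE) + b"\xcc" * 24


if __name__ == "__main__":
    print(hex(crc16_nibble(b"123456789")))   # 0x29b1, the CRC-16/CCITT-FALSE check value
    print(find_table(SAMPLE_BLOB))           # [(40, '<')]
```

The same search run with a table generated from a different polynomial, or with a different entry order, finds nothing, which is why a non-standard table is a useful signature: ordinary CRC code uses a 256-entry byte table, and a 16-entry one copied from the same source tends to travel with its authors.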
Most of the details that have emerged about how the attackers gained access to Google’s net-
work and intellectual property have focused mainly on the IE exploit, but security experts say
several other exploits were involved in the widespread targeted attacks.
Forrester’s Wang, meanwhile, says she believes the “emergency update” to Google’s VPN infra-
structure was somehow a result of the attack. Wang first raised the possibility that Google’s
VPN was used to access its server in the attack in a blog post today -- which she has since
updated twice after Google first confirmed and then disputed it.
Whether the VPN update was a precautionary measure by Google or purely coincidental is
unclear as well.
Still baffling to experts is why a Google user or users would be running the older and less
secure version 6 of Microsoft’s browser. Security experts have suggested that either some non-
technical Google employees just hadn’t bothered to upgrade their browsers, or that the attack
could have targeted a Google employee working from his home machine running IE 6.
Wang says Google told her it was possible someone was running IE 6 internally for “testing
purposes.” That didn’t add up for Wang, however: “I can buy that you might be running an
older version of a browser for testing purposes (for backward compatibility), but why wasn’t
the testing environment isolated from production and from access to critical assets? Isn’t that
one of the first things you do in setting up a test environment?” she wrote in her blog post.
Whatever the reason for the old IE 6 browser, Wang says Google’s breach should serve as a
cautionary tale for other enterprises. “IT should make sure everyone is running the latest
browsers with the latest patches and latest OS -- everything -- and [a] test environment should
be entirely separate from the production environment,” she says.
Al Huger, vice president of engineering at Immunet, says the attack on Google raises legitimate
worries for other companies. “People I’ve spoken to say if Google, with arguably the brightest
security guys in the industry, can get broken into in the heartland of Silicon Valley and have
source code stolen, how secure is anybody else?”
Jan. 20, 2010
Direction Of Fallout?
By Thomas Claburn, InformationWeek
Google’s decision to challenge China’s censorship policy is seen by a number of China experts
as a no-win situation.
As Miguel Helft puts it in a recent New York Times article, “The company’s public repudiation
of censorship in China has put the authorities there in a position where a forceful rebuke of
Google may be all but inevitable.”
The impact on Google’s other business interests in China is already evident: Google delayed the
launch of two Android phones by China Unicom until its prospects in the country become
clearer.
But Columbia Law School professor Tim Wu argues that Google’s rejection of censorship may
harm China more than Google in the long run.
In a recent panel discussion about the Google-China conflict at the New America Foundation, Wu said that blocking Google could jeopardize China’s standing in the World Trade
Organization and hinder the development of China’s information sector.
Wu hedged his comments by observing that “we are seeing the world moving away from the
global Internet to a series of national networks.”
That’s always a possibility, but turning inward hasn’t served China well in the past.
The question now before Washington, and hopefully one that Secretary of State Hillary Clinton
will address in her speech about Internet freedom, is the extent to which we will link physical
trade with electronic trade.
If China won’t open its market to information, Western democracies ought to respond in kind
by closing their markets to Chinese goods.
But fair and open trade would be a better option for everyone.
Jan. 16, 2010
China And Google: The Real Story?
By Dave Methvin, InformationWeek
The recent announcement by Google that the company is likely to pull out of China due to a
recent hacking incident was quite a shocker. Google didn’t announce it was definitely leaving
but that it would only stay if it could offer a service uncensored by the Chinese government.
That sounds like a swan song to me.
I applaud Google for having the guts both to talk about the hacking incident and to declare
that the company won’t compromise its principles any longer. It seems that only Google want-
ed to bring up the subject, even though more than 20 technology companies were targeted in
the attack. Up to this point, all tech companies seemed to have a stay-in-China-at-all-costs pol-
icy. It’s easy to see why they’d do this: China hasn’t been much of a market for them so far, but
it seems suicidal to ignore the country when it presents such a growth opportunity. Perhaps
these past few weeks have convinced Google that as long as the current regime is in place,
there’s no hope for a pot of gold at the end of the Chinese rainbow.
Yet to me, the big story here isn’t that one company (admittedly an important technology
leader) appears to be headed out of China. It’s that China has a well-developed hacker network
targeting high-technology companies doing business both inside and outside the country.
Despite all the bowing and scraping those companies were doing to the Chinese government to
stay in the country, it wasn’t enough. China clearly won’t be happy unless it turns those com-
panies into fully cooperative branches of the government.
Let’s not forget why China wants this information. China wants to wipe out any dissenting
political thought or word. The technology that we all enjoy is unfortunately making that easier.
Whether it’s through overt cooperation or covert espionage, the infrastructure of the Internet is
giving China’s government the opportunity to exercise even more control over its people.
Clearly, any company that wants to do business in a country needs to comply with that coun-
try’s laws. China was seen as such a prize that many U.S.-based companies were willing to
overlook the oppressive Chinese government and hide behind the oak leaf that they were
merely following the laws. Now they know the government feels it need not do the same.
Jan. 16, 2010
Google Hack Code Released And Metasploit Exploit Now Available
By Kelly Jackson Higgins, DarkReading
Internet Explorer exploit code used in the so-called Aurora attacks out of China against Google
and other companies has been posted online -- and now the popular Metasploit hacking tool
has released a working exploit of the attack, as well.
The malware, which exploited a zero-day vulnerability in Internet Explorer in targeted attacks
against Google and other companies’ networks, was used to go after IE 6 browsers in the mas-
sive attacks, which ultimately resulted in the theft of intellectual property from Google and
other as-yet unnamed organizations. Adobe and Rackspace are among the companies so far
that say they were hit by the attacks, which were allegedly conducted by hackers in China.
With the IE exploit in the wild now, it could be used by other cybercriminals to go after other
organizations or users. And while Metasploit’s new exploit is meant for researchers and pene-
tration testers to gauge their vulnerability to the attack, Metasploit is still an open-source tool
that can be deployed for nefarious purposes.
“The public release of the exploit code increases the possibility of widespread attacks using the
Internet Explorer vulnerability,” George Kurtz, McAfee’s CTO, blogged late yesterday. “This
attack is especially deadly on older systems that are running XP and Internet Explorer 6.”
The IE flaw discovery has prompted the German government to recommend that its citizens no
longer use IE and instead run an alternative browser until Microsoft comes up with a patch,
according to a post on Heise Security.
Researchers working on investigating the attacks say the IE malware was just one weapon used
in the attacks.
In a related development, iDefense has retracted its claims that infected PDF files were used in
the attacks on Google and others.
“In iDefense’s press announcement regarding the recently discovered Silicon Valley compromis-
es, we stated that the attack vector was likely ‘malicious PDF file attachments delivered via
email’ and suggested that vulnerability in Adobe Reader appeared to have been exploited in
these attacks. Upon further review, we are retracting our initial assessment regarding the likely
use of Adobe vulnerabilities. There are currently no confirmed instances of vulnerability in
Adobe technologies being used in these attacks. We continue to investigate this issue,” iDefense
said in a statement.
iDefense’s statement and revelations by McAfee about its findings led other researchers to back
down from their claims of infected PDFs, as well.
Meanwhile, Microsoft provided more details on the actual vulnerability. It is a memory-
corruption problem in which the browser can be made to use memory it has already freed; the
attacker’s JavaScript first places attack code in memory and then triggers that use of freed
memory so that execution lands on the planted code.
Users of IE 6 on Windows XP should upgrade to a newer version of IE or enable Data
Execution Prevention (DEP), according to Microsoft. All versions of IE crash when the attack
page is opened, but the damage can be limited to that crash: disabling JavaScript keeps the
page from triggering the flaw, and DEP keeps the planted code from executing, since DEP
stops code from running in pages of memory that aren’t designated as executable.
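Microsoft’s description maps onto a pattern a defender can look for in page content: before the freed-memory condition is triggered, the script has to blanket the heap with its code, and that step has recognizable tells. The following is an added example, not Microsoft’s guidance and not code from the attack page, that scores a page’s script text for those tells. Both HTML samples are constructed for the example (the first uses int3 and nop bytes rather than any real payload), and the regular expressions are assumptions about how such scripts are commonly written.

```python
import re

# Constructed samples for this example; neither is an actual attack page.
SPRAY_PAGE = r'''<script>
var sc  = unescape("%uCCCC%uCCCC%u9090%u9090");   // stand-in payload (int3 / nop)
var nop = unescape("%u0c0c%u0c0c");               // sled word that is also a heap address
while (nop.length < 0x100000) { nop += nop; }     // grow the string to 1M characters
var heap = new Array();
for (var i = 0; i < 300; i++) { heap[i] = nop + sc; }  // blanket the heap with copies
</script>'''

BENIGN_PAGE = r'''<script>
var name = unescape("%u00e9t%u00e9");   // ordinary use of unescape
document.getElementById("greet").innerText = "Bonjour " + name;
</script>'''

# 16-bit words that are harmless when executed and plausible as heap addresses.
SLED_WORDS = {"0c0c", "0d0d", "0a0a", "0909", "9090"}

# unescape("...") whose literal is nothing but %uXXXX escapes.
UNICODE_LITERAL = re.compile(r'unescape\(\s*"((?:%u[0-9a-fA-F]{4})+)"\s*\)')
# while (s.length < 0xNNNNN) s += s   -- exponential growth to a large size.
DOUBLING_LOOP = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*0x[0-9a-fA-F]{5,}\s*\)\s*\{?\s*\1\s*\+=\s*\1\b')
# for (...) a[i] = x + y   -- filling an array with concatenated blocks.
ARRAY_FILL = re.compile(
    r'for\s*\([^)]*\)\s*\{?\s*(\w+)\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+')


def spray_indicators(html: str) -> list:
    """Return the heap-spray heuristics that fire on a page's script text."""
    hits = []
    for m in UNICODE_LITERAL.finditer(html):
        words = [w.lower() for w in re.findall(r"%u([0-9a-fA-F]{4})", m.group(1))]
        if len(set(words)) == 1 and words[0] in SLED_WORDS:
            hits.append("sled-literal:%u" + words[0])
        elif len(words) >= 64:
            hits.append("long-escaped-blob:%d" % len(words))
    if DOUBLING_LOOP.search(html):
        hits.append("self-doubling-string")
    if ARRAY_FILL.search(html):
        hits.append("array-fill-concat")
    return hits


def is_suspected_spray(html: str) -> bool:
    """Two independent tells are required, to keep ordinary unescape() use quiet."""
    return len(spray_indicators(html)) >= 2


if __name__ == "__main__":
    print(spray_indicators(SPRAY_PAGE))
    print(spray_indicators(BENIGN_PAGE))
```

Run it over the script bodies of pages seen by a proxy or a detonation sandbox. None of these tells is the vulnerability itself; they are the preparation every exploit of this class needs when DEP is off, which is why they are worth alerting on regardless of which browser bug the page goes on to trigger.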
Daniel Kennedy, a partner with the Praetorian Security Group, says the attack opens a back-
door into the victim’s PC, which gives the attacker carte blanche to do whatever the user can
do. “Once the backdoor is open to the user’s PC the attacker can use it as a pivot point for
other attacks against the internal network, escalate his or her privileges, take information off
the PC, basically do anything the user can do,” Kennedy said in blog post.
He also posted a video simulating the attack, using the new Metasploit exploit module.
Meanwhile, the U.S. State Department reportedly may take more formal measures against
China over the alleged attacks. State Department officials want answers from China, but thus
far have been unsuccessful in doing so in their initial meetings with Chinese officials.
Jan. 15, 2010
Other Targets In Google Cyberattack Surface
By Thomas Claburn, InformationWeek
The names of other companies targeted in the cyberattack disclosed by Google earlier this week
have started to emerge.
Google reportedly asked the other 33 companies targeted in the attack to come forward.
A Google spokesperson said the company provided technical information and that was the
extent of its communication to other affected organizations.
Adobe was the first company after Google to acknowledge that it had been targeted. It reported
recently that it had learned about “a sophisticated, coordinated attack against corporate net-
work systems managed by Adobe and other companies” at the beginning of the month.
According to an Adobe spokesperson, Adobe decided to come forward on its own.
Web hosting provider Rackspace followed suit in a blog post.
Symantec and Juniper Networks have acknowledged being targeted.
Dow Chemical and Northrop Grumman were also among the targets, according to The
Washington Post. Other reports say Yahoo! was attacked as well.
A spokesperson for Northrop Grumman declined to comment. Dow Chemical and Yahoo! did
not respond to requests for comment.
Microsoft recently acknowledged that the cyberattack leveraged an Internet Explorer vulnerability
and issued a security advisory. It condemned the attacks and noted that its network and
online properties appear not to have been affected.
“At this time, we have no indication that Microsoft’s corporate network or our mail properties
were [hit] as part of these attacks,” said Mike Reavey, director of Microsoft Security Response,
in an online post.
A report in the English-language China Daily noted that Microsoft and HP failed to back
Google’s move. It includes a quote from Microsoft CEO Steve Ballmer, referring to the incident
as “the Google problem.”
Following Microsoft’s announcement, VeriSign iDefense retracted its claim that the likely attack
vector was “malicious PDF file attachments delivered via e-mail.”
The U.S. government has formally asked Chinese diplomatic officials for an explanation of the
incident.
“We have had a discussion here in Washington with officials from the Embassy, where we
raised the issue,” said State Department spokesman P.J. Crowley at a recent press briefing. “As
the Secretary said, it is a serious issue. The incident raises questions about both Internet free-
dom and the security of the Internet in China. And we’ve asked them for an explanation.”
China’s Foreign Ministry Spokesperson Jiang Yu in a briefing said that “China’s Internet is
open,” and that the country “welcomes international Internet corporations to do business in
China in line with law.”
Asked about reports that U.S. Secretary of State Hillary Clinton said she would seek an expla-
nation, Jiang responded, “if the U.S. contacts us, we will reiterate our position on this issue.”
Jan. 14, 2010
Attackers Employed IE Zero-Day Against Google, Others
By Kelly Jackson Higgins, DarkReading
Attackers used a zero-day vulnerability in Internet Explorer in their targeted attacks against
Google and other companies’ networks -- and Microsoft has responded with an advisory that
helps mitigate attacks that exploit this previously unknown flaw.
Microsoft says the flaw in IE, which allows for remote code execution attacks on a victim’s
machine, was one of the attack vectors used in the wave of attacks, and, so far, it’s only being
used against IE 6 browsers. The attack occurs when a user visits a malicious or infected
Website by clicking on a link within an email or instant message, and it also could be set to
attack via banner ads, according to Microsoft.
The affected versions of the browser are IE 6 Service Pack 1 running on Microsoft Windows
2000 Service Pack 4, and IE 6, IE 7 and IE 8 on Windows XP, Windows Server 2003,
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
“Microsoft has not seen widespread customer impact, rather only targeted and limited attacks
exploiting IE 6 at this time. Our teams are currently working to develop an update, and we will
take appropriate action to protect customers when the update has met the quality bar for broad
distribution. That may include releasing the update out of band,” blogged Mike Reavey, direc-
tor of the Microsoft Security Response Center.
For now, Microsoft recommends enabling the Data Execution Prevention (DEP) feature in IE,
and setting Internet security zone security settings to “high” as ways to protect against this
attack. DEP, which is a default feature in IE 8, has to be set manually in earlier versions of the
browser. A patch could be in the works as well, according to Microsoft.
And the wave of attacks out of China now has a name, too, courtesy of McAfee: Aurora.
McAfee researchers, who say they discovered the IE zero-day flaw, believe Aurora was the inter-
nal name the attackers gave the operation -- it comes from the name they used for the directory
in which their source code resided.
Dan Kaminsky, director of penetration testing for IOActive, who spoke with people familiar
with the IE malware sample that was found, says that exploit works only on IE 6 XP, but it
could be written to work “reasonably” on IE 7 and IE 8 XP. The flaw itself is a so-called dan-
gling pointer bug, which is typically stopped by the DEP feature in IE, he says. “However, there
are known ways around DEP on XP,” he says.
McAfee -- which says it was not one of the victims of the attacks -- says it discovered the IE
zero day while helping several victim companies in the wake of the attacks. Dmitri Alperovitch,
vice president of threat research at McAfee, says the attack using the IE flaw was what allowed
intruders to take over victims’ machines and then access their company networks and
resources. “All the user had to do was click on the link and the malware was automatically
downloaded onto their machine, and it proceeded to update itself,” Alperovitch says. “One of
the modules was a remote-control capability that allowed them to take over the machine. From
that point forward, they had access to the [victim’s] network and could do reconnaissance and
exfiltrate any data they encountered, and go after key resources.”
Alperovitch says that in every victim environment McAfee has examined so far, this exploit
was the initial method of compromise.
Experts and sources close to the investigations have said the Chinese attackers used infected
PDF attachments, as well as Excel and other types of files, to lure the victims and infect them.
And Microsoft’s Reavey noted in his blog that IE was “one of several attack mechanisms” used
in the attacks.
But Alperovitch says McAfee has seen no sign of any infected PDF files. “There has been no
evidence of any Adobe PDFs or other exploitation vectors. But that’s not to say there aren’t
any,” he says, noting McAfee hasn’t seen every victim’s environment.
Meanwhile, Brad Arkin, director of product security and privacy for Adobe, blogged today that
there’s no evidence Adobe Reader or other Adobe tools were used as attack vectors against
Adobe, which, along with Google, revealed this week it was among the companies that had
been targeted by Chinese hackers.
“Similar to the McAfee researchers, we have not been able to obtain any evidence to indicate
that Adobe Reader or other Adobe technologies were used as the attack vector in this incident.
As far as we are aware there are no publicly known vulnerabilities in the latest versions (9.3
and 8.2) of Adobe Reader and Acrobat that we shipped on January 12, 2010,” Arkin blogged
about the attack on Adobe.
Meanwhile, McAfee’s Alperovitch says the attacks were nothing like he had seen before in the
commercial space. “We’ve seen [sophisticated] attacks in government like this, but this is the
most sophisticated one I’ve seen in the commercial space,” he says.
There were several layers of encryption surrounding the exploit and other malware, as well as
obfuscation techniques to avert discovery. “There was a lot of effort put into this. It underscores
the threat we’re seeing in the government space, and they are coming to the commercial space”
now, he says.
“Aurora is an eye-opener,” he says.
IOActive’s Kaminsky says the big news is not there were new bugs in IE or Acrobat: “Bugs in IE
and Acrobat happen,” he says. “The interesting thing is who’s doing the attacking and what
people are doing about it.
“People aren’t surprised to see that there are potentially state-linked actors hacking into large
companies. That’s been going on for a while. But we are surprised to see that an accusation is
actually being made about it and with heft behind it,” he says. “There are consequences here in
Google policy and action from the State Department, which is an unprecedented component.”
Jan. 14, 2010
More Victims Of Chinese Hacking Attacks Come Forward
By Kelly Jackson Higgins, DarkReading
The names of the other 20-plus companies and organizations hit by the recent wave of
attacks out of China are gradually trickling out, though most companies remain tight-
lipped about whether they were hit. Among the victims coming forward are a law firm that filed
suit against the Chinese government over its censorship software, and Web hosting firm Rackspace.
Aside from Google and Adobe, which have said that they were hit by the attacks, published
reports have named Dow Chemical, Northrop Grumman, Symantec, and Yahoo as also being
attacked. And U.S.-based news site VerticalNews China says it was hit with a distributed
denial-of-service (DDoS) attack that originated from China.
A Northrop Grumman spokesman says the company does not comment on specific attacks,
and Symantec neither confirmed nor denied it was hit, either. “Northrop Grumman, like most
industries and government organizations, is at risk of cyberattacks ranging from the most com-
plex to the simple hacker,” the spokesman said in a statement. “Northrop Grumman has in
place an extremely robust, leading-edge network defense system to mitigate attacks, secure our
data, and help protect our business against disruption. As a principal member of the Defense
Industrial Base, we share our knowledge of attacks with colleagues to increase awareness and
prevent the spread of malicious activity.”
Symantec, meanwhile, said: “As the world’s largest security provider, we are the target of cyber-
attacks on a regular basis. As we do with all threats, we are thoroughly investigating this one to
ensure we are providing appropriate protection to our customers.”
Rackspace, which hosts tens of thousands of different Websites for its clients, says one of its
servers was hacked. “A server at Rackspace was compromised, disabled, and we actively assisted
in the investigation of the cyberattack, fully cooperating with all affected parties,” the com-
pany said in a posting on its Website. “No customer data at Rackspace was compromised or
altered [in the attack].”
Meanwhile, a small law firm that represents U.S.-based CyberSitter, the software developer that
last week filed a $2.2 billion software piracy suit against the People’s Republic of China and
seven computer manufacturers, was also targeted. Gipson Hoffman & Pancione was hit Monday
evening in what could be retaliation for filing what it describes as a historic intellectual
property suit against China on behalf of CyberSitter. CyberSitter alleges that China’s Green
Dam developers illegally copied more than 3,000 lines of code from CyberSitter’s own Internet
content-filtering software, and that they worked with the Chinese government and other computer
makers to distribute more than 56 million copies of that software across China and elsewhere.
Elliot Gipson, an attorney with the Los Angeles-based firm, says it’s impossible to know for
sure whether these are the same attacks Google unearthed, but that they employed a similar
spear-phishing technique. “Members of the firm got emails from what looked as if they were from
other members of the firm, asking them to click on an attachment or a link,” Gipson says. Now
the FBI is investigating, he says.
The firm had already put its employees on high alert in the wake of the lawsuit it filed against
China last week. “We had warned our employees to be on guard for suspicious email,” Gipson
says. He says it appears that no one fell for the spear-phishing attack because there’s no sign
that anyone clicked on any of the links.
Gipson says some of the messages contained pure links, while others came with attachments,
but he doesn’t think any of them were PDF documents.
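Gipson describes the lure (mail that appears to come from a colleague and asks the reader to click a link or open an attachment) at a firm that had already told staff to be on guard. As an added example that is not part of the article or the firm's own tooling, this Python triage check flags inbound messages that claim an internal sender but fail sender authentication, or that put a known staff name over an outside address; the firm domain `example-law.test`, the staff list and the two sample messages are constructed.

```python
"""Triage an inbound message for the lure Gipson describes: mail that looks as if it
came from a colleague and asks the reader to click a link or open an attachment.
Added defender example, not code from the article or the firm; the domain, staff
directory and messages below are constructed."""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-law.test"               # hypothetical firm domain
STAFF = {"jane partner", "elliot associate"}  # hypothetical staff directory

def triage(raw: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    reasons = []
    # Internal address that did not authenticate: the header says "colleague",
    # the mail gateway's SPF/DKIM verdict says otherwise.
    if domain == ORG_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        reasons.append("internal From address but SPF/DKIM did not pass")
    # A known staff name over an outside mailbox is the same lure by another route.
    if domain != ORG_DOMAIN and name.lower() in STAFF:
        reasons.append(f"colleague's display name over outside address {addr}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    has_lure = "http://" in text or "https://" in text \
        or next(msg.iter_attachments(), None) is not None
    if reasons and has_lure:
        reasons.append("asks the recipient to follow a link or open an attachment")
    return {"suspicious": bool(reasons), "reasons": reasons}

# Constructed samples: a spoofed "colleague" carrying a link, and a genuine internal note.
LURE = """\
From: "Jane Partner" <jane@example-law.test>
Subject: Please review the attached filing
Authentication-Results: mx.example-law.test; spf=fail smtp.mailfrom=jane@example-law.test; dkim=none
Content-Type: text/plain; charset="utf-8"

Please review the filing at http://files.lookalike.test/filing before tomorrow.
"""
LEGIT = """\
From: "Jane Partner" <jane@example-law.test>
Subject: Lunch
Authentication-Results: mx.example-law.test; spf=pass smtp.mailfrom=jane@example-law.test; dkim=pass
Content-Type: text/plain; charset="utf-8"

Lunch at noon?
"""
```

The check deliberately treats a colleague's name as no proof of origin: the gateway's authentication verdict and the address domain decide, and the link or attachment only raises the priority of a message that already looks wrong.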
VerticalNews China, a U.S.-based news site operated by the NewsRx publishing firm that covers
news from China, was hit by a DDoS attack yesterday. “I do know that the large-scale attack
originated in China, and now that we know it can happen, we’ve taken steps to hopefully prevent
future disruptions,” said Susan Hasty, publisher at NewsRx, the parent company of
VerticalNews, in a statement. “We have every intention to continue coverage of vital news
about China.”