Google’s China Affair

From the moment Google revealed the targeted attacks out of China on it and 20 other companies, fingers have been pointed and verbal volleys lobbed. While there’s no evidence that the Chinese government was behind these attacks, they’re nonetheless a contentious political issue. Our coverage takes a look at both the technical and political ramifications.

Analytics Alert, Analytics.InformationWeek.com, Jan. 29, 2010

Contents

Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property
Warning Signs Preceded Cyberattack
Flaws In The ‘Aurora’ Attacks
Is The U.S. Afraid To Admit That China Declared War On It?
China Defends Great Firewall
Google/China Reality Check Amid The Fog Of Cyberwar
New Details On Targeted Attacks On Google, Others Trickle Out
Direction Of Fallout?
China And Google: The Real Story?
Google Hack Code Released, Metasploit Exploit Now Available
Other Targets In Google Cyberattack Surface
Attackers Employed IE Zero-Day
More Victims Come Forward



Jan. 29, 2010 © 2010 InformationWeek, Reproduction Prohibited


Jan. 13, 2010

Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property
By Kelly Jackson Higgins, DarkReading

The wave of targeted attacks from China on Google, Adobe, and more than 20 other U.S. companies, which has led the search giant to consider closing its doors in China and no longer censor search results there, began with end users at the victim organizations getting duped by convincing spear-phishing messages with poisoned attachments.

Google and Adobe both have revealed that they were hit by these attacks, which appear to be aimed mainly at stealing intellectual property, including source code from the victim companies, security experts say.

So far, the other victim companies have yet to come forward and say who they are, but some could go public later this week. Microsoft, for one, appears to be in the clear: “We have no indication that any of our mail properties have been compromised,” a Microsoft spokesperson said in a statement.

Google, meanwhile, first discovered in mid-December that it had been hit by a targeted attack out of China that resulted in the theft of some of its intellectual property. The attackers’ primary goal was to access the Gmail accounts of Chinese human rights activists, according to Google: “Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,” said David Drummond, senior VP of corporate development and chief legal officer at Google, in a blog post. Google discovered that at least 20 other large companies from the Internet, finance, technology, media, and chemical industries also had been hit by the attack, he said.

Google has said that it would stop censoring Google.cn, its Chinese search service. That decision could lead to the shuttering of Google’s China operations, since the Chinese government has made censorship a condition of the company’s operation in the country.

iDefense says the attacks were primarily going after source code from many of the victim firms, and that the attackers were working on behalf of or in the employment of officials for the Chinese government. “Two independent, anonymous iDefense sources in the defense contracting and intelligence consulting community confirmed that both the source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof,” iDefense said in a summary it has issued on the attacks.

Eli Jellenc, head of international cyberintelligence for iDefense, which is working with some of the victim companies, says on average the attacks had been under way for nearly a month at those companies.

One source close to the investigation says this brand of targeted attack has actually been going on for about three years against U.S. companies and government agencies, involving some 10 different groups in China consisting of some 150,000 trained cyberattackers.

The attacks on Google, Adobe, and others started with spear-phishing email messages with infected attachments, some PDFs and some Office documents, that lured users within the victim companies, including Google, to open what appeared to be documents from people they knew. The documents then ran code that infected their machines, and the attackers got remote access to those organizations via the infected systems.

Interestingly, the attackers used different malware payloads among the victims. “This is a pretty marked jump in sophistication,” iDefense’s Jellenc says. “That level of planning is unprecedented.”

Mikko Hypponen, chief research officer at F-Secure, says a PDF file emailed to key people in the targeted companies started the attacks. “Once opened, the PDF exploited Adobe Reader with a zero-day vulnerability, which was patched today, and dropped a back-door [Trojan] that connected outbound from the infected machine back to the attackers,” Hypponen says. That then gave the attackers full access to the infected machine as well as anywhere the user’s machine went within his or her network, he says.

Other experts with knowledge of the attacks say it wasn’t just PDFs, but Excel spreadsheets and other types of files employed as malicious attachments. The malware used in the attacks was custom-developed, they say, based on zero-day flaws, and investigators were able to match “fingerprints” in the various versions of malware used in the attacks and determine that they were related.
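The attachment-borne first stage described above is where a mail gateway or an analyst gets the first chance to intervene. The Python script below is an added example, not code from the article or from any of the vendors quoted, showing a static first-pass triage of a PDF attachment: it decodes #xx escapes inside PDF names (a common way to hide active-content keys from naive string matching), then counts the names that make a viewer act on its own (/OpenAction, /AA, /JavaScript, /JS, /Launch) and the names that carry or hide payloads (/EmbeddedFile, /RichMedia, /ObjStm). Both sample documents are constructed for the example. The script does not detect the specific Reader vulnerability Hypponen refers to, only the active content such exploits typically rely on.

```python
"""Static first-pass triage of a PDF attachment for active content.

Added example, not code from the article. Sample documents are constructed.
"""
import re

# Names that make a viewer do something the user did not ask for.
ACTIVE_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch")
# Names that carry embedded payloads or hide other objects from plain scanning.
CARRIER_NAMES = ("/EmbeddedFile", "/RichMedia", "/ObjStm")

# Constructed benign document: one empty page, no actions.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed suspicious document: the catalog runs object 4 on open, and
# object 4 is a JavaScript action whose /S name is hex-escaped (/J#61vaScript)
# so a plain search for "/JavaScript" would miss it.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names compare equal to plain ones."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes, names) -> dict:
    """Count each PDF name token; the lookahead stops /JS matching /JSxyz."""
    hits = {}
    for name in names:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, data))
        if n:
            hits[name] = n
    return hits


def triage_pdf(data: bytes) -> dict:
    """Return a small verdict dict for one attachment body."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "active": {}, "carriers": {}, "suspicious": False}
    norm = normalize_names(data)
    active = count_names(norm, ACTIVE_NAMES)
    carriers = count_names(norm, CARRIER_NAMES)
    return {"is_pdf": True, "active": active, "carriers": carriers,
            "suspicious": bool(active)}


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(doc))
```

A hit on active content is a triage signal, not a verdict: legitimate forms use /AA and /JavaScript too, and an exploit can sit inside a compressed object stream or a filtered stream that this scan does not inflate, which is why a /ObjStm hit with no visible action names is itself a reason to detonate the file in a sandbox rather than clear it.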

The attackers didn’t cast a wide spam net to get their victims like a typical botnet or spam campaign. Sources with knowledge of the attacks say the attackers instead started out with “good intelligence” that helped them gather the appropriate names and email addresses they used in the email attacks. “The state sponsorship may not be financial, but it is backed with intelligence,” says one source. “What we’re seeing is a blending of intelligence work plus malicious cyberattacks.”

iDefense’s Jellenc says the attackers were able to successfully steal valuable intellectual property from several of the victim companies.

The attack revelations came on the heels of a major Adobe patch release yesterday. According to Adobe, it first learned of the attacks on Jan. 2. “At this time, we have no evidence to indicate that any sensitive information -- including customer, financial, employee, or any other sensitive data -- has been compromised. We anticipate the full investigation will take quite some time to complete,” said an Adobe blog posting late yesterday. “We have and will continue to use information gained from this attack to make infrastructure improvements to enhance security for Adobe, our customers, and our partners.”

Richard Stiennon, chief research analyst for IT-Harvest, says the attacks sync with the typical modus operandi of Chinese espionage attacks that have been going on since 2001. “These are the same methodologies the GhostNet team used to infiltrate the Dalai Lama’s networks,” Stiennon says. In that case, the servers were based in South Korea, and the attackers were traced to China, he says.

“Based on Google’s post, they traced back the attack to the control server and from there, found that other companies had been infected,” Stiennon says. What’s unclear is just how Google got into that control server, however, he notes.

So how did the attackers gather their initial intelligence for the spear-phishing attacks? One theory is they merely did their own research via the public Web, which can be employed by anyone doing reconnaissance. Another theory is they could have had access to, or compromised, a high-level router that handles traffic to and from Google in China. “China owns the routers on which all traffic goes from outside to and from Google [there],” says one source. “They literally own those routers.”

James Mulvenon, director of the Defense Group Inc.’s Center for Intelligence Research and Analysis and a specialist on China, says some reports indicate that the attacks may have been a combination of an inside job as well as outside hackers breaking into the companies.


Researchers at iDefense said the code used in the attacks is different from that of the malware used in the attacks last July that targeted 100 IT companies, but the two have similar command-and-control (C&C) servers. Both C&C servers use the HomeLinux Dynamic DNS service and point to IP addresses owned by the U.S.-based server hosting vendor Linode, according to a research note issued by iDefense.

“The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other. Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July,” iDefense said.

iDefense says the attack on Google, Adobe, and other companies dropped a backdoor Trojan in the form of a Windows DLL.

Meanwhile, the attacks have brought together industry and the U.S. federal government. Secretary of State Hillary Rodham Clinton said in a statement that she had been briefed by Google about the attacks. “We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation,” Clinton said. “The ability to operate with confidence in cyberspace is critical in a modern society and economy. I will be giving an address next week on the centrality of Internet freedom in the 21st century, and we will have further comment on this matter as the facts become clear.”

But getting to the actual people behind the attack is another story. By using a C&C architecture akin to how botnets work, the attackers have insulated themselves.

The key to breaking that cycle is cutting off the C&C server: Gunter Ollmann, vice president of research at Damballa, says the best way to stop this type of threat is to detect and break the “tether of control” in the C&C channel. “By blocking those CnC channels, the bad guys can’t remotely control your enterprise systems, and they can’t extract the secret data they want,” Ollmann blogged today. But the closest you can realistically get to the people behind the attacks is probably their country location, he said.
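Ollmann’s point is that the C&C tether is where the defender can act, and the tether a backdoor creates has a recognizable shape: one host contacting one external name on a timer. The Python below is an added example, not code from Damballa or from the article, that flags that shape in proxy logs. It parses constructed log lines (timestamp, source host, destination host, bytes), computes the gaps between successive connections for each source/destination pair, and reports pairs whose gaps are stable (coefficient of variation under a threshold). The hostname c2-sample.homelinux.org is a constructed placeholder in the style of the dynamic DNS service iDefense mentions; the thresholds are assumptions for the example.

```python
"""Flag beaconing: a host contacting one external name at a steady interval.

Added example, not code from the article or from Damballa. Log lines are
constructed; c2-sample.homelinux.org is a placeholder hostname.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <source host> <destination host> <bytes>"
SAMPLE_LOG = """\
2010-01-05T09:00:00 ws-042 c2-sample.homelinux.org 412
2010-01-05T09:02:13 ws-042 www.example.com 2048
2010-01-05T09:03:40 ws-042 www.example.com 1200
2010-01-05T09:10:01 ws-042 c2-sample.homelinux.org 408
2010-01-05T09:17:42 ws-017 mail.example.com 300
2010-01-05T09:20:00 ws-042 c2-sample.homelinux.org 415
2010-01-05T09:29:59 ws-042 c2-sample.homelinux.org 410
2010-01-05T09:31:05 ws-042 www.example.com 980
2010-01-05T09:40:00 ws-042 c2-sample.homelinux.org 409
2010-01-05T09:45:22 ws-042 www.example.com 3100
2010-01-05T09:50:01 ws-042 c2-sample.homelinux.org 411
2010-01-05T09:58:10 ws-042 www.example.com 640
"""


def parse_log(text: str) -> dict:
    """Group connection times by (source, destination), sorted in time."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return {pair: sorted(times) for pair, times in conns.items()}


def interval_profile(times, min_conns: int = 5):
    """Mean gap (seconds) and coefficient of variation, or None if too few."""
    if len(times) < min_conns:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text: str, max_cv: float = 0.05, min_conns: int = 5) -> dict:
    """Return {(src, dst): mean_interval_seconds} for steady-interval pairs.

    A person browsing a site produces irregular gaps (high CV); an implant
    phoning home on a timer produces near-identical gaps (CV near zero).
    """
    beacons = {}
    for pair, times in parse_log(text).items():
        profile = interval_profile(times, min_conns)
        if profile is None:
            continue
        avg, cv = profile
        if cv <= max_cv:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{period}s, candidate C&C tether")
```

The thresholds are the tuning knobs: real implants add jitter, so in production you would widen max_cv, look at periodicity over longer windows, and weight constant request sizes and destinations on newly registered or dynamic DNS names. The output is a block-list candidate for the proxy or resolver, which is the cut in the tether Ollmann describes; it does not identify who is on the other end.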

Meanwhile, security experts say the latest attacks are all about industrial espionage -- and everyone is at risk. “Whether or not it’s an ad-hoc effort or coordinated by the government, China is looking for anything it can get. As they get more sophisticated, they are very interested in source code and ways to find new vulnerabilities in software companies’ products,” IT-Harvest’s Stiennon says.

“My message to everybody is you are all under attack.”

Robert Graham, CEO of Errata Security, says he doubts the Chinese government is directing the attacks itself. “The way repressive governments work is by encouraging nationalistic groups, which do the dirty work for them,” Graham says. “This is an asymmetric fight. Google’s response is creative: They are forcing the government to take responsibility for its policies. Instead of the self-censorship Google has been doing, it’s forcing them to show their hand by cracking down for real on uncensored Google results.”

The attacks demonstrate a shift, with the Chinese now brazenly going after U.S. industry interests. “They’ve gone from attacking the military and defense [such that] it benefited their state in national security to striking at the heart of the American technology economy,” Defense Group Inc.’s Mulvenon says.

Jan. 26, 2010

Warning Signs Preceded Cyberattack On Google
By John Foley, InformationWeek

The news of a cyberattack from within China on Google and other companies has prompted a range of reactions, including Google’s decision to reassess its operations there and a rebuke from U.S. Secretary of State Hillary Clinton. But no one should be surprised by what happened. Two months earlier, a U.S. government report warned that the private sector was susceptible to this very risk.

That report, titled “Report on the Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation,” should be required reading for all businesses and government agencies. It warns that a “reactive defense model” -- one practiced by many IT departments -- isn’t enough to ward off what’s described as a “long term, sophisticated computer network exploitation campaign” by the Chinese military.

The 88-page opus, published in October, was prepared by Northrop Grumman’s Information Systems Sector for the U.S.-China Economic and Security Review Commission, which was created 10 years ago to monitor the national security implications of trade and economic ties between the U.S. and China.

At the time the report was issued, InformationWeek ran a story with the following headline, “Evidence Points To China In Cyber Attacks.” To repeat, that was two months before Google experienced its own targeted attack, which was revealed by Google’s chief legal officer David Drummond in a Jan. 12 blog post.

In fact, since Drummond first published that, Google has gone back and provided a link to the Northrop Grumman report. You can download it here.

The report provides a detailed overview of China’s cyberwarfare and cyberespionage strategy, a case study in advanced cyberintrusion, a timeline of “Chinese related” cyberevents over the past 10 years, and a chronology of network exploitations against U.S. and foreign interests that were allegedly undertaken by the Chinese government or its cohorts.

Notably, the report includes examples of socially engineered e-mail and zero-day exploits as among China’s methods, both of which may have come into play in the December cyberattacks on U.S. companies. In its report, Northrop Grumman writes that, while conclusive evidence is hard to come by, it has reason to believe that Chinese security services have teamed with “elite individual hackers” in some cases.

The report’s authors acknowledge that details are fuzzy and hard to prove, and the Chinese government has denied involvement in the attack on Google. Even so, new reports point to China as a suspected source of cyberattacks on U.S. oil companies back in 2008.

There’s also this sobering assessment from Northrop Grumman: “The skill sets needed to penetrate a network for intelligence gathering purposes in peace time are the same skills necessary to penetrate that network for offensive action during war time.” As I said, the report should be required reading for senior management and IT pros in business and government alike.


Jan. 25, 2010

Flaws In The ‘Aurora’ Attack
By Kelly Jackson Higgins, DarkReading

The attackers who unleashed the recent wave of targeted attacks against Google, Adobe, and other companies made off with valuable intellectual property and source code, and shocked the private sector into the reality of the potential threat of state-sponsored cyberespionage. They also made a few missteps along the way that might have prevented far worse damage.

Security experts say while the attacks indeed were potent in their outcome, they were discovered relatively quickly by Google, and the malware used to attack Google, Adobe, and other as-yet unnamed companies wasn’t especially sophisticated or unique other than the fact that it was a zero-day exploit. The attacks -- which Google says came out of China -- had been under way for, on average, nearly a month, and Google found them out in mid-December.

Chinese officials yesterday told the state-run Xinhua news agency that the government was not involved in the attacks.

Microsoft last week issued an emergency patch intended to protect Internet Explorer from the now infamous IE exploit code that was used to infect the front-line victims of the attacks at Google, Adobe, and some of the other targeted firms. Now that the exploit has seen the light of day and has been duplicated in other in-the-wild attacks since, researchers have reverse-engineered it for clues about the attackers and their intentions.

Joe Stewart, director of malware research for Secureworks and the person who discovered some Chinese-language ties to the code, says the so-called “Aurora” code has similar characteristics with other malware. “It’s not incredibly sophisticated,” Stewart says. “They do put in encryption ... and wrote an actual protocol to send binary [commands]. But that’s something we’ve seen before in a lot of malware. Still, it’s not something amateurs would do.”

The attack vector -- using a social engineering phishing message to lure the victims -- wasn’t anything new, either. What impressed security researchers who’ve studied the code was the outcome of the attacks, not the malware.


“The sophistication of the Aurora attacks is less about the malware and zero-day used, and more about the coordinated effort to target and pilfer from an estimated 33 companies in a short period of time,” says Marc Maiffret, chief security architect for FireEye. “The exploit is subpar on many levels as it relates to weaponized exploits, and the malware is also of less sophistication than we have seen with even a standard botnet. The fact is, these attacks show what is commonplace and already happening every day to businesses relying on legacy AV and IPS technologies.”

How the attackers gathered intelligence on the victim companies is still unclear, but sources with knowledge of the events say the attackers gathered the appropriate names and email addresses thanks to “good intelligence” that they were able to use. “The state sponsorship may not be financial, but it is backed with intelligence,” one source said in an earlier interview. “What we’re seeing is a blending of intelligence work plus malicious cyberattacks.”

One theory is that they merely did their own research via the public Web, which can be employed by anyone doing reconnaissance. Another theory is they could have had access to, or compromised, a high-level router that handles traffic to and from Google in China, according to the source.

Maiffret and other security experts say what’s most striking is how the attackers were able to hit so many companies at once, and that it appears they were successful in stealing what they were after. “That was definitely sophisticated in itself,” Maiffret says.

But there was a downside of waging these attacks en masse -- it was also fairly conspicuous. Google has said publicly that at least 20 companies from a range of industries, including Internet, finance, technology, media, and chemical, were among the casualties, but security sources say it could be up to around 30.

“What was uncommon here was that they hit all of these companies at once. Frankly, that was not particularly clever. That upped their rate of being caught,” says Al Huger, vice president of engineering at Immunet. “That’s a hallmark of somebody not really knowing what they were doing.”

Huger says that doesn’t necessarily mean the attacks were not state-sponsored, however. “But whoever did it made some egregious mistakes,” he says.


Another big misstep was that the attackers apparently sent the stolen data back to one server location, he says. “All it took was Google to track that server, and it could tell who else was compromised” as well, he says. “That’s pretty bush league.”
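Huger’s point here and the iDefense observation in the first article (two C&C servers resolving through the same dynamic DNS service to Linode addresses six apart in one subnet) are the same analyst move: pivot on shared infrastructure. The Python below is an added example, not code from either article or from iDefense, that performs that pivot over constructed observations of victim organization, C&C hostname and resolved address (RFC 5737 documentation addresses). It groups addresses into /24 networks and links victims whose C&C addresses lie within a configurable distance of each other, so the exact-match case (one drop server shared by several victims) and the near-match case (adjacent addresses in one subnet) are handled by one routine. The distance threshold and the organization names are assumptions for the example.

```python
"""Pivot on shared C&C / drop-server infrastructure across victims.

Added example, not code from the article or from iDefense. Observations are
constructed; addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict

# Constructed observations: (victim organization, C&C hostname, resolved IPv4)
OBSERVATIONS = [
    ("org-a", "c2-one.example-ddns.net", "203.0.113.10"),
    ("org-b", "c2-one.example-ddns.net", "203.0.113.10"),   # same drop server as org-a
    ("org-c", "c2-two.example-ddns.net", "203.0.113.16"),   # six addresses away
    ("org-d", "updates.example.org",     "198.51.100.7"),   # unrelated subnet
]


def address_distance(ip_a: str, ip_b: str) -> int:
    """Number of addresses separating two IPv4 addresses (0 = identical)."""
    return abs(int(ipaddress.ip_address(ip_a)) - int(ipaddress.ip_address(ip_b)))


def pivot(observations, prefix: int = 24, max_distance: int = 8) -> list:
    """Link victims whose C&C addresses sit in one /prefix within max_distance.

    Returns one dict per linked group: the network, the victims, and the
    C&C addresses that tie them together.
    """
    by_net = defaultdict(list)
    for org, host, ip in observations:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[str(net)].append((org, host, ip))

    clusters = []
    for net, rows in by_net.items():
        linked = set()
        # Pairwise compare within the subnet; identical addresses have distance 0,
        # so the shared-drop-server case falls out of the same test.
        for i, (org_a, _, ip_a) in enumerate(rows):
            for org_b, _, ip_b in rows[i + 1:]:
                if address_distance(ip_a, ip_b) <= max_distance:
                    linked.update((org_a, org_b))
        if len(linked) > 1:
            clusters.append({
                "network": net,
                "victims": sorted(linked),
                "addresses": sorted({ip for org, _, ip in rows if org in linked}),
            })
    return clusters


if __name__ == "__main__":
    for c in pivot(OBSERVATIONS):
        print(f"{c['network']}: {', '.join(c['victims'])} share {c['addresses']}")
```

Adjacency in a hosting provider’s range is suggestive rather than conclusive, since unrelated customers share subnets, and names behind dynamic DNS move; the pivot should therefore be run over resolution history rather than a single lookup, and a small max_distance keeps it from linking every tenant of a /24.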

Even so, these shortcuts may have been irrelevant to the attackers if they were satisfied with the intellectual property they did score, experts say.

And while the focus thus far publicly has been on the infected client machines, the details are still emerging on how exactly the attackers got the intellectual property from the victims -- and Google and Adobe aren’t talking about that publicly. Several scenarios are possible, including the attackers grabbing the infected machine’s user credentials, and from there diving deeper into Google and the others, or the attackers using additional exploits to tunnel their way inside, or a combination of the two approaches.

Still, many of the details of the attack may never come to light. Google hasn’t elaborated on its initial revelation about the attacks, and since it appears the attackers were mostly after intellectual property, if the other 20- to 30-something companies didn’t have customer data exposed in the attacks, they won’t necessarily have to step into the spotlight and admit they were attacked, experts say.

Meanwhile, researchers said that they’ve spotted the IE Aurora exploit code running on at least one Chinese government Website, adding fuel to speculation about Chinese government backing of the attacks on Google, Adobe, and the other companies. And experts say this is yet another indication that Chinese users may be even more vulnerable to this particular exploit now that it’s in the wild than users in the U.S. are.

“The question is, is it CN Government sponsored for the purposes of potentially spying on its citizens, or have gov.cn Websites been infiltrated by hackers?” blogged Zscaler researchers.

Jan. 22, 2010

Is The U.S. Afraid To Admit That China Declared War On It?
By David Berlind, InformationWeek

Had the Chinese shot intercontinental ballistic missiles into 33 U.S.-based businesses including those in the finance and defense industries as well as the Mountain View-based headquarters of Google, there would be no question in anyone’s mind as to whether war had been declared on the U.S. Is there any difference now that a Chinese government-backed organization has cyberattacked 33 U.S. businesses? Let’s be honest with ourselves. It was an act of war and it deserves more of a response from the U.S. government than it is getting.

Let’s review the major events so far. First, a Chinese government-backed organization exploits a zero-day vulnerability in Internet Explorer to cyberattack 33 U.S.-based companies. One of those companies—Google—responds with a decision to flip a censorship switch (one that it installed in order to run its business in China) to the off position. China responds that it will not tolerate the breaking of its censorship laws.

On behalf of the U.S. government, Secretary of State Hillary Clinton gives an Internet freedom speech reminding the world that everyone on the planet has certain unalienable rights to communication and information. The Chinese respond by putting the U.S. on notice that Clinton’s speech was not only untruthful with regards to the facts, but that it threatened ongoing U.S.-China relations.

Excuse me?

The Chinese government authorizes a cyberattack against U.S. interests (at least that’s what the intelligence is saying) and now, it’s lecturing us on how a speech could damage U.S.-China relations?

Let’s get a couple of things straight. If the attacks were indeed backed by the Chinese government, then what China did was an act of war against the U.S. I don’t see how it can be viewed any other way. The attacks didn’t involve bombs, bullets, blood, or death. But this is what war in the 21st century is going to be like. As such, it shouldn’t be China that’s putting the U.S. on notice. It should be the other way around.

(Note: This isn’t the first time we’ve seen evidence of cyberattacks sanctioned by the Chinese government. See “Evidence Points To China In Cyber Attacks” at informationweek.com/china. The story predates the Google/China incident by months.)

I watched Clinton’s speech and thought very highly of it. Although I wondered if it was really the people who prepared the speech for her, I felt as though she demonstrated a command of the Internet, software development, and the innovation that the IT industry is known for in ways that I’ve never seen a politician at her level demonstrate. And I liked her message about the freedoms that all people should have and how the Internet stands for connection, not division.


But the more I think about her speech, the more I feel like the tide has turned and that, in its response so far, the U.S. is acknowledging that China is the world’s new superpower. Clinton’s speech may have asked the Chinese for a thorough review of the cyberattacks, but it didn’t put China on warning. Instead, she basically asked American businesses and media outfits to take on that role (which, in essence, is what Google is doing). Yes, the U.S. government will pitch in. She talked about how the U.S. government is backing the development of technologies that help those who might be censored (dissidents, human rights activists, etc.) to circumvent those controls.

But, in an act of wimpy eggshell walking, the U.S. government has not responded as though this were an act of war. No warnings. No stiff words from President Obama to Chinese Prime Minister Wen Jiabao (at least none that we know of). No counter-declarations of war.

Instead, it’s China warning the U.S.

How can someone looking from the outside in not conclude that the tipping point has officially arrived? The U.S. needs China more than China needs the U.S. We need China to support our growing national debt (or otherwise put, our indebtedness to wealthy Chinese households). We need the Chinese to manufacture so much of what we consume. American companies are depending on the growth of the Chinese economy for their own growth because there’s nothing domestically to depend on for that. We need China to keep North Korea from blowing the planet up.

The last thing the U.S. needed was China declaring war on it, which in my opinion, is what it has done. The U.S. government is just too chicken to admit it. Why? Because its inability to respond in kind speaks to a new balance of world power that’s simply too frightening for the American people to consider.

Jan. 22, 2010

China Defends Great Firewall
By Paul McDougall, InformationWeek

Chinese officials took a swing at U.S. allegations that the People’s Republic launched or sanctioned organized cyberattacks against foreign business and political rivals. Chinese Foreign Ministry spokesman Ma Zhaoxu called remarks by U.S. Secretary of State Hillary Clinton “harmful to Sino-American relations.”


Clinton called on the Chinese to conduct a “thorough investigation of the cyberintrusions”

that hit Google and other Western companies in recent weeks that are believed to have

emanated from China.

“We also look for that investigation and its results to be transparent,” Clinton said, during a

speech in which Clinton called on world governments to establish policies toward a more open

Internet.

But Zhaoxu said Clinton’s singling out of China was inappropriate and misguided, and consti-

tuted an inappropriate meddling in Chinese affairs. “The Chinese Internet is open,” Zhaoxu

said in a statement posted on the Foreign Ministry’s Web site.

The tit-for-tat between senior American and Chinese diplomats is the latest salvo in a growing

conflict between the two countries over Internet freedoms.

China routinely blocks content that it deems subversive to the Communist regime and has

hacked e-mail accounts of dissidents and even foreign visitors and journalists.

U.S. officials, for their part, have urged China to scale back its Internet censorship while American

tech vendors, including Google, have sought to use their economic clout to persuade China to

respect international norms concerning privacy and the protection of intellectual property

Jan. 21, 2010

Google/China Reality Check Amid The Fog Of Cyberwar

By Gadi Evron, DarkReading

There's no clear evidence against China, so we all need to step back and take a deep breath.

We've all heard about the Chinese attacks against Google by now. We've heard of Google's moral standing, how corporations now impact international relations, and how censorship is bad and freedom is good. However, some important questions lost in the fog of war need to be asked.

Nobody knows for sure it was China that attacked Google and the other affected corporations, and if someone does, he or she is not saying so publicly. In fact, Google CEO Eric Schmidt told Newsweek that he has no clear evidence, but invites us to draw our own conclusions.

The evidence against China would be thrown out of any court of law, and just because we have grown comfortable blaming China for attacks does not mean they are behind them.

The Chinese network is a hotbed of criminal activity used by criminals around the world to launch Internet attacks, which reduces the possibility of blaming any single attack coming from it as state-sponsored. However, it also raises the question of why such activity has been allowed to go on for so long.

Many networks around the world, including some inside the U.S., are just as abused by criminals. These have been shown to be used against nation-states in past attacks, such as with Estonia -- which I had the honor of writing the post-mortem analysis for -- and in Georgia last year.

Looking at the current incident, Google is a trustworthy and capable corporation. However, when making accusations one needs to provide proof. And "it feels like China" isn't good enough.

In the fog of war, with world news discussing the diplomatic implications for the U.S., Google's business and China's censorship, and applauding Google's moral stance, some important questions are left unanswered.

For some time now, cybercriminals have been winning the "war." Security professionals can write analyses of attacks, as well as mitigate specific attacks. But in nearly all instances we haven't been able to impact criminal operations. For some years, one of my beliefs has been that we should take the offensive in the fight against cybercrime.

For reasons ranging from the criminals' willingness to play a scorched-earth game to legal and ethical limitations, we must be careful not to start a war the Internet can't win. This means we can't use the criminals' weapons against them.

While reporting is vague, Google has supposedly broken into a server in Taiwan (unless information that it worked through Taiwanese authorities, or that someone else did this for Google, becomes available). If this happened, then Google broke the law in order to defend itself from criminal activity. This should be legal, but it isn't. Google needs to disclose exactly what it has done. Ethics change, and morally I believe it is in the right. Our ethics just need to catch up.

Another question many of us should ask is about Microsoft and the Internet Explorer Web browser. It has been disclosed that a previously unknown software vulnerability (0day) in Internet Explorer was what attackers used. Exploit code enabling any criminal to make use of the vulnerability has been made public, and in the past such events were followed by further exploitation. But Microsoft initially planned to patch this vulnerability in February. Only when Germany and France issued warnings to users not to use Internet Explorer, and ZERT considered releasing a third-party patch, did Microsoft say it would release an early patch.

While creating software updates is very complicated, and Microsoft is usually a responsible organization, not patching this type of vulnerability for a whole month as the default response is irresponsible and unethical. We should all call on Microsoft to act responsibly, and write our representatives and the press about it.

Microsoft should be commended for issuing an early patch; after all, it was far from easy. However, until such time as Microsoft announces a new policy on patching software vulnerabilities, it's in my opinion unsafe to continue using Internet Explorer for surfing the Web, so switch to one of the many alternatives, such as Mozilla's Firefox browser.

This targeted attack, while impressive, is no new threat. Security risk assessment should already include corporate espionage. An example of a targeted attack is the GhostNet incident, exposed last year by Canadian researchers, demonstrating in detail how such attacks work. As another, the public disclosure of German intelligence cyberespionage operations showed that, indeed, everyone does it.

I call upon my fellow security professionals worldwide to refrain from creating fear when speaking of this incident. Computers are just the most recent weapon to be used for old motives -- espionage. Unlike cybercrime and cyberwar, it is well-recognized in law and in diplomacy, and it is not the security experts who should be called on for answers.

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

Jan. 21, 2010

New Details On Targeted Attacks On Google Trickle Out

By Kelly Jackson Higgins, DarkReading

New details about the targeted attacks against Google and other U.S. companies that resulted in the theft of source code and other intellectual property emerged today, while Microsoft released an emergency patch for a flaw in Internet Explorer that was exploited in those attacks.

Chenxi Wang, principal analyst for security and risk management at Forrester Research, says Google last week instituted an emergency update to its corporate VPN, raising questions about whether the network was in some way compromised in the attacks. But, she says, Google disputed her initial analysis that the attackers gained access to Google's server via its corporate VPN.

"This is the first we've heard about the VPN involvement at Google. I'm not sure this definitely qualifies as a VPN breach because we don't know what the attacker did to the VPN system -- it's possible that the attacker used the user credentials to log in through the VPN without doing anything illegal to the VPN. Or it is possible that the attacker did attack the VPN system. But Google won't say one way or another," Wang says.

A Google spokesperson declined to comment on Wang's findings.

What has been made public about the attack on Google and others is that the attackers employed social engineering via phishing emails with infected links to lure their victims. The links led to an exploit attacking Internet Explorer 6 that dropped a Trojan onto the victim's machine and then allowed the attacker to take control of it. The exploit abuses a zero-day vulnerability that is present in all versions of Internet Explorer, but so far it has mostly been used against IE 6 machines in the wild now that the exploit code has been released publicly.

A malware researcher, meanwhile, has traced the code used in the exploit to Chinese-language authors. While reverse-engineering a sample of the malware used in the attacks, Joe Stewart, director of malware research at SecureWorks, discovered that some modules in the code have timestamps dating back to May 2006, so the so-called Aurora malware -- a.k.a. the Hydraq Trojan -- was in the works for some time, he says. He says he also found evidence that the code has Chinese origins: it uses a unique implementation of the cyclic redundancy check (CRC) algorithm that is associated with Chinese-language Websites.

Most of the details that have emerged about how the attackers gained access to Google's network and intellectual property have focused mainly on the IE exploit, but security experts say several other exploits were involved in the widespread targeted attacks.

Forrester's Wang, meanwhile, says she believes the "emergency update" to Google's VPN infrastructure was somehow a result of the attack. Wang first raised the possibility that Google's VPN was used to access its server in the attack in a blog post today -- which she has since updated twice after Google first confirmed and then disputed it.

Whether the VPN update was a precautionary measure by Google or purely coincidental is unclear as well.

Still baffling to experts is why a Google user or users would be running the older and less secure version 6 of Microsoft's browser. Security experts have suggested that either some non-technical Google employees just hadn't bothered to upgrade their browsers, or that the attack could have targeted a Google employee working from a home machine running IE 6.

Wang says Google told her it was possible someone was running IE 6 internally for "testing purposes." That didn't add up for Wang, however: "I can buy that you might be running an older version of a browser for testing purposes (for backward compatibility), but why wasn't the testing environment isolated from production and from access to critical assets? Isn't that one of the first things you do in setting up a test environment?" she wrote in her blog post.

Whatever the reason for the old IE 6 browser, Wang says Google's breach should serve as a cautionary tale for other enterprises. "IT should make sure everyone is running the latest browsers with the latest patches and latest OS -- everything -- and [a] test environment should be entirely separate from the production environment," she says.
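The inventory Wang calls for starts with knowing which clients are still running IE 6 (or IE 7, which also leaves DEP off by default). The following C program is added here as an illustration and is not part of the original article or of any vendor's tooling: it scans web-proxy log lines in the common "combined" format, pulls the browser's own "MSIE <major>" token out of the User-Agent field, and counts clients below a version threshold. The sample log lines are constructed for the example, and the function names are assumptions of this example rather than anything the article names.

```c
/* Added example (not part of the original article): find outdated Internet
 * Explorer clients in proxy/web-server logs. Log format, sample lines and
 * function names are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the IE major version from a User-Agent string, or 0 if it is not IE.
 * IE through version 10 identifies itself as "MSIE <major>.<minor>"; IE 11
 * dropped that token, but IE 11 is out of scope for a 2010-era inventory. */
int ie_major_version(const char *ua)
{
    const char *p = strstr(ua, "MSIE ");
    if (p == NULL)
        return 0;
    return (int)strtol(p + 5, NULL, 10);
}

/* Windows XP reports itself as "Windows NT 5.1" in the User-Agent string. */
int is_windows_xp(const char *ua)
{
    return strstr(ua, "Windows NT 5.1") != NULL;
}

/* Flag a client that should be remediated: IE present and older than
 * min_major. IE 6 is what Aurora targeted; IE 6 and IE 7 do not enable DEP
 * by default, IE 8 does. */
int is_outdated_ie(const char *ua, int min_major)
{
    int major = ie_major_version(ua);
    return major > 0 && major < min_major;
}

/* Walk a newline-separated log and count lines whose User-Agent is outdated
 * IE. The User-Agent is taken to be the last double-quoted field on the
 * line, as in the Apache/Squid "combined" format. Returns -1 on allocation
 * failure; prints each flagged client when verbose is non-zero. */
int count_outdated_ie(const char *log, int min_major, int verbose)
{
    int flagged = 0;
    size_t len = strlen(log);
    char *copy = malloc(len + 1);        /* strtok modifies its input */
    if (copy == NULL)
        return -1;
    memcpy(copy, log, len + 1);

    for (char *line = strtok(copy, "\n"); line; line = strtok(NULL, "\n")) {
        char *end = strrchr(line, '"');   /* closing quote of the UA field */
        if (end == NULL) continue;
        *end = '\0';
        char *ua = strrchr(line, '"');    /* opening quote of the UA field */
        if (ua == NULL) continue;
        ua++;
        if (is_outdated_ie(ua, min_major)) {
            flagged++;
            if (verbose)
                printf("OUTDATED IE %d%s: %s\n", ie_major_version(ua),
                       is_windows_xp(ua) ? " on Windows XP" : "", ua);
        }
    }
    free(copy);
    return flagged;
}

/* Constructed sample log lines (combined format), not from any real system. */
const char *SAMPLE_LOG =
    "10.1.2.3 - - [14/Jan/2010:09:12:01 -0800] \"GET /index.html HTTP/1.1\" 200 512 \"-\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\"\n"
    "10.1.2.4 - - [14/Jan/2010:09:12:05 -0800] \"GET /news HTTP/1.1\" 200 2048 \"-\" \"Mozilla/5.0 (Windows; U; Windows NT 6.1) Gecko/20100101 Firefox/3.6\"\n"
    "10.1.2.5 - - [14/Jan/2010:09:12:09 -0800] \"GET /mail HTTP/1.1\" 302 0 \"-\" \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\"\n"
    "10.1.2.6 - - [14/Jan/2010:09:12:11 -0800] \"GET /mail HTTP/1.1\" 200 1024 \"-\" \"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\"\n";

int main(void)
{
    int n = count_outdated_ie(SAMPLE_LOG, 8, 1);
    printf("%d outdated IE client(s) found\n", n);
    return 0;
}
```

Run against a real proxy log, the flagged User-Agent strings give the list of machines to upgrade or isolate; with the threshold at 8 the two IE 6 and IE 7 clients in the sample are reported and the IE 8 and Firefox clients are not.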

Al Huger, vice president of engineering at Immunet, says the attack on Google raises legitimate worries for other companies. "People I've spoken to say if Google, with arguably the brightest security guys in the industry, can get broken into in the heartland of Silicon Valley and have source code stolen, how secure is anybody else?"

Jan. 20, 2010

Direction Of Fallout?

By Thomas Claburn, InformationWeek

Google's decision to challenge China's censorship policy is seen by a number of China experts as a no-win situation.

As Miguel Helft puts it in a recent New York Times article, "The company's public repudiation of censorship in China has put the authorities there in a position where a forceful rebuke of Google may be all but inevitable."

The impact on Google's other business interests in China is already evident: Google delayed the launch of two Android phones by China Unicom until its prospects in the country become clearer.

But Columbia Law School professor Tim Wu argues that Google's rejection of censorship may harm China more than Google in the long run.

In a recent panel discussion about the Google-China conflict at the New America Foundation, Wu said that blocking Google could jeopardize China's standing in the World Trade Organization and hinder the development of China's information sector.

Wu hedged his comments by observing that "we are seeing the world moving away from the global Internet to a series of national networks."

That's always a possibility, but turning inward hasn't served China well in the past.

The question now before Washington, and hopefully one that Secretary of State Hillary Clinton will address in her speech about Internet freedom, is the extent to which we will link physical trade with electronic trade.

If China won't open its market to information, Western democracies ought to respond in kind by closing their markets to Chinese goods.

But fair and open trade would be a better option for everyone.

Jan. 16, 2010

China And Google: The Real Story?

By Dave Methvin, InformationWeek

The recent announcement by Google that the company is likely to pull out of China due to a recent hacking incident was quite a shocker. Google didn't announce it was definitely leaving, but that it would only stay if it could offer a service uncensored by the Chinese government. That sounds like a swan song to me.

I applaud Google for having the guts both to talk about the hacking incident and to declare that the company won't compromise its principles any longer. It seems that only Google wanted to bring up the subject, even though more than 20 technology companies were targeted in the attack. Up to this point, all tech companies seemed to have a stay-in-China-at-all-costs policy. It's easy to see why they'd do this: China hasn't been much of a market for them so far, but it seems suicidal to ignore the country when it presents such a growth opportunity. Perhaps these past few weeks have convinced Google that as long as the current regime is in place, there's no hope for a pot of gold at the end of the Chinese rainbow.

Yet to me, the big story here isn't that one company (admittedly an important technology leader) appears to be headed out of China. It's that China has a well-developed hacker network targeting high-technology companies doing business both inside and outside the country. Despite all the bowing and scraping those companies were doing to the Chinese government to stay in the country, it wasn't enough. China clearly won't be happy unless it turns those companies into fully cooperative branches of the government.

Let's not forget why China wants this information. China wants to wipe out any dissenting political thought or word. The technology that we all enjoy is unfortunately making that easier. Whether it's through overt cooperation or covert espionage, the infrastructure of the Internet is giving China's government the opportunity to exercise even more control over its people.

Clearly, any company that wants to do business in a country needs to comply with that country's laws. China was seen as such a prize that many U.S.-based companies were willing to overlook the oppressive Chinese government and hide behind the oak leaf that they were merely following the laws. Now they know the government feels it need not do the same.

Jan. 16, 2010

Google Hack Code Released And Metasploit Exploit Now Available

By Kelly Jackson Higgins, DarkReading

Internet Explorer exploit code used in the so-called Aurora attacks out of China against Google and other companies has been posted online -- and now the popular Metasploit hacking tool has released a working exploit of the attack, as well.

The malware, which exploited a zero-day vulnerability in Internet Explorer in targeted attacks against Google and other companies' networks, was used to go after IE 6 browsers in the massive attacks, which ultimately resulted in the theft of intellectual property from Google and other as-yet unnamed organizations. Adobe and Rackspace are among the companies so far that say they were hit by the attacks, which were allegedly conducted by hackers in China.

With the IE exploit in the wild now, it could be used by other cybercriminals to go after other organizations or users. And while Metasploit's new exploit is meant for researchers and penetration testers to gauge their vulnerability to the attack, Metasploit is still an open-source tool that can be deployed for nefarious purposes.

"The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," George Kurtz, McAfee's CTO, blogged late yesterday. "This attack is especially deadly on older systems that are running XP and Internet Explorer 6."

The IE flaw discovery has prompted the German government to recommend that its citizens no longer use IE and instead run an alternative browser until Microsoft comes up with a patch, according to a post on Heise Security.

Researchers working on investigating the attacks say the IE malware was just one weapon used in the attacks.

In a related development, iDefense has retracted its claims that infected PDF files were used in the attacks on Google and others.

"In iDefense's press announcement regarding the recently discovered Silicon Valley compromises, we stated that the attack vector was likely 'malicious PDF file attachments delivered via email' and suggested that vulnerability in Adobe Reader appeared to have been exploited in these attacks. Upon further review, we are retracting our initial assessment regarding the likely use of Adobe vulnerabilities. There are currently no confirmed instances of vulnerability in Adobe technologies being used in these attacks. We continue to investigate this issue," iDefense said in a statement.

iDefense's statement and revelations by McAfee about its findings led other researchers to back down from their claims of infected PDFs, as well.

Meanwhile, Microsoft provided more details on the actual vulnerability. It's a memory-corruption flaw that is triggered from JavaScript, with the attacker first using script to place attack code in memory so that the corrupted pointer lands on it.

Users of IE 6 on Windows XP should upgrade to a newer version of IE or enable Data Execution Prevention (DEP), according to Microsoft. All versions of IE crash when the attack code is opened, but you can limit the attack to just crashing the browser by disabling JavaScript, which keeps the attacker from placing code in the "freed memory" the flaw touches, Microsoft suggests. DEP stops code from executing from pages of memory that aren't designated as executable, thus stopping the malware.

Daniel Kennedy, a partner with the Praetorian Security Group, says the attack opens a backdoor into the victim's PC, which gives the attacker carte blanche to do whatever the user can do. "Once the backdoor is open to the user's PC the attacker can use it as a pivot point for other attacks against the internal network, escalate his or her privileges, take information off the PC, basically do anything the user can do," Kennedy said in a blog post.

He also posted a video simulating the attack, using the new Metasploit exploit module.

Meanwhile, the U.S. State Department reportedly may take more formal measures against China over the alleged attacks. State Department officials want answers from China, but thus far have been unsuccessful in getting them in their initial meetings with Chinese officials.

Jan. 15, 2010

Other Targets In Google Cyberattack Surface

By Thomas Claburn, InformationWeek

The names of other companies targeted in the cyberattack disclosed by Google earlier this week have started to emerge.

Google reportedly asked the other 33 companies targeted in the attack to come forward.

A Google spokesperson said the company provided technical information and that was the extent of its communication to other affected organizations.

Adobe was the first company after Google to acknowledge that it had been targeted. It reported recently that it had learned about "a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies" at the beginning of the month.

According to an Adobe spokesperson, Adobe decided to come forward on its own.

Web hosting provider Rackspace followed suit in a blog post.

Symantec and Juniper Networks have acknowledged being targeted.

Dow Chemical and Northrop Grumman were also among the targets, according to The Washington Post. Other reports say Yahoo! was attacked as well.

A spokesperson for Northrop Grumman declined to comment. Dow Chemical and Yahoo! did not respond to requests for comment.

Microsoft recently acknowledged that the cyberattack leveraged an Internet Explorer vulnerability and issued a security advisory. It condemned the attacks and noted that its network and online properties appear not to have been affected.

"At this time, we have no indication that Microsoft's corporate network or our mail properties were [hit] as part of these attacks," said Mike Reavey, director of Microsoft Security Response, in an online post.

A report in the English-language China Daily noted that Microsoft and HP failed to back Google's move. It includes a quote from Microsoft CEO Steve Ballmer referring to the incident as "the Google problem."

Following Microsoft's announcement, VeriSign iDefense retracted its claim that the likely attack vector was "malicious PDF file attachments delivered via e-mail."

The U.S. government has formally asked Chinese diplomatic officials for an explanation of the incident.

"We have had a discussion here in Washington with officials from the Embassy, where we raised the issue," said State Department spokesman P.J. Crowley at a recent press briefing. "As the Secretary said, it is a serious issue. The incident raises questions about both Internet freedom and the security of the Internet in China. And we've asked them for an explanation."

China's Foreign Ministry spokesperson Jiang Yu said in a briefing that "China's Internet is open," and that the country "welcomes international Internet corporations to do business in China in line with law."

Asked about reports that U.S. Secretary of State Hillary Clinton said she would seek an explanation, Jiang responded, "if the U.S. contacts us, we will reiterate our position on this issue."

Jan. 14, 2010

Attackers Employed IE Zero-Day Against Google, Others

By Kelly Jackson Higgins, DarkReading

Attackers used a zero-day vulnerability in Internet Explorer in their targeted attacks against Google and other companies' networks -- and Microsoft has responded with an advisory that helps mitigate attacks that exploit this previously unknown flaw.

Microsoft says the flaw in IE, which allows for remote code execution attacks on a victim's machine, was one of the attack vectors used in the wave of attacks, and, so far, it's only being used against IE 6 browsers. The attack occurs when a user visits a malicious or infected Website by clicking on a link within an email or instant message, and it also could be delivered via banner ads, according to Microsoft.

The affected versions of the browser are IE 6 Service Pack 1 running on Microsoft Windows 2000 Service Pack 4, and IE 6, IE 7 and IE 8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

"Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update, and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band," blogged Mike Reavey, director of the Microsoft Security Response Center.

For now, Microsoft recommends enabling the Data Execution Prevention (DEP) feature in IE, and setting the Internet security zone to "high," as ways to protect against this attack. DEP, which is on by default in IE 8, has to be enabled manually in earlier versions of the browser. A patch could be in the works as well, according to Microsoft.

And the wave of attacks out of China now has a name, too, courtesy of McAfee: Aurora. McAfee researchers, who say they discovered the IE zero-day flaw, believe Aurora was the internal name the attackers gave the operation -- it comes from the name they used for the directory in which their source code resided.

Dan Kaminsky, director of penetration testing for IOActive, who spoke with people familiar with the IE malware sample that was found, says that exploit works only on IE 6 on XP, but it could be written to work "reasonably" on IE 7 and IE 8 on XP. The flaw itself is a so-called dangling pointer bug, which is typically stopped by the DEP feature in IE, he says. "However, there are known ways around DEP on XP," he says.
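Kaminsky's "dangling pointer bug" and the Microsoft workaround details in the Jan. 16 item above (a memory-corruption flaw triggered from JavaScript after the attacker has placed code in memory, with DEP as the mitigation) describe one mechanism. The C program below is added here as an illustration of that bug class; it is not code from any of the articles, from Microsoft or from McAfee, and it does not reproduce the IE flaw. A toy slab allocator makes the slot reuse deterministic so the sequence can be followed step by step; the allocator, the object layout, the "script reference" and the handler names are all assumptions of this example. A real browser heap behaves the same way in principle, not byte for byte.

```c
/* Added example (not from the articles, Microsoft or McAfee): a deterministic
 * model of a dangling-pointer (use-after-free) bug, the attacker's heap
 * grooming step, and the ownership fix. Allocator, layout and names are
 * assumptions made for this example. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define SLOTS     4
#define SLOT_SIZE 32

/* Toy slab allocator: fixed-size, suitably aligned slots; the lowest free
 * slot is handed out first, and freeing does not wipe the slot's contents
 * (just like a real free()). */
typedef union {
    unsigned char bytes[SLOT_SIZE];
    void *align_ptr;
    long long align_ll;
} slot_t;
static slot_t pool[SLOTS];
static int    slot_in_use[SLOTS];

static void toy_reset(void) { memset(slot_in_use, 0, sizeof slot_in_use); }

static void *toy_alloc(size_t n)
{
    if (n > SLOT_SIZE) return NULL;
    for (int i = 0; i < SLOTS; i++)
        if (!slot_in_use[i]) { slot_in_use[i] = 1; return &pool[i]; }
    return NULL;
}

static void toy_free(void *p)
{
    for (int i = 0; i < SLOTS; i++)
        if (p == (void *)&pool[i]) slot_in_use[i] = 0;
}

/* A DOM-element-like object whose first field is a code pointer (standing in
 * for a vtable entry). The browser calls through it when an event fires. */
typedef struct {
    void (*on_event)(int *sink);
    int id;
} element_t;

static void benign_handler(int *sink)   { *sink = 1; }
/* Stands in for the attacker's payload. DEP is what blocks a real payload
 * that lives in a non-executable data page, which is why the advisory
 * recommends enabling it; the control-flow hijack itself is shown here. */
static void attacker_handler(int *sink) { *sink = 0x41414141; }

/* The script engine's reference to the element: a second holder of the pointer. */
static element_t *script_ref;

static element_t *create_element(void)
{
    element_t *e = toy_alloc(sizeof *e);
    e->on_event = benign_handler;
    e->id = 1;
    script_ref = e;                        /* script now also holds the pointer */
    return e;
}

/* Buggy destructor: frees the object but leaves script_ref dangling. */
static void destroy_element_buggy(element_t *e) { toy_free(e); }

/* Fixed destructor: invalidates the other holder's reference before freeing.
 * This is the ownership bookkeeping (or reference counting) that a
 * dangling-pointer fix adds. */
static void destroy_element_fixed(element_t *e)
{
    if (script_ref == e) script_ref = NULL;
    toy_free(e);
}

/* Attacker step: allocate an object of the same size so it lands in the freed
 * slot and overwrite the code pointer a stale reference still targets. This
 * is the role the exploit's JavaScript plays before triggering the bug. */
static void attacker_groom_heap(void)
{
    element_t *g = toy_alloc(sizeof *g);
    g->on_event = attacker_handler;
    g->id = 0x4141;
}

/* Script later fires an event on the element it still references. */
static int fire_event_from_script(void)
{
    int sink = 0;
    if (script_ref != NULL)
        script_ref->on_event(&sink);       /* the call through the (maybe stale) pointer */
    return sink;
}

/* Full sequence with the buggy destructor: returns 0x41414141 (attacker code ran). */
int run_vulnerable(void)
{
    toy_reset();
    element_t *e = create_element();
    destroy_element_buggy(e);
    attacker_groom_heap();
    return fire_event_from_script();
}

/* Same sequence with the fixed destructor: returns 0 (stale call never made). */
int run_fixed(void)
{
    toy_reset();
    element_t *e = create_element();
    destroy_element_fixed(e);
    attacker_groom_heap();
    return fire_event_from_script();
}

int main(void)
{
    printf("buggy destructor: handler result 0x%08x\n", (unsigned)run_vulnerable());
    printf("fixed destructor: handler result 0x%08x\n", (unsigned)run_fixed());
    return 0;
}
```

The order of operations is the point: the object dies, the attacker's same-sized allocation takes its slot and rewrites the code pointer, and only then does the stale reference get used. Disabling script removes the grooming step and leaves a crash, DEP stops a payload that sits in data pages, and the real fix is the destructor that clears every reference to the object before freeing it.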

McAfee -- which says it was not one of the victims of the attacks -- says it discovered the IE

zero day while helping several victim companies in the wake of the attacks. Dmitri Alperovitch,

vice president of threat research at McAfee, says the attack using the IE flaw was what allowed

intruders to take over victims’ machines and then access their company networks and

A n a l y t i c s . I n f o r m a t i o n W e e k . c o m

Page 25: Google s China Affair 7892258

7/27/2019 Google s China Affair 7892258

http://slidepdf.com/reader/full/google-s-china-affair-7892258 25/28

25 Jan. 29, 2010 © 2010 InformationWeek, Reproduction Prohibited

G o o g l e ’ s C h i n a A f f a i r

A n a l y t i c s A l e r t

resources. “All the user had to do was click on the link and the malware was automatically

downloaded onto their machine, and it proceeded to update itself,” Alperovitch says. “One of 

the modules was a remote-control capability that allowed them to take over the machine. From

that point forward, they had access to the [victim’s] network and could do reconnaissance and

exfiltrate any data they encountered, and go after key resources.”

 Alperovitch says so far this exploit has been consistent as the initial exploitation method it has

seen in the victim environments.

Experts and sources close to the investigations have said the Chinese attackers used infected

PDF attachments, as well as Excel and other types of files, to lure the victims and infect them. And Microsoft’s Reavey noted in his blog that IE was “one of several attack mechanisms” used

in the attacks.

But Alperovitch says McAfee has seen no sign of any infected PDF files. “There has been no

evidence of any Adobe PDFs or other exploitation vectors. But that’s not to say there aren’t

any,” he says, noting McAfee hasn’t seen every victim’s environment.

Meanwhile, Brad Arkin, director of product security and privacy for Adobe, blogged today that

there’s no evidence Adobe Reader or other Adobe tools were used as attack vectors against

 Adobe, which, along with Google, revealed this week it was among the companies that hadbeen targeted by Chinese hackers.

“Similar to the McAfee researchers, we have not been able to obtain any evidence to indicate

that Adobe Reader or other Adobe technologies were used as the attack vector in this incident.

 As far as we are aware there are no publicly known vulnerabilities in the latest versions (9.3

and 8.2) of Adobe Reader and Acrobat that we shipped on January 12, 2010,” Arkin blogged

about the attack on Adobe.

Meanwhile, McAfee’s Alperovitch says the attacks were nothing like he had seen before in the

commercial space. “We’ve seen [sophisticated] attacks in government like this, but this is themost sophisticated one I’ve seen in the commercial space,” he says.

There were several layers of encryption surrounding the exploit and other malware, as well as obfuscation techniques to avert discovery. “There was a lot of effort put into this. It underscores the threat we’re seeing in the government space, and they are coming to the commercial space” now, he says.

“Aurora is an eye-opener,” he says.

IOActive’s Kaminsky says the big news is not that there were new bugs in IE or Acrobat: “Bugs in IE and Acrobat happen,” he says. “The interesting thing is who’s doing the attacking and what people are doing about it.

“People aren’t surprised to see that there are potentially state-linked actors hacking into large companies. That’s been going on for a while. But we are surprised to see that an accusation is actually being made about it and with heft behind it,” he says. “There are consequences here in Google policy and action from the State Department, which is an unprecedented component.”

 Jan. 14, 2010

More Victims Of Chinese Hacking Attacks Come Forward

By Kelly Jackson Higgins, DarkReading

The names of the other 20-plus companies and organizations hit by the recent wave of attacks out of China are gradually trickling out, though most companies remain tight-lipped about whether they were hit. Among the victims coming forward are a law firm that filed suit against the Chinese government over its censorship software and Web hosting firm Rackspace.

Aside from Google and Adobe, which have said that they were hit by the attacks, published reports have named Dow Chemical, Northrop Grumman, Symantec, and Yahoo as also being attacked. And U.S.-based news site VerticalNews China says it was hit with a distributed denial-of-service (DDoS) attack that originated from China.

A Northrop Grumman spokesman says the company does not comment on specific attacks, and Symantec neither confirmed nor denied it was hit. “Northrop Grumman, like most industries and government organizations, is at risk of cyberattacks ranging from the most complex to the simple hacker,” the spokesman said in a statement. “Northrop Grumman has in place an extremely robust, leading-edge network defense system to mitigate attacks, secure our data, and help protect our business against disruption. As a principal member of the Defense Industrial Base, we share our knowledge of attacks with colleagues to increase awareness and prevent the spread of malicious activity.”

Symantec, meanwhile, said: “As the world’s largest security provider, we are the target of cyberattacks on a regular basis. As we do with all threats, we are thoroughly investigating this one to ensure we are providing appropriate protection to our customers.”

Rackspace, which hosts tens of thousands of different Websites for its clients, says one of its servers was hacked. “A server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyberattack, fully cooperating with all affected parties,” the company said in a posting on its Website. “No customer data at Rackspace was compromised or altered [in the attack].”

Meanwhile, a small law firm that represents U.S.-based CyberSitter, the software developer that filed a $2.2 billion software piracy suit last week against the People’s Republic of China and seven computer manufacturers, was also targeted. Gipson Hoffman & Pancione was hit Monday evening in what could be retaliation for filing what it calls an historic intellectual property suit against China on behalf of CyberSitter. CyberSitter alleges that China’s Green Dam developers illegally copied more than 3,000 lines of code from CyberSitter’s own Internet content-filtering software, and that it worked with the Chinese government and other computer makers to distribute more than 56 million copies of that software across China and elsewhere.

Elliot Gipson, an attorney with the Los Angeles-based firm, says it’s impossible to know for sure whether these are the same attacks Google unearthed, but that the attack on the firm employed a similar spear-phishing technique. “Members of the firm got emails from what looked as if they were from other members of the firm, asking them to click on an attachment or a link,” Gipson says. Now the FBI is investigating, he says.

The firm had already put its employees on high alert in the wake of the lawsuit it filed against China last week. “We had warned our employees to be on guard for suspicious email,” Gipson says. He says it appears that no one fell for the spear-phishing attack because there’s no sign that anyone clicked on any of the links.


Gipson says some of the messages contained pure links, while others came with attachments, but he doesn’t think any of them were PDF documents.
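The lure Gipson describes, a message wearing a colleague’s name but arriving from an outside address and carrying a link or an attachment, is the kind of thing a mail gateway can screen for before it reaches a mailbox. The script below is an added example, not code from InformationWeek, DarkReading or any firm quoted in this article; the firm’s domain, its staff directory and the two sample messages are constructed for illustration, and the checks (display-name impersonation, Reply-To and envelope-sender mismatch, attachments, links to outside hosts) are assumptions about what a reasonable first-pass filter would look at.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: the firm's mail domain and its staff directory.
INTERNAL_DOMAIN = "example-firm.test"
STAFF = {
    "alice example": "alice@example-firm.test",
    "bob example": "bob@example-firm.test",
}

LINK_RE = re.compile(r"https?://[^\s<>]+")


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_internal_host(host: str) -> bool:
    host = (host or "").lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def analyze_message(raw: str) -> dict:
    """Flag lure messages that borrow a colleague's name but do not originate in-house."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    findings = []

    # Identity check: a known employee's display name on an address that is not theirs.
    key = display.strip().lower()
    if key in STAFF and addr.lower() != STAFF[key]:
        findings.append("display_name_impersonation")
    # Reply-To or envelope sender pointing at a different domain than the From address.
    for header, label in (("Reply-To", "reply_to_mismatch"), ("Return-Path", "envelope_mismatch")):
        value = msg.get(header)
        if value:
            _, other = parseaddr(str(value))
            if _domain(other) and _domain(other) != from_domain:
                findings.append(label)

    # Lure checks: any attachment, or a link whose host is outside the firm.
    if any(True for _ in msg.iter_attachments()):
        findings.append("attachment")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    external = [u for u in LINK_RE.findall(text) if not _is_internal_host(urlparse(u).hostname)]
    if external:
        findings.append("external_link")

    # A sender-identity problem combined with a lure is what we escalate.
    identity = {"display_name_impersonation", "reply_to_mismatch", "envelope_mismatch"}
    lure = {"attachment", "external_link"}
    found = set(findings)
    verdict = "suspicious" if (identity & found) and (lure & found) else "ok"
    return {"from": addr, "findings": findings, "external_links": external, "verdict": verdict}


def build_sample(from_hdr, body, reply_to=None, return_path=None, attachment=None) -> str:
    """Assemble a constructed RFC 5322 message to feed the checks above."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "bob@example-firm.test"
    m["Subject"] = "Please review before the hearing"
    if reply_to:
        m["Reply-To"] = reply_to
    if return_path:
        m["Return-Path"] = return_path
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="pdf", filename=name)
    return m.as_string()


# Constructed samples: a lure that borrows a partner's name, and a genuine internal note.
SPOOFED = build_sample(
    "Alice Example <alice.example@mail-example.test>",
    "Bob, the brief is attached and also at https://docs-example.test/review\n",
    reply_to="Alice Example <alice.example@mail-example.test>",
    return_path="<bounce@bulk-sender.test>",
    attachment=("brief.pdf", b"%PDF-1.4 placeholder bytes (constructed)"),
)
LEGIT = build_sample(
    "Alice Example <alice@example-firm.test>",
    "Bob, the draft is on the intranet: https://intranet.example-firm.test/drafts/12\n",
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyze_message(raw))
```

The filter deliberately escalates only when an identity anomaly coincides with a lure: a lone external link from a real colleague is normal traffic, and a lone display-name collision can be a contractor’s personal account. Either signal on its own is still worth logging, which is why the findings list is returned alongside the verdict.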

VerticalNews China, a U.S.-based news site operated by the NewsRX publishing firm that covers news from China, was hit by a DDoS attack yesterday. “I do know that the large-scale attack originated in China, and now that we know it can happen, we’ve taken steps to hopefully prevent future disruptions,” said Susan Hasty, publisher at NewsRx, the parent company of VerticalNews, in a statement. “We have every intention to continue coverage of vital news about China.”
