More sources are now claiming the Chinese government is behind the recent cyberattacks against Google and 33 other Silicon Valley companies, reports security firm Verisign iDefense. The attacks, revealed yesterday via a posting on Google's official blog, were hacking attempts on the technology infrastructure of Google and other major corporations in sectors that included finance, technology, media and chemical, said Dave Girouard, president of Google Enterprise.
Although Google's politely-worded blog post doesn't come out and directly blame the Chinese government for these attacks, many have suspected that is the case, including, apparently, Secretary of State Hillary Clinton. Now even more sources are coming out to confirm the Chinese government's involvement. According to Verisign, their sources within the defense-contracting and intelligence-consulting communities also believe "agents of the Chinese state or proxies thereof" are to blame for these recent attacks.
About the Attacks
Google has stated that the attackers attempted to access the Gmail accounts of Chinese human rights activists, largely without success: only two Gmail accounts were accessed, and only account information and the email subject lines were seen, not the content of the emails themselves. The company also said that at least 20 other large companies were attacked as well. Now Verisign reports that number is 33.
In light of these attacks, Google boldly declared they are reconsidering their decision to do business in China - a surprising turn for the Internet giant who once claimed that operating in China didn't violate the company's motto, "Don't be evil," despite the fact that it required censoring search results according to the Chinese government's wishes. That controversial act, though hotly debated at the time, was not all that surprising. Many Western firms ultimately have to cave in to Chinese demands in order to gain access to the 300 million-plus Internet users the country holds. Google, for all their proclaimed high ideals, appeared to be no exception.
The company has changed its course, stating that they will no longer censor the search results for their Chinese portal google.cn, launched in 2006 with the lofty goal of providing reliable access to information, albeit filtered information, for millions of Chinese citizens. Google is leaving the next move up to the Chinese government. If officials do not accept Google's decision to provide unfiltered information, Google says they will have to withdraw from the country.
Policy Change Hints at Government Involvement in Attacks
So what has changed between then and now? The Chinese government hasn't altered their position on Internet censorship, nor have they asked Google to make any changes to the agreement already in place. Many immediately suspected that the sole reason for Google's decision has to do with the attacks themselves - attacks that hint at government involvement.
According to Verisign's sources, that does appear to be the case. The company says they've confirmed with two independent sources that both the source IPs and drop server (the server used to host malicious code and store the stolen files) of the attack correspond to a single foreign entity consisting of either agents of the Chinese state or those acting on their behalf.
Verisign also notes that these recent attacks resemble a similar July 2009 incident against 100 or so IT-focused companies. At that time, the hacks involved an emailed PDF file that exploited an unpatched Adobe Reader vulnerability, which allowed the attackers to deliver the malicious code. That vulnerability remained unpatched until just yesterday, notes Rick Howard, director of security intelligence for VeriSign iDefense.
While July's attacks were detected early and were largely uneventful, December's attacks did find some success. In addition, these same sources claim that the files in both cases share similar characteristics. For example, both attacks used a backdoor Trojan in the form of a Windows DLL, and both share two similar hosts for the command-and-control (C&C) communication. In layman's terms, if the cyberattack was a ground assault during a war, the C&C would be the general barking out the orders. Also in both incidents, the IP addresses used for C&C are in the same subnet and only six addresses apart from each other. That means both attacks are likely to have been instigated by the same entity and may imply that the recent victims' technology infrastructure has been compromised since July.
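The infrastructure-overlap reasoning above (shared C&C hosts, same subnet, addresses only a few apart) can be checked mechanically when comparing two incidents' indicator lists. The following is an added example, not code from the article or from iDefense; every IP address in it is a constructed placeholder from the RFC 5737 documentation ranges, and the `max_gap` threshold is an assumed tuning value.

```python
"""Compare the C&C indicators of two incidents for infrastructure overlap.

Added example. Exact host matches are strong links; nearby addresses in
one /24 are only a lead to pivot on, since shared hosting is common.
"""
import ipaddress
from itertools import product


def address_distance(a, b):
    """Absolute numeric distance between two IPv4 addresses."""
    return abs(int(ipaddress.ip_address(a)) - int(ipaddress.ip_address(b)))


def same_subnet(a, b, prefix=24):
    """True when both addresses fall in the same /prefix network."""
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return ipaddress.ip_address(b) in net_a


def infrastructure_overlap(incident_a, incident_b, prefix=24, max_gap=16):
    """Return exact matches, near pairs in one subnet, and the closest pair.

    near:    (addr_a, addr_b, distance) for distinct addresses in the same
             /prefix that are at most max_gap addresses apart (assumed cutoff)
    closest: the distinct same-subnet pair with the smallest distance
    """
    exact = sorted(set(incident_a) & set(incident_b))
    near, closest = [], None
    for a, b in product(incident_a, incident_b):
        if a == b or not same_subnet(a, b, prefix):
            continue
        d = address_distance(a, b)
        if d <= max_gap:
            near.append((a, b, d))
        if closest is None or d < closest[2]:
            closest = (a, b, d)
    return {"exact": exact, "near": sorted(near, key=lambda t: t[2]), "closest": closest}


# Constructed sample indicators (RFC 5737 ranges), mirroring the article's
# pattern: one shared host, plus addresses six apart in the same subnet.
JULY_CC = ["203.0.113.10", "203.0.113.16", "198.51.100.7"]
DEC_CC = ["203.0.113.10", "203.0.113.22", "192.0.2.44"]

if __name__ == "__main__":
    print(infrastructure_overlap(JULY_CC, DEC_CC))
```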
While none of these findings are a true smoking gun pointing to the Chinese government, it is believed that China encourages their hacker community to attack foreign entities while publicly denying any involvement in such attacks. That may be the case now. Or it could be that this time, the attacks are not just being state-permitted, they're being state-directed.
UPDATE: iDefense has now issued the following retraction:
"In iDefense's press announcement regarding the recently discovered Silicon Valley compromises, we stated that the attack vector was likely 'malicious PDF file attachments delivered via email' and suggested that a vulnerability in Adobe Reader appeared to have been exploited in these attacks. Upon further review, we are retracting our initial assessment regarding the likely use of Adobe vulnerabilities. There are currently no confirmed instances of a vulnerability in Adobe technologies being used in these attacks. We continue to investigate this issue."