With more details emerging on the inner workings of the targeted malware attack that hit Google and over 30 other companies (ZDNet News Special Coverage – Special Report: Google, China showdown), it’s time to summarize all the events that took place during the past week, and answer some of the most frequently asked questions such as – How did the attack take place? Did Google strike back at the attackers? Was the Chinese government behind the attacks, and if not, who orchestrated them and for what reason? Go through the FAQ and their answers.
Q: Which companies were affected in the targeted malware attacks?
According to the initial post confirming the targeted malware attacks, Google stated that “at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted.” On the same day, actual details on who’s been targeted started to emerge, prompted by Google’s decision to go public with the incident in the first place, with Adobe being the first company to confirm the “corporate network security issue”, later on denying the initial allegations that the attacks took place through a zero day flaw in Adobe’s Reader. According to public reports, the number of affected companies increased to 34, including Yahoo, Symantec, Northrop Grumman and Dow Chemical. Of those, only Yahoo, Juniper Networks and Symantec provided details that they’re currently investigating possible security incidents, without actually confirming that their networks may have been successfully compromised in the attacks. A day after Google’s announcement of the incident, the law firm Gipson, Hoffman and Pancione, which represents CYBERsitter in a $2.2 billion lawsuit against China for pirating source code and using it in Green Dam, a content filtering / censorship program, reported that “it has suffered cyber attacks originating from China”.
Q: How did the attack take place?
Through a combination of spear-phishing (targeted attack) and a zero day flaw (CVE-2010-0249) affecting Microsoft’s Internet Explorer (see which versions and which platforms are affected). Microsoft is currently working on an emergency patch, given the fact that the exploit code used in the attack is now publicly available, with the governments of Germany and France urging users to stop using Internet Explorer. Not only did the targeted malware attack manage to bypass the malware/spam filters of the organizations (Phishing experiment sneaks through all anti-spam filters; New study details the dynamics of successful phishing), but it also managed to successfully exploit hosts within the working environment, which allowed the attackers to steal intellectual property from Google. Upon the successful exploitation of these hosts, the attackers relied on the Hydraq trojan in order to facilitate the theft of intellectual property (Trojan.Hydraq Exposed; Trojan.Hydraq – Part II) and to continue maintaining access to the affected hosts.
Q: Were the attacks indeed one of the “most sophisticated” ever seen as claimed by certain security vendors?
In order to say that something is the “most sophisticated”, you’d first have to compare it with a related incident/piece of malware. The Google incident is often cited as “ultra sophisticated” due to the quality of the malware code, and the successful “segmentation of the attack population”, or the practice of finding the names and emails of prospective victims to be targeted within a particular enterprise. However, no matter how sophisticated the code, compared to Conficker this incident is basically a targeted malware attack exploiting a zero day flaw that ultimately drops a piece of malware coded from scratch. Malware code sophistication shouldn’t be a criterion for a state-sponsored operation, due to the availability of “malware coding for hire” services allowing potential customers to have their own sophisticated piece of malware, coded by the very same malware authors whose creations fuel the growth of today’s crimeware epidemic.
Moreover, the concept of using zero days for targeted attacks is nothing new. A similar targeted attack relying on an MS Word zero day against U.S. Department of State computers took place in 2007.
So are there any key differentiating factors left? The question is how they managed to obtain the emails used in the targeted attacks against so many companies. And with no company offering additional insights on the nature of the campaign structure used, for instance whether the attackers were relying on an “event-based social engineering” tactic, we can only speculate on the ease or sophistication involved in tricking employees into clicking on the links. There are numerous ways in which the attackers could have obtained the emails, including internal ones which are not publicly available. One of these practices is called OSINT (open source intelligence) through botnets, a concept that’s been around since the first time botnets were perceived as a tool for conducting espionage.
With the ability to geolocate the physical location or network location of the entire botnet, a botnet master can easily filter the availability of infected hosts within a particular company’s netblock, country, or even city, and from there can data mine and engage in hit list building for future targeted malware attacks. In 2007, Support Intelligence’s “30 Days of Bots” experiment successfully located malware-infected hosts within the networks of Fortune 1000 companies, with these compromises making it possible to collect internal emails, map the network structure, etc.