Attacks/Breaches
1/15/2010
01:12 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property

Attackers used intelligence, custom malware to access Google, Adobe, and other U.S. companies' systems.

The wave of targeted attacks from China on Google, Adobe, and more than 20 other U.S. companies, which has led the search giant to consider closing its doors in China and no longer censor search results there, began with end users at the victim organizations getting duped by convincing spear-phishing messages with poisoned attachments.

Google and Adobe both revealed last night that they were hit by these attacks, which appear to be aimed mainly at stealing intellectual property, including source code from the victim companies, security experts say.

So far, the other victim companies have yet to come forward and say who they are, but some could go public later this week. Microsoft, for one, appears to be in the clear: "We have no indication that any of our mail properties have been compromised," a Microsoft spokesperson said in a statement issued today.

Google, meanwhile, first discovered in mid-December that it had been hit by a targeted attack out of China that resulted in the theft of some of its intellectual property. The attackers' primary goal was to access the Gmail accounts of Chinese human rights activists, according to Google: "Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves," said David Drummond, senior vice president of corporate development and chief legal officer at Google, in a blog post. Google discovered that at least 20 other large companies from the Internet, finance, technology, media, and chemical industries also had been hit by the attack, he said.

iDefense says the attacks were primarily going after source code from many of the victim firms, and that the attackers were working on behalf of or in the employment of officials for the Chinese government. "Two independent, anonymous iDefense sources in the defense contracting and intelligence consulting community confirmed that both the source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof," iDefense said in a summary it has issued on the attacks.

Eli Jellenc, head of international cyberintelligence for iDefense, which is working with some of the victim companies, says on average the attacks had been under way for nearly a month at those companies.

One source close to the investigation says this brand of targeted attack has actually been going on for about three years against U.S. companies and government agencies, involving some 10 different groups in China consisting of some 150,000 trained cyber-attackers.

The attacks on Google, Adobe, and others started with spear-phishing email messages with infected attachments, some PDFs, and some Office documents that lured users within the victim companies, including Google, to open what appeared to be documents from people they knew. The documents then ran code that infected their machines, and the attackers got remote access to those organizations via the infected systems.

Interestingly, the attackers used different malware payloads among the victims. "This is a pretty marked jump in sophistication," iDefense's Jellenc says. "That level of planning is unprecedented."

Mikko Hypponen, chief research officer at F-Secure, says a PDF file emailed to key people in the targeted companies started the attacks. "Once opened, the PDF exploited Adobe Reader with a zero-day vulnerability, which was patched today, and dropped a back-door [Trojan] that connected outbound from the infected machine back to the attackers," Hypponen says. That then gave the attackers full access to the infected machine as well as anywhere the user's machine went within his or her network, he says.

Other experts with knowledge of the attacks say it wasn't just PDFs, but Excel spreadsheets and other types of files employed as malicious attachments. The malware used in the attacks was custom-developed, they say, based on zero-day flaws, and investigators were able to match any "fingerprints" in the various versions of malware used in the attacks and determine that they were related.

The attackers didn't cast a wide spam net to get their victims like a typical botnet or spam campaign. Sources with knowledge of the attacks say the attackers instead started out with "good intelligence" that helped them gather the appropriate names and email addresses they used in the email attacks. "The state sponsorship may not be financial, but it is backed with intelligence," says one source. "What we're seeing is a blending of intelligence work plus malicious cyberattacks."

iDefense's Jellenc says the attackers were able to successfully steal valuable intellectual property from several of the victim companies.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.