Attacks/Breaches
1/15/2010
01:12 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property

Attackers used intelligence, custom malware to access Google, Adobe, and other U.S. companies' systems.

The wave of targeted attacks from China on Google, Adobe, and more than 20 other U.S. companies, which has led the search giant to consider closing its doors in China and no longer censor search results there, began with end users at the victim organizations getting duped by convincing spear-phishing messages with poisoned attachments.

Google and Adobe both revealed last night that they were hit by these attacks, which appear to be aimed mainly at stealing intellectual property, including source code from the victim companies, security experts say.

So far, the other victim companies have yet to come forward and say who they are, but some could go public later this week. Microsoft, for one, appears to be in the clear: "We have no indication that any of our mail properties have been compromised," a Microsoft spokesperson said in a statement issued today.

Google, meanwhile, first discovered in mid-December that it had been hit by a targeted attack out of China that resulted in the theft of some of its intellectual property. The attackers' primary goal was to access the Gmail accounts of Chinese human rights activists, according to Google: "Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves," said David Drummond, senior vice president of corporate development and chief legal officer at Google, in a blog post. Google discovered that at least 20 other large companies from the Internet, finance, technology, media, and chemical industries also had been hit by the attack, he said.

iDefense says the attacks were primarily going after source code from many of the victim firms, and that the attackers were working on behalf of or in the employment of officials for the Chinese government. "Two independent, anonymous iDefense sources in the defense contracting and intelligence consulting community confirmed that both the source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof," iDefense said in a summary it has issued on the attacks.

Eli Jellenc, head of international cyberintelligence for iDefense, which is working with some of the victim companies, says on average the attacks had been under way for nearly a month at those companies.

One source close to the investigation says this brand of targeted attack has actually been going on for about three years against U.S. companies and government agencies, involving some 10 different groups in China consisting of some 150,000 trained cyber-attackers.

The attacks on Google, Adobe, and others started with spear-phishing email messages with infected attachments, some PDFs, and some Office documents that lured users within the victim companies, including Google, to open what appeared to be documents from people they knew. The documents then ran code that infected their machines, and the attackers got remote access to those organizations via the infected systems.

Interestingly, the attackers used different malware payloads among the victims. "This is a pretty marked jump in sophistication," iDefense's Jellenc says. "That level of planning is unprecedented."

Mikko Hypponen, chief research officer at F-Secure, says a PDF file emailed to key people in the targeted companies started the attacks. "Once opened, the PDF exploited Adobe Reader with a zero-day vulnerability, which was patched today, and dropped a back-door [Trojan] that connected outbound from the infected machine back to the attackers," Hypponen says. That then gave the attackers full access to the infected machine as well as anywhere the user's machine went within his or her network, he says.

Other experts with knowledge of the attacks say it wasn't just PDFs, but Excel spreadsheets and other types of files employed as malicious attachments. The malware used in the attacks was custom-developed, they say, based on zero-day flaws, and investigators were able to match any "fingerprints" in the various versions of malware used in the attacks and determine that they were related.

The attackers didn't cast a wide spam net to get their victims like a typical botnet or spam campaign. Sources with knowledge of the attacks say the attackers instead started out with "good intelligence" that helped them gather the appropriate names and email addresses they used in the email attacks. "The state sponsorship may not be financial, but it is backed with intelligence," says one source. "What we're seeing is a blending of intelligence work plus malicious cyberattacks."

iDefense's Jellenc says the attackers were able to successfully steal valuable intellectual property from several of the victim companies.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report