Attacks/Breaches
1/15/2010
01:12 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property

Attackers used intelligence, custom malware to access Google, Adobe, and other U.S. companies' systems.

The wave of targeted attacks from China on Google, Adobe, and more than 20 other U.S. companies, which has led the search giant to consider closing its doors in China and no longer censor search results there, began with end users at the victim organizations getting duped by convincing spear-phishing messages with poisoned attachments.

Google and Adobe both revealed last night that they were hit by these attacks, which appear to be aimed mainly at stealing intellectual property, including source code from the victim companies, security experts say.

So far, the other victim companies have yet to come forward and say who they are, but some could go public later this week. Microsoft, for one, appears to be in the clear: "We have no indication that any of our mail properties have been compromised," a Microsoft spokesperson said in a statement issued today.

Google, meanwhile, first discovered in mid-December that it had been hit by a targeted attack out of China that resulted in the theft of some of its intellectual property. The attackers' primary goal was to access the Gmail accounts of Chinese human rights activists, according to Google: "Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves," said David Drummond, senior vice president of corporate development and chief legal officer at Google, in a blog post. Google discovered that at least 20 other large companies from the Internet, finance, technology, media, and chemical industries also had been hit by the attack, he said.

iDefense says the attacks were primarily going after source code from many of the victim firms, and that the attackers were working on behalf of or in the employment of officials for the Chinese government. "Two independent, anonymous iDefense sources in the defense contracting and intelligence consulting community confirmed that both the source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof," iDefense said in a summary it has issued on the attacks.

Eli Jellenc, head of international cyberintelligence for iDefense, which is working with some of the victim companies, says on average the attacks had been under way for nearly a month at those companies.

One source close to the investigation says this brand of targeted attack has actually been going on for about three years against U.S. companies and government agencies, involving some 10 different groups in China consisting of some 150,000 trained cyber-attackers.

The attacks on Google, Adobe, and others started with spear-phishing email messages with infected attachments, some PDFs, and some Office documents that lured users within the victim companies, including Google, to open what appeared to be documents from people they knew. The documents then ran code that infected their machines, and the attackers got remote access to those organizations via the infected systems.

Interestingly, the attackers used different malware payloads among the victims. "This is a pretty marked jump in sophistication," iDefense's Jellenc says. "That level of planning is unprecedented."

Mikko Hypponen, chief research officer at F-Secure, says a PDF file emailed to key people in the targeted companies started the attacks. "Once opened, the PDF exploited Adobe Reader with a zero-day vulnerability, which was patched today, and dropped a back-door [Trojan] that connected outbound from the infected machine back to the attackers," Hypponen says. That then gave the attackers full access to the infected machine as well as anywhere the user's machine went within his or her network, he says.

Other experts with knowledge of the attacks say it wasn't just PDFs, but Excel spreadsheets and other types of files employed as malicious attachments. The malware used in the attacks was custom-developed, they say, based on zero-day flaws, and investigators were able to match any "fingerprints" in the various versions of malware used in the attacks and determine that they were related.

The attackers didn't cast a wide spam net to get their victims like a typical botnet or spam campaign. Sources with knowledge of the attacks say the attackers instead started out with "good intelligence" that helped them gather the appropriate names and email addresses they used in the email attacks. "The state sponsorship may not be financial, but it is backed with intelligence," says one source. "What we're seeing is a blending of intelligence work plus malicious cyberattacks."

iDefense's Jellenc says the attackers were able to successfully steal valuable intellectual property from several of the victim companies.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web