
New Details On Targeted Attacks On Google, Others, Trickle Out

Meanwhile, Microsoft releases emergency patch for IE exploit used in the attacks

New details about the targeted attacks against Google and other U.S. companies that resulted in the theft of source code and other intellectual property emerged today, while Microsoft released an emergency patch for a flaw in Internet Explorer that was exploited in those attacks.

Chenxi Wang, principal analyst for security and risk management at Forrester Research, says Google last week instituted an emergency update to its corporate VPN, raising questions about whether the network was in some way compromised in the attacks. But, she says, Google disputed her initial analysis that the attackers gained access to Google's server via its corporate VPN.

"This is the first we've heard about the VPN involvement at Google. I'm not sure this definitely qualifies as a VPN breach because we don't know what the attacker did to the VPN system -- it's possible that the attacker used the user credentials to log in through the VPN without doing anything illegal to the VPN. Or it is possible that the attacker did attack the VPN system. But Google won't say one way or another," Wang says.

A Google spokesperson declined to comment on Wang's findings.

What has been made public about the attack on Google and others is that the attackers employed social engineering via phishing emails containing malicious links to lure their victims. The links led to an exploit attacking Internet Explorer 6 that dropped a Trojan onto the victim's machine and then allowed the attacker to take control of it. The exploit abuses a zero-day vulnerability present in all versions of Internet Explorer, but since the exploit code was released publicly, attacks in the wild have so far mostly targeted IE 6 machines.

A malware researcher, meanwhile, has traced the code used in the exploit to Chinese-language authors. While reverse-engineering a sample of the malware used in the attacks, Joe Stewart, director of malware research at Secureworks, discovered some modules in the code have timestamps dating back to May 2006, so the so-called Aurora malware -- a.k.a. the Hydraq Trojan -- was in the works for some time, he says. He says he also found evidence that the code has Chinese origins: It uses a unique implementation of the cyclic redundancy check (CRC) algorithm that is associated with Chinese-language Websites.

Most of the details that have emerged about how the attackers gained access to Google's network and intellectual property have focused mainly on the IE exploit, but security experts say several other exploits were involved in the widespread targeted attacks.

Forrester's Wang, meanwhile, says she believes the "emergency update" to Google's VPN infrastructure was somehow a result of the attack. Wang first raised the possibility, in a blog post today, that Google's VPN was used to access its server in the attack; she has since updated the post twice, after Google first confirmed and then disputed it.

Whether the VPN update was a precautionary measure by Google or purely coincidental is unclear as well.

Still baffling to experts is why a Google user or users would be running the older and less secure version 6 of Microsoft's browser. Security experts have suggested that either some nontechnical Google employees just hadn't bothered to upgrade their browsers, or that the attack could have targeted a Google employee working from his home machine running IE 6.

Wang says Google told her it was possible someone was running IE 6 internally for "testing purposes." That didn't add up for Wang, however: "I can buy that you might be running an older version of a browser for testing purposes (for backward compatibility), but why wasn't the testing environment isolated from production and from access to critical assets? Isn't that one of the first things you do in setting up a test environment?" she wrote in her blog post.

Whatever the reason for the old IE 6 browser, Wang says Google's breach should serve as a cautionary tale for other enterprises. "IT should make sure everyone is running the latest browsers with the latest patches and latest OS -- everything -- and [a] test environment should be entirely separate from the production environment," she says.
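As an added example (not part of the article or Google's own tooling), one way to act on Wang's advice is to inventory browser versions from web proxy logs and flag hosts still presenting an IE 6 User-Agent. The log line format and the sample lines below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article): client IP, user, User-Agent.
SAMPLE_LOG = """\
10.1.2.3 alice "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
10.1.2.4 bob "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.2.5 carol "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.1.2.4 bob "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.2.6 dave "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
not a valid log line
"""

# Assumed line layout: <ip> <user> "<user-agent>"
LINE_RE = re.compile(r'^(?P<ip>\S+)\s+(?P<user>\S+)\s+"(?P<ua>[^"]*)"\s*$')
# Classic IE user agents carry an "MSIE <major>.<minor>" token.
MSIE_RE = re.compile(r'MSIE (?P<major>\d+)\.\d+')


def parse_line(line):
    """Return (ip, user, ua) for a well-formed line, or None for a malformed one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group('ip'), m.group('user'), m.group('ua')


def ie_major_version(ua):
    """Major Internet Explorer version from a User-Agent string, or None if not IE."""
    m = MSIE_RE.search(ua)
    return int(m.group('major')) if m else None


def find_outdated_ie(log_text, flag_at_or_below=6):
    """Map each client IP seen with IE <= flag_at_or_below to the sorted users on it.
    Malformed lines are skipped so one bad record does not abort the whole scan."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ua = parsed
        major = ie_major_version(ua)
        if major is not None and major <= flag_at_or_below:
            hosts[ip].add(user)
    return {ip: sorted(users) for ip, users in hosts.items()}


if __name__ == "__main__":
    for ip, users in find_outdated_ie(SAMPLE_LOG).items():
        print(f"{ip}: IE 6 or older seen for {', '.join(users)}")
```

Raising `flag_at_or_below` widens the sweep to other unpatched IE releases once the vendor patch has been rolled out.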

Al Huger, vice president of engineering at Immunet, says the attack on Google raises legitimate worries for other companies. "People I've spoken to say if Google, with arguably the brightest security guys in the industry, can get broken into in the heartland of Silicon Valley and have source code stolen, how secure is anybody else?"


Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
