Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property
Attackers used intelligence, custom malware to access Google, Adobe, and other U.S. companies' systems
Kelly Jackson Higgins,
January 13, 2010
The wave of targeted attacks from China on Google, Adobe, and more than 20 other U.S. companies, which has led the search giant to consider closing its doors in China and no longer censor search results there, began with end users at the victim organizations getting duped by convincing spear-phishing messages with poisoned attachments.
Google and Adobe both revealed last night that they were hit by these attacks, which appear to be aimed mainly at stealing intellectual property, including source code from the victim companies, security experts say.
So far, the other victim companies have yet to come forward and say who they are, but some could go public later this week. Microsoft, for one, appears to be in the clear: "We have no indication that any of our mail properties have been compromised," a Microsoft spokesperson said in a statement issued today.
Google, meanwhile, first discovered in mid-December that it had been hit by a targeted attack out of China that resulted in the theft of some of its intellectual property. The attackers' primary goal was to access the Gmail accounts of Chinese human rights activists, according to Google: "Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves," said David Drummond, senior vice president of corporate development and chief legal officer at Google, in a blog post. Google discovered that at least 20 other large companies from the Internet, finance, technology, media, and chemical industries also had been hit by the attack, he said.
iDefense says the attacks were primarily going after source code from many of the victim firms, and that the attackers were working on behalf of or in the employment of officials for the Chinese government. "Two independent, anonymous iDefense sources in the defense contracting and intelligence consulting community confirmed that both the source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof," iDefense said in a summary it has issued on the attacks.
Eli Jellenc, head of international cyberintelligence for iDefense, which is working with some of the victim companies, says on average the attacks had been under way for nearly a month at those companies.
One source close to the investigation says this brand of targeted attack has actually been going on for about three years against U.S. companies and government agencies, involving some 10 different groups in China consisting of some 150,000 trained cyber-attackers.
The attacks on Google, Adobe, and others started with spear-phishing email messages with infected attachments, some PDFs, and some Office documents that lured users within the victim companies, including Google, to open what appeared to be documents from people they knew. The documents then ran code that infected their machines, and the attackers got remote access to those organizations via the infected systems.
Interestingly, the attackers used different malware payloads among the victims. "This is a pretty marked jump in sophistication," iDefense's Jellenc says. "That level of planning is unprecedented."
Mikko Hypponen, chief research officer at F-Secure, says a PDF file emailed to key people in the targeted companies started the attacks. "Once opened, the PDF exploited Adobe Reader with a zero-day vulnerability, which was patched today, and dropped a back-door [Trojan] that connected outbound from the infected machine back to the attackers," Hypponen says. That then gave the attackers full access to the infected machine as well as anywhere the user's machine went within his or her network, he says.
Other experts with knowledge of the attacks say it wasn't just PDFs, but Excel spreadsheets and other types of files employed as malicious attachments. The malware used in the attacks was custom-developed, they say, based on zero-day flaws, and investigators were able to match any "fingerprints" in the various versions of malware used in the attacks and determine that they were related.
The attackers didn't cast a wide spam net to get their victims like a typical botnet or spam campaign. Sources with knowledge of the attacks say the attackers instead started out with "good intelligence" that helped them gather the appropriate names and email addresses they used in the email attacks. "The state sponsorship may not be financial, but it is backed with intelligence," says one source. "What we're seeing is a blending of intelligence work plus malicious cyberattacks."
iDefense's Jellenc says the attackers were able to successfully steal valuable intellectual property from several of the victim companies.
The attack revelations came on the heels of a major Adobe patch release yesterday. According to Adobe, it first learned of the attacks on Jan. 2. "At this time, we have no evidence to indicate that any sensitive information -- including customer, financial, employee, or any other sensitive data -- has been compromised. We anticipate the full investigation will take quite some time to complete," said an Adobe blog posting late yesterday. "We have and will continue to use information gained from this attack to make infrastructure improvements to enhance security for Adobe, our customers, and our partners."
Richard Stiennon, chief research analyst for IT-Harvest, says the attacks sync with the typical modus operandi of Chinese espionage attacks that have been going on since 2001. "This is the same methodologies the GhostNet team used to infiltrate the Dali Lama's networks," Stiennon says. In that case, the servers were based in South Korea, and the attackers were traced to China, he says.
"Based on Google's post, they traced back the attack to the control server and from there, found that other companies had been infected," Stiennon says. What's unclear is just how Google got into that control server, however, he notes.
So how did the attackers gather their initial intelligence for the spear-phishing attacks? One theory is they merely did their own research via the public Web, which can be employed by anyone doing reconnaissance. Another theory is they could have had access to, or compromised, a high-level router that handles traffic to and from Google in China. "China owns the routers on which all traffic goes from outside to and from Google [there]," says one source. "They literally own those routers."
James Mulvenon, director of the Defense Group Inc.'s Center for Intelligence Research and Analysis and a specialist on China, says some reports indicate that the attacks may have been a combination of an inside job as well as outside hackers breaking into the companies.
Researchers at iDefense said the code used in attacks is different from that of the malware used in the attacks last July that targeted 100 IT companies, but the two have similar command-and-control (C&C) servers. Both C&C servers use the HomeLinux Dynamic DNS service and point to IP addresses owned by a U.S.-based server hosting vendor Linode, according to a research note issued by iDefense.
"The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other. Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July," iDefense said.
iDefense says the attack on Google, Adobe, and other companies dropped a backdoor Trojan in the form of a Windows DLL.
Meanwhile, the attacks have brought together industry and the U.S. federal government. Secretary of State Hillary Rodham Clinton said in a statement that she had been briefed by Google about the attacks. "We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation," Clinton said. "The ability to operate with confidence in cyberspace is critical in a modern society and economy. I will be giving an address next week on the centrality of Internet freedom in the 21st century, and we will have further comment on this matter as the facts become clear."
But getting to the actual people behind the attack is another story. By using a C&C architecture akin to how botnets work, the attackers have insulated themselves.
The key to breaking that cycle is cutting off the C&C server: Gunter Ollmann, vice president of research at Damballa, says the best way to stop this type of threat is to detect and break the "tether of control" in the C&C channel.
"By blocking those CnC channels, the bad guys can't remotely control your enterprise systems, and they can't extract the secret data they want," Ollmann blogged today. But the closest you can realistically get to the people behind the attacks is probably their country location, he said.
Meanwhile, security experts say the latest attacks are all about industrial espionage -- and everyone is at risk. "Whether or not it's an ad-hoc effort or coordinated by the government, China is looking for anything it can get. As they get more sophisticated, they are very interested in source code and ways to find new vulnerabilities in software companies' products," IT-Harvest's Stiennon says.
"My message to everybody is you are all under attack."
Robert Graham, CEO of Errata Security, says he doubts the Chinese government is directing the attacks themselves. "The way repressive governments work is by encouraging nationalistic groups, which do the dirty work for them," Graham says. "This is an asymmetric fight. Google's response is creative: They are forcing the government to take responsibility for its policies. Instead of the self-censorship Google has been doing, it's forcing them to show their hand by cracking down for real on an uncensored Google results."
The attacks demonstrate a shift, with the Chinese now brazenly going after U.S. industry interests. "They've gone from attacking the military and defense [such that] it benefited their state in national security to striking at the heart of the American technology economy," Defense Group Inc.'s Mulvenon says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.