Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property

Attackers used intelligence, custom malware to access Google, Adobe, and other U.S. companies' systems
The attack revelations came on the heels of a major Adobe patch release yesterday. According to Adobe, it first learned of the attacks on Jan. 2. "At this time, we have no evidence to indicate that any sensitive information -- including customer, financial, employee, or any other sensitive data -- has been compromised. We anticipate the full investigation will take quite some time to complete," said an Adobe blog posting late yesterday. "We have and will continue to use information gained from this attack to make infrastructure improvements to enhance security for Adobe, our customers, and our partners."

Richard Stiennon, chief research analyst for IT-Harvest, says the attacks sync with the typical modus operandi of Chinese espionage attacks that have been going on since 2001. "This is the same methodologies the GhostNet team used to infiltrate the Dali Lama's networks," Stiennon says. In that case, the servers were based in South Korea, and the attackers were traced to China, he says.

"Based on Google's post, they traced back the attack to the control server and from there, found that other companies had been infected," Stiennon says. What's unclear is just how Google got into that control server, however, he notes.

So how did the attackers gather their initial intelligence for the spear-phishing attacks? One theory is they merely did their own research via the public Web, which can be employed by anyone doing reconnaissance. Another theory is they could have had access to, or compromised, a high-level router that handles traffic to and from Google in China. "China owns the routers on which all traffic goes from outside to and from Google [there]," says one source. "They literally own those routers."

James Mulvenon, director of the Defense Group Inc.'s Center for Intelligence Research and Analysis and a specialist on China, says some reports indicate that the attacks may have been a combination of an inside job as well as outside hackers breaking into the companies.

Researchers at iDefense said the code used in attacks is different from that of the malware used in the attacks last July that targeted 100 IT companies, but the two have similar command-and-control (C&C) servers. Both C&C servers use the HomeLinux Dynamic DNS service and point to IP addresses owned by a U.S.-based server hosting vendor Linode, according to a research note issued by iDefense.

"The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other. Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July," iDefense said.

iDefense says the attack on Google, Adobe, and other companies dropped a backdoor Trojan in the form of a Windows DLL.

Meanwhile, the attacks have brought together industry and the U.S. federal government. Secretary of State Hillary Rodham Clinton said in a statement that she had been briefed by Google about the attacks. "We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation," Clinton said. "The ability to operate with confidence in cyberspace is critical in a modern society and economy. I will be giving an address next week on the centrality of Internet freedom in the 21st century, and we will have further comment on this matter as the facts become clear."

But getting to the actual people behind the attack is another story. By using a C&C architecture akin to how botnets work, the attackers have insulated themselves.

The key to breaking that cycle is cutting off the C&C server: Gunter Ollmann, vice president of research at Damballa, says the best way to stop this type of threat is to detect and break the "tether of control" in the C&C channel.

"By blocking those CnC channels, the bad guys can't remotely control your enterprise systems, and they can't extract the secret data they want," Ollmann blogged today. But the closest you can realistically get to the people behind the attacks is probably their country location, he said.

Meanwhile, security experts say the latest attacks are all about industrial espionage -- and everyone is at risk. "Whether or not it's an ad-hoc effort or coordinated by the government, China is looking for anything it can get. As they get more sophisticated, they are very interested in source code and ways to find new vulnerabilities in software companies' products," IT-Harvest's Stiennon says.

"My message to everybody is you are all under attack."

Robert Graham, CEO of Errata Security, says he doubts the Chinese government is directing the attacks themselves. "The way repressive governments work is by encouraging nationalistic groups, which do the dirty work for them," Graham says. "This is an asymmetric fight. Google's response is creative: They are forcing the government to take responsibility for its policies. Instead of the self-censorship Google has been doing, it's forcing them to show their hand by cracking down for real on an uncensored Google results."

The attacks demonstrate a shift, with the Chinese now brazenly going after U.S. industry interests. "They've gone from attacking the military and defense [such that] it benefited their state in national security to striking at the heart of the American technology economy," Defense Group Inc.'s Mulvenon says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Robert Lemos, Contributing Writer, Dark Reading
Shikha Kothari, Senior Security Adviser, Eden Data