Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:12 PM
Connect Directly

Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property

Attackers used intelligence, custom malware to access Google, Adobe, and other U.S. companies' systems

The attack revelations came on the heels of a major Adobe patch release yesterday. According to Adobe, it first learned of the attacks on Jan. 2. "At this time, we have no evidence to indicate that any sensitive information -- including customer, financial, employee, or any other sensitive data -- has been compromised. We anticipate the full investigation will take quite some time to complete," said an Adobe blog posting late yesterday. "We have and will continue to use information gained from this attack to make infrastructure improvements to enhance security for Adobe, our customers, and our partners."

Richard Stiennon, chief research analyst for IT-Harvest, says the attacks sync with the typical modus operandi of Chinese espionage attacks that have been going on since 2001. "This is the same methodologies the GhostNet team used to infiltrate the Dali Lama's networks," Stiennon says. In that case, the servers were based in South Korea, and the attackers were traced to China, he says.

"Based on Google's post, they traced back the attack to the control server and from there, found that other companies had been infected," Stiennon says. What's unclear is just how Google got into that control server, however, he notes.

So how did the attackers gather their initial intelligence for the spear-phishing attacks? One theory is they merely did their own research via the public Web, which can be employed by anyone doing reconnaissance. Another theory is they could have had access to, or compromised, a high-level router that handles traffic to and from Google in China. "China owns the routers on which all traffic goes from outside to and from Google [there]," says one source. "They literally own those routers."

James Mulvenon, director of the Defense Group Inc.'s Center for Intelligence Research and Analysis and a specialist on China, says some reports indicate that the attacks may have been a combination of an inside job as well as outside hackers breaking into the companies.

Researchers at iDefense said the code used in attacks is different from that of the malware used in the attacks last July that targeted 100 IT companies, but the two have similar command-and-control (C&C) servers. Both C&C servers use the HomeLinux Dynamic DNS service and point to IP addresses owned by a U.S.-based server hosting vendor Linode, according to a research note issued by iDefense.

"The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other. Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July," iDefense said.

iDefense says the attack on Google, Adobe, and other companies dropped a backdoor Trojan in the form of a Windows DLL.

Meanwhile, the attacks have brought together industry and the U.S. federal government. Secretary of State Hillary Rodham Clinton said in a statement that she had been briefed by Google about the attacks. "We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation," Clinton said. "The ability to operate with confidence in cyberspace is critical in a modern society and economy. I will be giving an address next week on the centrality of Internet freedom in the 21st century, and we will have further comment on this matter as the facts become clear."

But getting to the actual people behind the attack is another story. By using a C&C architecture akin to how botnets work, the attackers have insulated themselves.

The key to breaking that cycle is cutting off the C&C server: Gunter Ollmann, vice president of research at Damballa, says the best way to stop this type of threat is to detect and break the "tether of control" in the C&C channel.

"By blocking those CnC channels, the bad guys can't remotely control your enterprise systems, and they can't extract the secret data they want," Ollmann blogged today. But the closest you can realistically get to the people behind the attacks is probably their country location, he said.

Meanwhile, security experts say the latest attacks are all about industrial espionage -- and everyone is at risk. "Whether or not it's an ad-hoc effort or coordinated by the government, China is looking for anything it can get. As they get more sophisticated, they are very interested in source code and ways to find new vulnerabilities in software companies' products," IT-Harvest's Stiennon says.

"My message to everybody is you are all under attack."

Robert Graham, CEO of Errata Security, says he doubts the Chinese government is directing the attacks themselves. "The way repressive governments work is by encouraging nationalistic groups, which do the dirty work for them," Graham says. "This is an asymmetric fight. Google's response is creative: They are forcing the government to take responsibility for its policies. Instead of the self-censorship Google has been doing, it's forcing them to show their hand by cracking down for real on an uncensored Google results."

The attacks demonstrate a shift, with the Chinese now brazenly going after U.S. industry interests. "They've gone from attacking the military and defense [such that] it benefited their state in national security to striking at the heart of the American technology economy," Defense Group Inc.'s Mulvenon says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-21
An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The faad_resetbits function in libfaad/bits.c is affected by a buffer overflow vulnerability. The number of bits to be read is determined by ld->buffer_size - words*4, cast to uint32. If ld->buffer_size - words*4 is ne...
PUBLISHED: 2019-08-21
An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.
PUBLISHED: 2019-08-21
An issue was discovered in ACDSee Photo Studio Standard 22.1 Build 1159. There is a User Mode Write AV starting at IDE_ACDStd!IEP_ShowPlugInDialog+0x000000000023d060.
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...