Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:12 PM
Connect Directly

Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property

Attackers used intelligence, custom malware to access Google, Adobe, and other U.S. companies' systems

The attack revelations came on the heels of a major Adobe patch release yesterday. According to Adobe, it first learned of the attacks on Jan. 2. "At this time, we have no evidence to indicate that any sensitive information -- including customer, financial, employee, or any other sensitive data -- has been compromised. We anticipate the full investigation will take quite some time to complete," said an Adobe blog posting late yesterday. "We have and will continue to use information gained from this attack to make infrastructure improvements to enhance security for Adobe, our customers, and our partners."

Richard Stiennon, chief research analyst for IT-Harvest, says the attacks sync with the typical modus operandi of Chinese espionage attacks that have been going on since 2001. "This is the same methodologies the GhostNet team used to infiltrate the Dali Lama's networks," Stiennon says. In that case, the servers were based in South Korea, and the attackers were traced to China, he says.

"Based on Google's post, they traced back the attack to the control server and from there, found that other companies had been infected," Stiennon says. What's unclear is just how Google got into that control server, however, he notes.

So how did the attackers gather their initial intelligence for the spear-phishing attacks? One theory is they merely did their own research via the public Web, which can be employed by anyone doing reconnaissance. Another theory is they could have had access to, or compromised, a high-level router that handles traffic to and from Google in China. "China owns the routers on which all traffic goes from outside to and from Google [there]," says one source. "They literally own those routers."

James Mulvenon, director of the Defense Group Inc.'s Center for Intelligence Research and Analysis and a specialist on China, says some reports indicate that the attacks may have been a combination of an inside job as well as outside hackers breaking into the companies.

Researchers at iDefense said the code used in attacks is different from that of the malware used in the attacks last July that targeted 100 IT companies, but the two have similar command-and-control (C&C) servers. Both C&C servers use the HomeLinux Dynamic DNS service and point to IP addresses owned by a U.S.-based server hosting vendor Linode, according to a research note issued by iDefense.

"The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other. Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July," iDefense said.

iDefense says the attack on Google, Adobe, and other companies dropped a backdoor Trojan in the form of a Windows DLL.

Meanwhile, the attacks have brought together industry and the U.S. federal government. Secretary of State Hillary Rodham Clinton said in a statement that she had been briefed by Google about the attacks. "We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation," Clinton said. "The ability to operate with confidence in cyberspace is critical in a modern society and economy. I will be giving an address next week on the centrality of Internet freedom in the 21st century, and we will have further comment on this matter as the facts become clear."

But getting to the actual people behind the attack is another story. By using a C&C architecture akin to how botnets work, the attackers have insulated themselves.

The key to breaking that cycle is cutting off the C&C server: Gunter Ollmann, vice president of research at Damballa, says the best way to stop this type of threat is to detect and break the "tether of control" in the C&C channel.

"By blocking those CnC channels, the bad guys can't remotely control your enterprise systems, and they can't extract the secret data they want," Ollmann blogged today. But the closest you can realistically get to the people behind the attacks is probably their country location, he said.

Meanwhile, security experts say the latest attacks are all about industrial espionage -- and everyone is at risk. "Whether or not it's an ad-hoc effort or coordinated by the government, China is looking for anything it can get. As they get more sophisticated, they are very interested in source code and ways to find new vulnerabilities in software companies' products," IT-Harvest's Stiennon says.

"My message to everybody is you are all under attack."

Robert Graham, CEO of Errata Security, says he doubts the Chinese government is directing the attacks themselves. "The way repressive governments work is by encouraging nationalistic groups, which do the dirty work for them," Graham says. "This is an asymmetric fight. Google's response is creative: They are forcing the government to take responsibility for its policies. Instead of the self-censorship Google has been doing, it's forcing them to show their hand by cracking down for real on an uncensored Google results."

The attacks demonstrate a shift, with the Chinese now brazenly going after U.S. industry interests. "They've gone from attacking the military and defense [such that] it benefited their state in national security to striking at the heart of the American technology economy," Defense Group Inc.'s Mulvenon says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-17
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the fir...
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, due to a lack of proper session controls, a threat actor could make unauthorized changes to an affected router via a specially crafted web page. If an authenticated user were to interact with a malicious web page it could allow for a complete takeover of the router.
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, it is possible to inject arbitrary JavaScript into the router's web interface via the "echo" command.
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device is possible to crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1.
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the sharing flow and choose t...