This post is my analysis of publicly available information on the attack against Google. I think that Google linked to my blog and the GhostNet report because of similarities in methods, not because the two cases are linked. This post combines my analysis of Google’s statement, media reports and my experience with other attacks — that doesn’t mean that this is exactly what happened in the attack on Google.

There’s been a lot of chatter about how Google and 30+ other companies were compromised. Adobe has issued a statement saying that they too were compromised, but they still won’t say if the attacks are in fact linked. Yahoo! stated that they were “aligned with Google” and it is now being reported that Yahoo! was among the other unnamed victims in the attack.

The timing of the compromise is interesting because it coincides with a 0day vulnerability in Adobe Reader. It has been suggested that this was the attack vector. The coincidence is interesting and I think that this claim is fairly credible.

UPDATE: McAfee reports that the compromise was an Internet Explorer 0day:

Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7. Still, so far the attacks we’ve seen using this vector have been focused on Internet Explorer 6. Microsoft has been working with us on this matter and we thank them for their collaboration. While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.

iDefense has stated that they were able to investigate these attacks since some of their customers were also hit:

IDefense was called in to help some of the victim companies that Google had uncovered. According to Jellenc, the hackers sent targeted e-mail messages to victims that contained a malicious attachment containing what’s known as a zero-day attack. These attacks are typically not detected by antivirus vendors because they exploit a previously unknown software bug. “There is an attack exploiting a zero-day vulnerability in one of the major document types,” Jellenc said. “They infect whichever users they can, and leverage any contact information or any access information on the victim’s computer to misrepresent themselves as that victim.” The goal is to “infect someone with administrative access to the systems that hold the intellectual property that they’re trying to obtain,” he added.

The attack vector is very similar to GhostNet, but it is a very common form of attack. Mikko Hypponen (who is awesome) told the BBC:

“This wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly,” said Mikko Hypponen, of security firm F-Secure. “Most companies just never go public,” he added. “Human-rights activists are the biggest target,” said Mr Hypponen. “Everyone from Freedom for Tibet to Falun Gong supporters and those involved in Liberation of Taiwan are hit.”

I tend to agree. It is not the method of attack that is the story here; it’s the high profile of the victims, the public disclosure by Google and Google’s decision to challenge China’s censorship that have made it so interesting. Really, we investigate these kinds of attacks (usually on human rights activists) all the time.

In short, a user receives an email, possibly appearing to be from someone that they know who is a real person within his/her organization, with some text — sometimes specific, sometimes generic — that urges the user to open an attachment (or visit a web site). The attachment is usually a PDF or Word document, but other document types are also common. If the user opens that attachment with a vulnerable version of Adobe Reader or Microsoft Office, their computer will be compromised. Antivirus detection for these documents is usually relatively low, and if the exploit is a 0day — an exploit for which there is no fix from the vendor available — the chances of compromise are very good.

After the user’s computer is compromised it “checks in” with a command and control server (C&C). These days it is most common for this check-in to be an HTTP connection — it often looks like just another visit to a website — in which the compromised computer sends some information (usually its IP address, operating system version and the like) and receives a command which it then executes. From there the attacker has full control of the system. The attacker can steal documents, email and so on, force the compromised computer to download additional malware, and use the infected computer as a mechanism to exploit your contacts or other computers on your network.
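The check-in traffic described above can be told apart from ordinary browsing by its regularity and by the tiny responses it fetches. The following is an added example (not code from the post) that flags that pattern in proxy logs; the log layout, hostnames and addresses are constructed for the example.

```python
"""Spot the HTTP "check-in" pattern in proxy logs (added example, not from the post).
Log layout (epoch, client, method, URL, response bytes) is constructed for this example."""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample: 10.0.0.5 checks in every 300 s with tiny responses,
# 10.0.0.9 browses normally. Hosts use the reserved .invalid / .example names.
SAMPLE_LOG = """\
1263340000 10.0.0.5 GET http://example-dyn.invalid/update.php 312
1263340300 10.0.0.5 GET http://example-dyn.invalid/update.php 318
1263340600 10.0.0.5 GET http://example-dyn.invalid/update.php 305
1263340900 10.0.0.5 GET http://example-dyn.invalid/update.php 320
1263341200 10.0.0.5 GET http://example-dyn.invalid/update.php 311
1263340010 10.0.0.9 GET http://news.example/index.html 48213
1263340055 10.0.0.9 GET http://news.example/story/1 22110
1263341900 10.0.0.9 GET http://news.example/story/2 19876
1263342200 10.0.0.9 GET http://news.example/story/3 30112
"""

def parse_log(text):
    """Yield (timestamp, client, host, size) from the constructed log format."""
    for line in text.splitlines():
        ts, client, _method, url, size = line.split()
        yield int(ts), client, urlparse(url).netloc, int(size)

def find_beacons(text, min_hits=4, max_jitter=0.2, max_bytes=2048):
    """Return {(client, host): interval_seconds} for pairs that contact the same
    host on a regular schedule and only ever get small replies: the 'looks like
    just another website visit' check-in the post describes. Thresholds are
    starting points; real beacons add jitter and real sites need tuning."""
    by_pair = defaultdict(list)
    for ts, client, host, size in parse_log(text):
        by_pair[(client, host)].append((ts, size))
    beacons = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        regular = pstdev(gaps) / avg <= max_jitter
        small = max(size for _, size in hits) <= max_bytes
        if regular and small:
            beacons[pair] = round(avg)
    return beacons
```

Running `find_beacons(SAMPLE_LOG)` reports only the 10.0.0.5 host with a 300-second interval; the browsing host is ignored because its gaps are irregular and its responses are large.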

One of the things I like to track closely is the network infrastructure of the attackers — the location of their command and control servers as well as the mechanism of communication and other properties of the malware that allow seemingly disparate attacks to be linked together. There has been some information published about the command and control servers used in the Google attack. James Mulvenon, who really knows his stuff, stated that the C&Cs were in Taiwan and the drop site for stolen data was on a US IP:

The attacks appear to have been launched from at least six Internet addresses located in Taiwan, which is a common strategy used by Chinese hackers to mask their origin, said James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc., a national-security firm. They also hijacked the Internet address of a San Antonio-based firm, Rackspace, which is one of the largest Internet-hosting companies in the U.S. They siphoned off the stolen data from Google and other companies to the San Antonio site before sending it overseas, Mr. Mulvenon said. A Rackspace official said, “A server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyber attack, fully cooperating with all affected parties.”

In addition, a dynamic DNS service was reportedly used:

iDefense obtained samples of the malicious code used in the July attack and the more recent one and found that although the malware was different in the two attacks, the programs both communicated with similar command-and-control servers. The servers each used the HomeLinux DynamicDNS to change their IP address, and both currently pointed to IP addresses belonging to a subset of addresses owned by Linode, a US-based company that offers Virtual Private Server hosting. “The IP addresses in question are . . . six IP addresses apart from each other,” iDefense said in its statement. “Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the [recent] Silicon Valley attacks have been compromised since July.”
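The linking of attacks by shared infrastructure described above (C&C domains on the same dynamic DNS service, C&C addresses a handful of IPs apart, a common drop site) can be expressed as a small correlation routine. This is an added example, not code from the post or from iDefense; the sample ids, domains and addresses are constructed placeholders and not indicators from the incident.

```python
"""Link seemingly separate intrusions through shared C&C infrastructure
(added example, not from the post or iDefense). Records and addresses below
are constructed placeholders, not indicators from the incident."""
import ipaddress
from itertools import combinations

# Constructed observations, one per malware sample (hypothetical ids)
SAMPLES = [
    {"id": "sample-A", "domain": "alpha.dyn-example.invalid", "ip": "192.0.2.10", "drop": "198.51.100.7"},
    {"id": "sample-B", "domain": "beta.dyn-example.invalid", "ip": "192.0.2.16", "drop": "198.51.100.7"},
    {"id": "sample-C", "domain": "cnc.other.invalid", "ip": "203.0.113.50", "drop": "203.0.113.51"},
    {"id": "sample-D", "domain": "gamma.dyn-example.invalid", "ip": "192.0.2.200", "drop": "203.0.113.9"},
]

def link_reasons(a, b, max_ip_distance=8):
    """List the overlaps between two samples: same C&C domain, same dynamic DNS
    zone, C&C addresses only a few IPs apart (the 'six apart' observation),
    or a shared drop site for stolen data."""
    reasons = []
    if a["domain"] == b["domain"]:
        reasons.append("same domain")
    elif a["domain"].partition(".")[2] == b["domain"].partition(".")[2]:
        reasons.append("same dynamic DNS zone")
    dist = abs(int(ipaddress.ip_address(a["ip"])) - int(ipaddress.ip_address(b["ip"])))
    if dist <= max_ip_distance:
        reasons.append(f"C&C IPs {dist} apart")
    if a["drop"] == b["drop"]:
        reasons.append("shared drop site")
    return reasons

def cluster(samples, min_reasons=2):
    """Group samples that share at least min_reasons overlaps (union-find).
    A single weak overlap such as the same dynamic DNS provider is not enough
    on its own; that is where the post's attribution caveats bite."""
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if len(link_reasons(a, b)) >= min_reasons:
            parent[find(a["id"])] = find(b["id"])
    groups = {}
    for s in samples:
        groups.setdefault(find(s["id"]), []).append(s["id"])
    return sorted(sorted(g) for g in groups.values())
```

Samples A and B are grouped because they share a dynamic DNS zone, sit six addresses apart and use the same drop site, while D shares only the zone with them and stays separate.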

UPDATE: Apparently one of the pieces of malware used was the Hydraq Trojan.

And what did the attackers steal? Google stated that there was “theft of intellectual property”; some suggest that the attackers stole source code:

But according to iDefense, whose customers include some of the 33 companies that were hacked, the attacks were well targeted and “unusually sophisticated” and aimed at grabbing source code from several hi-tech companies based in Silicon Valley as well as financial institutions and defense contractors.

However, Google stated that the “primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” and that the attack was partially successful:

Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Others state that Google’s internal intercept systems were attacked:

That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. “Right before Christmas, it was, ‘Holy s***, this malware is accessing the internal intercept [systems],'” he said.

Now some people have come forward, a Tibetan activist for example, saying that their email accounts had been breached.

Who is behind the attacks? Google didn’t really say who was behind the attacks. iDefense, who may be overreaching here, stated that it was the “Chinese state”:

“We confirmed with some clients and partners of ours in the defense contracting community that the IP addresses used to launch the attacks are known to be associated with previous attacks from groups that are either directly employed agents of the Chinese state or amateur hackers that are proxies for them that have attacked other U.S. companies in the past.”

In fact, attribution in these sorts of attacks is very difficult. Often people rely on the geolocation of an IP address — that’s not good enough. In this case the C&Cs were apparently in Taiwan and the drop site in the US. What does that tell us? Through piecing together seemingly disparate bits of information over time it is possible to make an educated guess. What makes the process difficult and tenuous is that the attackers might be quite different persons from those who ultimately exploit the data the attackers gather. It is the interpretation of the political dimensions of the attack that leads to a determination of who might ultimately have benefited the most from the attack, not technical evidence. Therefore there is room for a lot of uncertainty.