Researchers Identify Command Servers Behind Google Attack (Updated)

Ars Technica covers a report that links the cyber attacks perpetrated against Google and other foreign companies to the Chinese government:

VeriSign’s iDefense security lab has published a report with technical details about the recent cyberattack that hit Google and over 30 other companies. The iDefense researchers traced the attack back to its origin and also identified the command-and-control servers that were used to manage the malware.

The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator.

Citing sources in the defense contracting and intelligence consulting community, the iDefense report unambiguously declares that the Chinese government was, in fact, behind the effort. The report also says that the malicious code was deployed in PDF files that were crafted to exploit a vulnerability in Adobe’s software.

“The source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof,” the report says.

A report on CNet gives more details about how the attacks were likely perpetrated:

It is possible the attackers used “multiple exploits and multiple, tailor-made Trojans for different targets,” said Jellenc. “That is an extraordinary leap in sophistication from other targeted attack campaigns we’ve seen in the past,” he said.

It’s also likely that at least some of the attacks involved malicious PDF attachments containing code that exploits a hole in Adobe Reader, sources said.

Coincidentally, Adobe patched a so-called “zero-day hole” in Reader and Acrobat on Tuesday that was discovered in mid-December and had been exploited in attacks in the wild to deliver Trojan horse programs that install backdoor access on computers.

In such targeted attacks, an attacker typically sends an e-mail to a specific administrator or other worker inside a company, often masquerading as someone the recipient knows. If the recipient opens the attachment, the malware is dropped onto the target computer from where it can be remotely controlled to steal data, access sensitive parts of the network or even launch an attack on other computers.
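The attack chain described above starts with a PDF attachment that a recipient is tricked into opening. As an added example (not from the article or the reports it quotes), the following Python triage check shows how a mail gateway or an analyst can flag a PDF that carries constructs an ordinary document attachment rarely needs: auto-run actions (`/OpenAction`, `/AA`), embedded script (`/JavaScript`, `/JS`), program launches and embedded files. The two sample PDFs are constructed for this example, the indicator list and the scoring are this example's own heuristics (a PDF with a high score is suspicious, not proven malicious), and the check also looks inside FlateDecode-compressed streams and decodes `#xx` name escapes, two places where such keywords are commonly hidden from naive string searches.

```python
import re
import zlib

# Structural features that exploit-carrying PDFs commonly rely on and that a
# plain document attachment rarely uses. Chosen for this example; not an
# exhaustive or authoritative list.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia")

# Match each name only when it is not the prefix of a longer name (/JS vs /JSX).
_NAME_PATTERNS = {
    name.decode(): re.compile(re.escape(name) + rb"(?![A-Za-z0-9])")
    for name in RISKY_NAMES
}
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name escapes so that /J#61vaScript reads as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the inflated bodies of every stream that zlib can decode.
    Streams using other filters (or corrupt data) are skipped."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates trailing bytes such as a stray \r.
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Count risky constructs in the raw file and its inflated streams and
    reduce them to a coarse verdict: 'low', 'medium', 'high' or 'not-pdf'."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "indicators": {}, "verdict": "not-pdf"}
    visible = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    counts = {name: len(pat.findall(visible)) for name, pat in _NAME_PATTERNS.items()}
    script = counts["/JavaScript"] + counts["/JS"]
    autorun = counts["/OpenAction"] + counts["/AA"]
    if script and autorun:
        verdict = "high"      # script that runs as soon as the file is opened
    elif any(counts.values()):
        verdict = "medium"    # unusual construct present, worth a closer look
    else:
        verdict = "low"
    return {"is_pdf": True, "indicators": counts, "verdict": verdict}


# Constructed sample 1: a minimal benign document with no active content.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 2: an auto-run action whose script dictionary is hidden in
# a compressed stream, plus a hex-escaped name in the visible object.
_HIDDEN_DICT = zlib.compress(b"<< /S /JavaScript /JS (constructed placeholder) >>")
SUSPICIOUS_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
    b"3 0 obj << /Type /Action /S /J#61vaScript /JS 4 0 R >> endobj\n",
    b"4 0 obj << /Length " + str(len(_HIDDEN_DICT)).encode() + b" /Filter /FlateDecode >>\n",
    b"stream\n", _HIDDEN_DICT, b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(sample))
```

Running the block prints `low` for the benign sample and `high` for the constructed suspicious one, which the raw-bytes search alone would have scored lower because half of its indicators sit inside the compressed stream or behind a name escape. In a gateway this verdict would gate the attachment for sandboxing or analyst review rather than block it outright, since legitimate forms do use JavaScript.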

Human rights lawyer Teng Biao reported on his blog and Twitter that his Gmail account was tampered with and messages were automatically forwarded to another account that he did not control.

See also “Google attacks traced back to China, says US internet security firm” from the Guardian.

Update: See a detailed technical analysis of the attacks from Nart Villeneuve. Also, Google reportedly attempted to enlist the solidarity of fellow foreign corporations in China in speaking out against cyber attacks, but nobody agreed to come forward.