Why Were Gmail Users Targeted in China Hack? (Updated)

More information is coming out about Chinese hackers who attacked American e-mail accounts, including those from Gmail and Yahoo. It seems that many personal accounts of American government officials were targeted. From the Guardian:

The attacks on the US government officials by China-based hackers targeted personal accounts, rather than trying to break into better-secured federal systems. Not only Google’s Gmail was targeted; Yahoo accounts are also known to have been among those hit. It is not known whether any accounts on Microsoft’s Hotmail system were hit.

It would be illegal for US government staff to use a personal email account for government work, partly because it would not fall under the Freedom of Information Act, which is meant to apply to all intra-government communication.

However, as Mila Parkour, the Washington-based IT specialist at the security specialists Contagio Malware Dump who first spotted this points out, the emails would have looked as though they were being forwarded, which would often mean being read “at home in a relaxed atmosphere, which helps to catch the victim off guard, especially if it appears to arrive from a frequent contact.” She adds that “some people have a habit of forwarding messages from enterprise accounts to their personal mail for saving or easy reading at home, which may potentially offer some sensitive information.”

The fact that the hackers knew the personal email accounts of the people they were targeting points to very extensive inside information that would take a remarkable amount of intelligence-gathering and research – and highlights questions over the motives of the hackers.

In reality, however, the Gmail attacks were not really a “hack” but rather a “phishing” attack, in which users were tricked into revealing their passwords. From Fast Company:

“Gmail Hack” was scattered across media headlines yesterday, inciting the rumor that Google’s popular email platform had been the victim of a cyber-attack. It wasn’t true. Google was not hacked, a company spokesman tells Fast Company. Some users were duped into supplying passwords to fraudulent emails masquerading as trustworthy sources (known as phishing)–a very common occurrence.

The first clue to the suspiciousness of the story should have been the fact that only “hundreds” of emails were hijacked. Phishing attacks are so exceedingly common that Gmail has a built in speed-dial button next to the “reply” option to alert Google to fraudulent attempt to attain passwords. Anyone who’s ever been sent a spam email by a friend or seen a sketchy Facebook post that links to a website completely unrelated to the link title has witnessed an account hack.

However, the fact that the attacks originated from China was news, especially given the nerve-racking announcement that the Pentagon will treat cyber-attacks as acts of war. Worrisome, since the Chinese government has, in the past, reportedly been the source of attacks against Google. The fallout, if it’s discovered that these most recent Gmail attacks originated from the Chinese military, will be far greater in scope than a few hundred people losing temporary access to their email.

There has been no direct link as of yet that these attacks were backed by the Chinese government, but investigations are ongoing and some fear it could escalate into cyber-warfare. From the Guardian:

While there is no direct evidence that the hackers were in the pay of the Chinese government, the sophistication of the attacks and their highly targeted nature eliminates direct financial gain as a motive. Google did not rule out the possibility of the attack being state-sponsored.

The action could seriously heighten tensions over the issue of cyberwar. The US government moved this week to classify cyber-attacks as “acts of war”, while the defence minister Nick Harvey said on Monday that “action in cyberspace will form part of the future battlefield”.

At an international cybersecurity conference being held in London this week, delegates warned that new cyber-attacks were being developed so quickly that there should be a nonproliferation treaty over their creation and use.

Michael Rake of BT Group warned world powers were being drawn into a hi-tech arms race, with many already able to fight a war without firing a single shot.

While the Chinese government has called Google’s claims a “fabrication,” Secretary of State Hillary Clinton has said that the FBI will investigate:

“We are obviously very concerned about Google’s announcement,” Mrs. Clinton said. “These allegations are very serious, we take them seriously, we’re looking into them.”

She referred reporters to Google for details, “and to the F.B.I., which will be conducting the investigation.”

Update: At the New York Times, VentureBeat’s Matt Marshall asks Google, What Exactly Is the China Connection for the Phishing Scare?

The truth is, we just don’t know why Google has focused on Jinan. But in light of the political sensitivity, it would be in Google’s interest to offer more details, if only to shield the company from criticism that it is playing hardball against China for political reasons, and suspicion that it hasn’t nailed down enough facts to back its assertion that this came from China.

Here’s what we know: Mila Parkour, the Washington-based IT specialist at the security specialists Contagio Malware Dump who first spotted the attacks three months ago, and wrote about it here, documented a series of attacks from various locations. These also included Korea and New York.

This has some other experts asking questions, including Mary Landesman, a respected senior security researcher at Cisco. I called her up to ask her point of view of the attacks, and she pointed out that the Contagio documentation alone is not enough to pinpoint Jinan as the source.

“The Jinan, China connection seems to be coming from fact that some phishing emails were sent through 163.com,” she says, “but if that’s evidence, then I think it’s worth questioning. That’s a funny email for cyber [activity].” The domain 163.com may be based in Jinan, but that doesn’t mean that’s where the attack really originated.

June 2, 2011 11:16 AM
Posted By:
Tags: ,