Researchers identify command servers behind Google attack
VeriSign iDefense researchers have identified the source of the recent cyber-assault against Google and have found the command-and-control servers that were used to orchestrate the attack.
VeriSign's iDefense security lab has published a report with technical details about the recent cyberattack that hit Google and over 30 other companies. The iDefense researchers traced the attack back to its origin and also identified the command-and-control servers that were used to manage the malware.
The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator.
Citing sources in the defense contracting and intelligence consulting community, the iDefense report unambiguously declares that the Chinese government was, in fact, behind the effort. The report also says that the malicious code was deployed in PDF files that were crafted to exploit a vulnerability in Adobe's software.
"The source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof," the report says.
The researchers have determined that there are significant similarities between the recent attack and a seemingly related one that was carried out in July against a large number of US companies. Both attacks were apparently managed through the same command-and-control servers.
"The servers used in both attacks employ the HomeLinux DynamicDNS provider, and both are currently pointing to IP addresses owned by Linode, a US-based company that offers Virtual Private Server hosting. The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other," the report says. "Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July."
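The correlation the report draws (same dynamic DNS provider, same hosting company, addresses in the same subnet a few apart) is a common way analysts decide whether two incidents share infrastructure. The script below is an added example, not code from iDefense or the article: it scores that overlap for two constructed indicator records. The hostnames, IP addresses and suffix list are placeholders, not indicators from the attack; only the "same subnet, six addresses apart" relationship is borrowed from the report's description.

```python
"""Score infrastructure overlap between two incidents' C2 indicators.

Added example; hostnames, IPs and the suffix list are constructed stand-ins,
not real indicators from the report.
"""
import ipaddress

# Constructed list of dynamic-DNS suffixes an analyst might track (placeholder).
DYNDNS_SUFFIXES = ("homelinux.com", "homelinux.net", "homelinux.org")

# Constructed indicator records, one per incident. "ip" is what the C2 hostname
# resolved to at analysis time (documentation-range addresses, not real IoCs).
INCIDENT_JULY = {"c2_host": "updates.example.homelinux.org",
                 "ip": "192.0.2.10", "hoster": "Linode"}
INCIDENT_DEC = {"c2_host": "cdn.example.homelinux.net",
                "ip": "192.0.2.16", "hoster": "Linode"}


def uses_dyndns(host, suffixes=DYNDNS_SUFFIXES):
    """True if the hostname sits under one of the tracked dynamic-DNS suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def same_subnet(ip_a, ip_b, prefix=24):
    """True if both addresses fall in the same /prefix network."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net_a


def ip_distance(ip_a, ip_b):
    """Absolute numeric distance between two addresses of the same family."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        raise ValueError("addresses are of different IP versions")
    return abs(int(a) - int(b))


def infra_overlap(a, b, prefix=24):
    """Compare two incident records and summarise shared-infrastructure signals."""
    signals = {
        "shared_dyndns": uses_dyndns(a["c2_host"]) and uses_dyndns(b["c2_host"]),
        "same_hoster": a["hoster"].lower() == b["hoster"].lower(),
        "same_subnet": same_subnet(a["ip"], b["ip"], prefix),
    }
    score = sum(signals.values())
    if score >= 2:
        verdict = "possible shared infrastructure"
    elif score == 1:
        verdict = "weak overlap"
    else:
        verdict = "no overlap"
    return {**signals, "ip_distance": ip_distance(a["ip"], b["ip"]),
            "score": score, "verdict": verdict}


if __name__ == "__main__":
    for k, v in infra_overlap(INCIDENT_JULY, INCIDENT_DEC).items():
        print(f"{k}: {v}")
```

Each signal on its own is weak (a shared hosting provider or a shared dynamic-DNS service proves nothing), which is why the report hedges with "it is possible"; the score only flags a pair worth a closer look, it does not attribute anything.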
If the report's findings are correct, it suggests that the government of China has been engaged for months in a massive campaign of industrial espionage against US companies.
Update: Adobe disputes iDefense's claim that PDFs were used to deploy the malware. In a statement issued today, Adobe says that they have found no evidence that their technology was used as an attack vector in this recent incident. This is supported by independent research conducted by security firm McAfee, which has found evidence that a vulnerability in Internet Explorer—but not Acrobat Reader—was exploited in the attack.
But China says:
Censors back on Google as China defends Internet actions
Beijing, China (CNN) -- The Chinese government was defending its Internet practices Thursday, even as censorship of Google results -- which had briefly been lifted -- appeared to return.
Chinese officials' assertion that China "works hard to encourage the healthy development and expansion of the Internet" came a day after Google said it may close its China-based site.
Foreign Ministry spokeswoman Jiang Yu spoke after Google announced that a "highly sophisticated and targeted attack" from China targeted it and the e-mail accounts of at least 20 others, evidently to gain access to the e-mail accounts of Chinese human rights activists.
The activists were in the United States, Europe and China, a Google spokesman said.
The attack resulted in the theft of intellectual property from Google, and attackers routinely gained access to the e-mail accounts of dozens of activists -- albeit not through the Google network, according to David Drummond, senior vice president of corporate development and chief legal officer for Google.
As a result of the attacks, Google has decided to stop the "self-censorship" of its Google site in China and may shut down its site and its offices in China, Drummond said.
Jiang said Google's claims "raised very serious concerns and questions."
"I stress that China's Internet is open," Jiang said during a news conference in Beijing. "The Chinese government works hard to encourage the healthy development and expansion of the Internet, and works to create a favorable environment for that. Chinese law prohibits cyber attacks, including hacking, and administers this according to the law."
Within hours of Google's announcement that it was no longer willing to self-censor in China, Google.cn was retrieving results for sensitive topics including the 1989 crackdown at Tiananmen Square, the Dalai Lama and the banned Falun Gong spiritual movement.
Previously, a search for "Tiananmen" would only return images of the square itself.
Pages appeared to fluctuate between uncensored and somewhat censored throughout Wednesday and, by Thursday, government censorship of Google seemed to have been restored, with terms such as "Tiananmen Square" returning limited results.
Jiang emphasized that China "welcomes international Internet enterprises to enter China according to the law."
In response to repeated questions from journalists about the hacking and cyber attacks, she said Chinese law forbids cyber attacks and hacking.
When asked if this law means that the Chinese government itself is forbidden to conduct cyber attacks, she had no comment.
Chinese newspapers have reacted to the flap on opinion and editorial pages. The state-run Global Times said Google's departure would create a "setback to China" and "serious loss to China's Net culture."
"[Google's] strategic loss would be greater than its business loss," the Global Times said.
A Shanghai Morning Post editorial said Google should not "abandon" China. The Beijing-based Economic Observer said the search engine's departure would "be a sad result of Chinese Internet users."
The Chinese government said through its Embassy in Washington Wednesday that it welcomes foreign Web-based enterprises and is working "to promote sound development of the Internet."
"The Internet in China is open," said Xi Yanchun, a Chinese embassy spokesman. "It is illegal to assault the Internet. China [welcomes] foreign Internet enterprises to do business legally in China."
Since Google started operating in China in 2006, thousands of search terms have been censored, Google officials acknowledge.
The recent "attacks and the surveillance they have uncovered ... have led us to conclude that we should review the feasibility of our business operations in China," Drummond wrote in a statement.
"We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.
"We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China," Drummond's statement reads.
If Google ends operations of its Google.cn Web site, it will still make Google.com available, a spokesman said.
Google, perhaps best known for its search engine, also provides other computer services, including e-mail, online mapping and social networking.
The cyber attacks detected last month included assaults on a wide range of businesses -- including the Internet, finance, technology, media and chemical sectors, Google said.
"We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities," Drummond said.
This is gettin' good, y'all. Another really good article that came out on this yesterday is here: Google and China: the attacks and their aftermath. The post was already getting long, so I didn't include it, but I recommend reading it, because it has info about why it was that the hackers were able to get just e-mail subject lines and from addresses.
Also, I love the about-facing China is doing in the newspapers. First the papers were all like, "Google won't leave China, they make too much money here, so we're too important," and now they're going, "Wait, no, please don't go~!" when Google started talking severance packages with its Chinese staff and started looking like it was serious.