Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Closing in on the Google hackers

Closing in on the Google hackers

  • Comments 9

Joseph Menn has an article on CNN.com wherein the crux of the story is that US experts are closing in on the hackers that broke into Google last month.  It is believed by some that the Chinese government sponsored these hackers.  China, naturally, denied involvement.  My own take is that tools today are sophisticated enough such that you don’t necessarily need state sponsorship in order to launch a cyber attack.  Here is an excerpt:

U.S. analysts believe they have identified the Chinese author of the critical programming code used in the alleged state-sponsored hacking attacks on Google and other western companies, making it far harder for the Chinese government to deny involvement.

Their discovery came after another team of investigators tracked the launch of the spyware to computers inside two educational institutions in China, one of them with close ties to the military.

A freelance security consultant in his 30s wrote the part of the program that used a previously unknown security hole in the Internet Explorer web browser to break into computers and insert the spyware, a researcher working for the U.S. government told the Financial Times. Chinese officials had special access to the work of the author, who posted pieces of the program to a hacking forum and described it as something he was "working on".

In other words, a hobbyist programmer with a lot of time on his hands, and a lot of knowledge in his head, was working on something where he was looking to break Microsoft’s Internet Explorer web browser. 

Continuing onward:

Beyond the immediate forensic inquiry, the work of U.S. researchers sheds light on how cyber-operations are conducted in China.

The man who wrote code to take advantage of the browser flaw is not a full-time government worker, did not launch the attack, and in fact would prefer not be used in such offensive efforts, according to the U.S. team that discovered his role.

This is similar to the Estonian cyber attacks in 2007.  Back then, the Estonian government accused the Russian government of instigating the attacks, and the Russian government denied involvement.  As it turned out, an aide to a Russian state Duma representative did claim responsibility but specifically denied it as an act of the Russian government.  It appears that he was angry at the Estonian government for taking down a war monument and in response, launched a cyber riot.  Similarly in 2008, hackers launched a DOS attack on the Georgian government.  Like Estonia before it, this appears to have been a case of a group of nationalist people getting together, pooling their criminal resources and launching an attack at an enemy using cyber warfare.

In this case, the author of the code doesn’t work for the Chinese government, and neither did the Estonian or Georgian attackers.  This code writer wouldn’t even want his work to be used in cyber attacks, but that cat is out of the bag now.  Just like Alfred Nobel regretted his decision to invent dynamite, this guy can’t take back what he was wrought.  If you are looking for security exploits in a browser to do nefarious things, someone can take your code and use it in ways that you didn’t expect.

Continuing onwards:

"If he wants to do the research he's good at, he has to toe the line now and again," the U.S. analyst said. "He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing. The state has privileged access to these researchers' work."

It’s unclear if the Chinese government was peering over his shoulder and stealing his code, or if someone in the middle stole it and delivered it to the Chinese government, or even if the Chinese government was even involved.

Continuing, we start to get some light shed on this situation:

A separate team of U.S. contractors has traced the launch of the spyware to computers at Shanghai Jiaotong University and Lanxiang Vocational School, according to two people familiar with that inquiry.

Jiaotong University has one of the best security departments in the country, U.S. analysts said, with former government cyber commanders in residence. The state-run Xinhua news agency said officials at both schools denied involvement. In theory, outsiders could have compromised both schools' machines before using them to collect data from the Western companies.

But US analysts said at least Jiaotong University's networks are closely monitored, making them an odd choice for an independent attacker seeking to avoid detection. In addition, "Our investigation shows the hosts that did the attacks were not compromised that we could tell", said an analyst involved in that probe.

In my experience, universities are breeding grounds for compromised servers.  Not a week goes by when we don’t have at least one incident where somebody has been phished and then the account starts spewing out piles of outbound spam.  And this goes on all the time.  So, the fact that the spyware was launched from a university should come as no surprise.  If you’ll allow me to craft a theory, it would go something like this:

Students like to play a lot of online role playing games like World of Warcraft.  One of the most common worms today is the Taterf worm, which steals passwords to MMORPG games like WoW.  This worm is spread via thumb drives and misconfigured network drives.  Perhaps some students in China were playing games, somebody spread around some malware (inadvertently) and installed a password stealer, or a code stealer.  The Chinese have lots of pirated software and don’t have the best security practices.  China + universities = recipe for disaster.

Meanwhile, a security consultant (read: PhD student who knows tons and tons about security and was working on it for his thesis) has caught the eye of the Chinese government, or someone else who wants to steal secrets from Google.  This grad student likes to relax and play video games every once in a while, and if you have ever been to China, you know that males between the ages of 18-29 are forever found in Internet cafes playing MMORPGs.  Maybe his network gets compromised, maybe his computer gets infected with malware, but somehow or another, his system gets hacked and his code is stolen.

Or maybe it isn’t stolen.  Maybe he is experimenting one day and one of the side effects is that his worm gets out of control (like a bad movie) and steals Google credentials.  Or maybe he works for Baidu (or perhaps they are funding his research) and they steal the code and use it against Google. 

Note the phrase that “Jiaotong’s network’s are closely monitored” and “the hosts did not appear compromised.”  That would indicate that whoever stole the information did so willingly and there was not malware installed on the networks.  It would have to be a deliberate act.

Or would it?  Many people who are infected wouldn’t necessarily know it or recognize it.  The fact is we don’t really know enough to determine if this was a conspiracy or not.  What it sounds like is that some guy wrote some software that exploits a security flaw and this was used by someone with malicious intent.  Was it the Chinese government?  Was it private enterprise?  Or was it some students using it to see if they could do it?  I don’t know enough about the details of the case, but neither would surprise me.

Leave a Comment
  • Please add 6 and 8 and type the answer here:
  • Post
  • Nice article.

    I observed that you are praising this Chinese guy throughout the article for his extra-ordinary coding skills. Google should consider this a programming test of a programmer and hire that Chinese guy who has defeated the complete Google team in this code challenge.

    This would be the best option to Google.

  • This article is nothing but a joke.

    Yet once again some Americans talking like they have a cooking clue what is going on in China. (and in my many years living in China I learned to argue with one of them is like arguing a Christian out of his religion).

  • "Was it the Chinese government?  Was it private enterprise?  Or was it some students using it to see if they could do it?  I don’t know enough about the details of the case, but neither would surprise me."

    You listed three possibilities, then said, "neither." How can I take the rest of your article seriously?

  • I agree with Krokonoster,

    I worked with a Chinese immigrant and can agree arguing with them about common sense items does not go very well. Its like putting reason in front of them they can't think that way.  

  • If there is a flaw in the logic of this article, it is in not addressing that the attack was targeted to specific individuals (or traits). The article is a good explanation for "in the wild" type events but this was not a general release issue. This is really more like a cyber version of the U2 being shot down.  

  • Interesting analogy, Dan Anderson.  The initial reports of the attack did mention social engineering and spoofing/phishing of specific individuals in the various target companies.

  • I agree with Dan. There was no mistaken worm getting out of control.  This attack targeted specific employees of Google, Adobe, and who knows where else.

    You might not need state sponsorship, but an attack of this scope isn't something you'd see by hobbyists.

    Also remember that the payoff was a collection of email headers from Chinese human rights activists.

    From there, it's not hard to connect the dots.

  • i would like to say in here is

    Security is what ___ what you don't know

    means you are only secure from the things you know and there are many things beyond that and you are not secure of

  • [But US analysts said at least Jiaotong University's networks are closely monitored, making them an odd choice for an independent attacker seeking to avoid detection. In addition, "Our investigation shows the hosts that did the attacks were not compromised that we could tell", said an analyst involved in that probe.]

    Weren't Google's own networks closely monitored?  Will any one believe a university's networks being more secure than Google's?

    And how could an investigation done remotely, weeks later after an incident, be sure that the host had not been compromised?  If this is true, then listing all the compromised hosts in the Internet should be a piece of cake, right?

Page 1 of 1 (9 items)