Last month, Google announced that it would withdraw its services from mainland China following a series of sophisticated and coordinated hacking attacks, dubbed Operation Aurora, which targeted the Gmail accounts of human rights activists. These attacks originated from China, which dismayed the authorities at Google, who threatened that Google could no longer censor its search results on Google.cn, the Chinese version of the Google homepage.
The Google China fiasco then took a new turn when Google, in a secret counter-offensive, managed to hack the Chinese hackers back by breaking into the source computer in Taiwan that was involved in these attacks. Google engineers also found evidence indicating that the attacks actually originated from mainland China and were possibly orchestrated by the Chinese government.
Now a leading computer forensic firm has provided the closest inside look yet at the nature of these attacks and of the attackers who struck Google and other major US companies. The report did not mention Google by name, or any other company for that matter, but focused mainly on information gathered from several forensic investigations the firm has conducted, which are identical to what we know about the Google hack.
Here is a quick breakdown (courtesy of Sebastian Anthony of Download Squad) of the report published by Wired on the attacks employed against targets such as Google, U.S. oil companies, defense contractors and counter-terrorism departments.
- A new form of attack is being leveraged by hackers, called Advanced Persistent Threats (APT) – think of an APT as a ‘ticking bomb’, an apparently benign piece of software that can be turned on at any time. These APTs can avoid detection and remain dormant for months or years, only turning on when the ‘coast is clear’. In this most recent case, an unpatched zero-day attack on Internet Explorer 6 was the entry point.
- These attacks are theft-oriented — the sole purpose behind these APT attacks is to get at sensitive data: email, Word documents, PowerPoint presentations, spreadsheets, etc. Corporate secrets, counter-intelligence, you name it.
- ‘Spear-phishing’ provides the way in — spear phishing is a ‘targeted’ attack where email, chat or other communication tools are used to trick individuals in a position of power. In this case, a campaign of phishing attacks tailored towards getting a counter-terrorism official’s password was successful. Once you have a way in — malware, via the high-ranking and high-clearance user — it’s much easier to get more data…and so the web of exploited and compromised machines and accounts grows!
- A very clever way of sending the data back home — once the network and users have been compromised and the data harvested, it has to be sent back. In these advanced APT attacks, data is compressed and then slowly leaked out of the home network using false headers and custom protocols sent over obscure or misleading ports (SSL, in this case).
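The last point, exfiltration over a misleading port such as 443 using false headers and a custom protocol, is one of the few places in the breakdown where a defender has a concrete hook: traffic on the SSL port that does not actually begin with a TLS handshake record. The script below is an added illustration of that check, not code from the forensic firm, Wired or Download Squad, and the flows it examines are constructed samples. It treats a client payload on port 443 as legitimate only if it starts with a well-formed TLS handshake record carrying a ClientHello, and labels anything else by the compression magic bytes it happens to lead with (the text notes that stolen data is compressed before being leaked out). The TLS record layout it parses is the real one; the flow tuple shape and the function names are assumptions for the example.

```python
"""Flag outbound flows on TCP/443 whose first bytes do not look like a TLS handshake.

Added example for the Operation Aurora breakdown; the sample flows are constructed.
"""

# TLS record header: content type (0x16 = handshake), version major/minor, 16-bit length.
TLS_HANDSHAKE = 0x16
TLS_VERSION_MAJOR = 0x03          # SSL 3.0 and every TLS 1.x share major version 3
TLS_MAX_RECORD_LEN = 16384        # maximum plaintext record size allowed by the spec
CLIENT_HELLO = 0x01               # handshake message type that opens every connection

# Magic bytes of common compressed containers; used only to label a finding.
COMPRESSION_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
}


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload begins with a sane TLS handshake record whose first message is a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    if content_type != TLS_HANDSHAKE or major != TLS_VERSION_MAJOR or minor > 0x04:
        return False
    if record_len == 0 or record_len > TLS_MAX_RECORD_LEN:
        return False
    return payload[5] == CLIENT_HELLO


def classify_payload(payload: bytes) -> str:
    """Label a non-TLS payload by any compression container magic it starts with."""
    for magic, name in COMPRESSION_MAGIC.items():
        if payload.startswith(magic):
            return f"compressed:{name}"
    return "unknown"


def find_suspicious_flows(flows):
    """flows: iterable of (src, dst, dst_port, first_payload_bytes).

    Returns a list of (src, dst, label) for port-443 flows that are not TLS.
    Flows to other ports are ignored; this check is specific to the misleading-port trick.
    """
    findings = []
    for src, dst, port, payload in flows:
        if port != 443:
            continue
        if looks_like_tls_client_hello(payload):
            continue
        findings.append((src, dst, classify_payload(payload)))
    return findings


# Constructed sample flows (hypothetical addresses from documentation ranges).
SAMPLE_FLOWS = [
    # Genuine TLS 1.2 ClientHello record header followed by the client random.
    ("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("160303 00c5 01 0000c1 0303") + bytes(32)),
    # A gzip-compressed blob pushed straight down port 443 with no TLS at all.
    ("10.0.0.7", "198.51.100.22", 443, b"\x1f\x8b\x08\x00" + bytes(16)),
    # A custom protocol wearing a fake HTTP header on the SSL port.
    ("10.0.0.9", "198.51.100.23", 443, b"GET /update HTTP/1.1\r\n" + bytes(8)),
    # Plain HTTP on port 80: out of scope for this particular check.
    ("10.0.0.9", "198.51.100.24", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, dst, label in find_suspicious_flows(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {src} -> {dst} ({label})")
```

Run as-is it reports the gzip blob and the fake-HTTP flow and stays silent on the real ClientHello. In practice this sort of port-versus-protocol mismatch is exactly what the protocol detection in an IDS such as Zeek or Suricata already surfaces; the value of a small script like this is seeing which bytes the check keys on, and why a slow trickle of compressed data on 443 does not get a free pass just because of the port number.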
The worst and perhaps scariest aspect of these attacks is that it’s almost impossible to detect or predict the occurrence of such an attack. Is this the beginning of the cyber war that we all have been fearing for years? In any case, let’s hope that we have a proper counter plan against the occurrence of these attacks in future. [via Wired]