This post is my analysis of publicly information available on the attack against Google. I think that Google linked to my blog and the GhostNet report because of similarities in methods, not because the two cases are linked. This post combines my analysis of Google’s statement, media report and my experience with other attacks — that doesn’t mean that this is exactly what happened in the attack on Google.

There’s been a lot of chatter about how Google and 30+ other companies were compromised. Adobe has issued a statement saying that they too were compromised they still won’t say if attacks are in fact linked. Yahoo! stated that they were “aligned with Google” and it is now being reported that Yahoo! was among the other unnamed victims in the attack.

The timing of the compromise is interesting because it coincides with a 0day vulnerability in Adobe Reader. It has been suggested that this was the attack vector. The coincidence is interesting and I think that this claim is fairly credible.

UPDATE: McAfee reports that the compromise was an Internet Explorer 0day:

Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7. Still, so far the attacks we’ve seen using this vector have been focused on Internet Explorer 6. Microsoft has been working with us on this matter and we thank them for their collaboration.

While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.

iDefense has stated that they were able to investigate these attack since some of their customers were also hit:

IDefense was called in to help some of the victim companies that Google had uncovered. According to Jellenc, the hackers sent targeted e-mail messages to victims that contained a malicious attachment containing what’s known as a zero-day attack. These attacks are typically not detected by antivirus vendors because they exploit a previously unknown software bug.

“There is an attack exploiting a zero-day vulnerability in one of the major document types,” Jellenc said. “They infect whichever users they can, and leverage any contact information or any access information on the victim’s computer to misrepresent themselves as that victim.” The goal is to “infect someone with administrative access to the systems that hold the intellectual property that they’re trying to obtain,” he added.

The attack vector is very similar to GhostNet, but, it is a very common form of attack. Mikko Hypponen (who is awesome) told the BBC:

“This wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly. said Mikko Hypponen, of security firm F-Secure.

“Most companies just never go public,” he added.

“Human-rights activists are the biggest target,” said Mr Hypponen. “Everyone from Freedom for Tibet to Falun Gong supporters and those involved in Liberation of Taiwan are hit.”

I tend to agree. It is not the method of attack that is the story here, its the high profile of the victims and public disclosure by Google as well as Google decision to challenge China’s censorship that have made it so interesting. Really, we investigate these kind of attacks (usually on human rights activists) all the time.

In short, a user receives an email, possibly appearing to be from someone that they know who is a real person within his/her organization, with some text — sometimes specific, sometimes generic — that urges the user to open an attachment (or visit a web site) usually a PDF or Word Document (but other document types are also common). If the user open that attachment with a vulnerable version of Adobe Reader or Microsoft Office their computer will be compromised. The antivirus detection for these documents is usually relatively low and if the exploit is a 0day — an exploit for which there is no fox form the vendor available — the chances of compromise are very good.

After the user’s computer is compromised it “checks in” with a command and control server (C&C). These days it is most common for this check in to be an HTTP connection — it often looks like just another visit to a website — in which the compromised computer sends some information, usually an IP address and operating system etc… — and receives a command which it then executes. From there the attacker has full control of the system. The attacker can steal documents, email etc… force the compromised computer to download additional malware and use your infected computer as a mechanism to exploit your contacts or other computers on your network.

One of the things I like to track closely is the network infrastructure of the attackers — the location of their command and control servers as well as the mechanism of communication and other properties of the malware that allows for seemingly disparate attacks to be linked together. There has been some information published about the command and control servers used in the Google attack. James Mulvenon, who really knows his stuff, stated that the C&C’s were in Taiwan, the drop site for stolen stuff was on a US IP:

The attacks appear to have been launched from at least six Internet addresses located in Taiwan, which is a common strategy used by Chinese hackers to mask their origin, said James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc. a national-security firm.

They also hijacked the Internet address of a San Antonio-based firm, Rackspace, which is one of the largest Internet-hosting companies in the U.S. They siphoned off the stolen data from Google and other companies to the San Antonio site before sending it overseas, Mr. Mulvenon said. A Rackspace official said, “A server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyber attack, fully cooperating with all affected parties.”

In addition, a dynamic DNS service was reportedly used:

iDefense obtained samples of the malicious code used in the July attack and the more recent one and found that although the malware was different in the two attacks, the programs both communicated with similar command-and-control servers. The servers each used the HomeLinux DynamicDNS to change their IP address, and both currently pointed to IP addresses belonging to a subset of addresses owned by Linode, a US-based company that offers Virtual Private Server hosting.

“The IP addresses in question are . . . six IP addresses apart from each other,” iDefense said in its statement. “Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the [recent] Silicon Valley attacks have been compromised since July.”

UPDATE: Apparently one of the pieces of malware used was the Hydraq Trojan.

And what did the attackers steal? Google stated that there was “theft of intellectual property”, some suggest that the attackers stole source code:

But according to iDefense, whose customers include some of the 33 companies that were hacked, the attacks were well targeted and “unusually sophisticated” and aimed at grabbing source code from several hi-tech companies based in Silicon Valley as well as financial institutions and defense contractors.

However, Google stated that the”primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” and that the attack was partially successful:

Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Others state that Google’s internal intercept systems were attacked:

That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. “Right before Christmas, it was, ‘Holy s***, this malware is accessing the internal intercept [systems],'” he said.

Now some people have come forward, a Tibetan activist for example, saying that their email accounts had been breached.

Who is behind the attacks? Google didn’t really say who was behind the attacks . iDefense, who may be overreaching here, stated that it was the “Chinese state”:

“We confirmed with some clients and partners of ours in the defense contracting community that the IP addresses used to launch the attacks are known to be associated with previous attacks from groups that are either directly employed agents of the Chinese state or amateur hackers that are proxies for them that have attacked other U.S. companies in the past.”

In fact, attribution in these sorts of attacks is very difficult. Often people rely on the geolocation of an IP address — that’s not good enough. In these case the C&C’s were apparently in Taiwan and the drop site in the US. What does that tell us? Through piecing together seemingly disparate bits of information over time it is possible to make an educated guess. What makes the process difficult and tenuous is that the attackers might be quite different persons from those to ultimately exploit the data the attackers gather. It is the interpretation of the political dimensions of the attack that lead to a determination of who might ultimately have benefited the most form the attack, not technical evidence. Therefore there is room for a lot of uncertainty.


  1. ‘afternoon Nart,

    Great blog!

    One quick question on the quote from Mikko:

    > If the user open that attachment with a vulnerable version
    > of Adobe Reader or Microsoft Office their computer
    > will be compromised.

    Is that not oversimplifying the situation. For the computer to be compromised, don’t a couple of other requirements also need to be met including:

    1) Running with privileges that allow the malware to open ports, modify OS settings, etc.

    2) Have no outgoing firewall protection, so that the malware can open its backdoor ports.

    3) In the Acroread case, have Javascript enabled; I’m not sure what the scripting requirements are for IE.

    Could I ask your opinion please?


  2. […] best-detailed analysis I have been able to find is by Nart Villeneuve on his blog. In his report he suggests that a […]

  3. […] Execution. Altre informazioni si trovano nel post di Kim Zetter su Threat Level (Wired) e in una nota del solito Nart Villeneuve. Come dire che il problema non è il cloud computing in sé, ma […]

  4. Thanks for the synopsis. Well done.

  5. One of the comments on the Wired article said:
    “This, my friends, is war. Much like the current war on terror, this war will not be lead by nations. It will be fought in 1s and 0s and our casualties will be our most precious information.”
    The Chinese have a less than ideal view of IP, summarised by what ours is ours, and yours is ours.
    IMO the world should take notice of this event and what Google is doing and support them wholeheartedly. I see the historical parallel when the world doing nothing when Stalin put a barbed wire fence around Berlin. Had the world taken prompt and strong action then; there’s a good chance we wouldn’t have had the Berlin Wall.
    Microsoft has taken the short-term view that it’s OK for the Chinese to steal IP from US companies; particularly galling when part of the hacks appears to be weakness in their Internet Explorer that was exploited.
    Yes, it’s very easy for Microsoft and others to turn a blind eye and think of the money but Google is doing the right thing; the others will watch their values decline as rapidly as their Intellectual Property flows into Chinese servers.
    Google is doing the right thing; they appear cognitive of Edmund Burke’s ‘The only thing necessary for the triumph of evil is for good men to do nothing’.

  6. @Tim — Yes, it is a simplification as I was generalizing what happens in such attacks. But yes, many of the Adobe Reader exploits can be mitigated by turning off Javascript in Adobe Reader, but since it is on by how many people actually do? MS Office products are also being exploited, in general, some explots require specific service packs and so on but the attacks work on most people. Also, there’s the question of AV’s and while they don’t detect the malicious doc or pdf they may detect the binary that gets dropped. So not all attack will work on all targets. (I mean, really most of these are targeting WindowsOS too).

    Also, if you read McAfee’s assessment of the new IE 0day you can see how bad it can be — fully up-to-date OS/IE and no AV detection. That’s pretty bad, if you click the link an attacker sends you’re gonna get whacked. That’s why I was emphasizing the part about tricking the user, that’s the most important part.

  7. […] analiza a incidentului recomandata de Google este cea facuta de Nart […]

  8. […] Villeneuve excellent summary of the […]

  9. @tim

    You do raise an important issue of over simplification but on the contrary the points you listed are very easy to get past, in fact they hardly play a role in a windows pc. Do read on as you may find this interesting. I have personally been involved in one such investigation more than a year ago.

    The trojan arrived by a socially engineered email
    The exe name of the file was wupdmgr – antiviruses have an exclusion or exceptions defined on this file name – first weakness
    The local user had local admin priv – most common with home users and small to mid companies who do not have a large it budget
    Upon execution of wupdmgr – it created firewall exceptions and registered it self as a service – the communication back to command center had already started
    If u see the services list nothing looks out of the ordinary – this service was called Internet Connection Manager – under normal circumstances there is no such service – even a good eye may not catch it
    The level of sophistication was just unbelievable – they directly elevated dcom privileges and ran
    Interestingly once the backdoor was in place – more sophisticated tools arrived to the pc – one such tool took the lm hash of the domain admin – used the hash and injected directly to spwan a cmd shell – they could then map c$ d$ on servers

    If you look at the overall scenario – it simply preys on the fact that the pc is never ever secure and will never be given the kind of IT budgets these end users have or the small orgs that nat is referring to – it also shows how blind sided Msoft is as well

    @nat great article and yeomen work

  10. uk visa lawyer,

    silly, all states engage in espionage to some degree or another. It isn’t necessarily an activity ordered by the leader of that state. See Enercon for example and someone at the NSA passing their tech to a US firm via super-secret spy satellites. Not to get political, but… the “what is yours, is ours” is an attitude that many people would identify much more strongly as being expressed by the US, not by China.

  11. Thanks for the article. This is the most informative piece of writing I have found on this topic. It’s all over the news, but not in enough detail. Regular news never goes into enough detail to get a thorough understanding of what’s actually going on with something that is clearly very complicated.

  12. @roger,

    Thanks for your reply. Its certainly a very interesting topic to discuss, so thanks for your time.

    You note an interesting point: “The local user had local admin priv”. Sure the local user was tricked by the malicious email, and sure the malicious code is very sophisticated, but is the core problem simply that the user is running as admin? Or to put it another way, if the victim was not running as admin, could the malware have achieved anything more significant than toasting the user’s account and associated data?

    I don’t mean to labor this point; I’m just trying to understand what advice I can give people which is both realistic and satisfactory.

    Thanks again,

  13. It is great to see a company like google want to offer the people of china the freedom of being uncensored ! However it is a pipe dream. As new ways are developed for the people of China to express themselves or have complete freedom, the Chinese government will develop “laws on the fly” baring that freedom.
    I wish Google much support in their efforts – the people of China need a free uncensored internet – everyone does , but they will do whatever it takes to shut google down. Its a shame if google bails out of China, the Chinese government will get their way and win the censorship war!

  14. @Tim

    The answer to your question is Yes. There was code that used Dcom and ran it on Elevated privileges it was not necessary to be running as admin.

    In a second incident investigated – The malicious code executed on simply right clicking the exe file. It is so common for admins to right click a file and try to look at the properties to see if its signed etc before taking the next step …


    You mention Hydraq as the possible malware currently used , in the incidents i investigated it appeared to be Hupigon . Would you have any means to know if hydraq and hupigon share similar code ?

    Also the registry entry created had obfuscated the path to the executable to avoid detection from tools

    It never appeared that there was a specific information they were targeting – it always appeared as a grab all that you can get! .. This makes one issue clear that the front line attacker is pulling files out and someone else in the back is sifting thru it for further use

Post a comment.