China’s cyberspies aren’t the only ones prowling Internet

January 15th, 2010

Google’s taking umbrage over Chinese cyberattacks has security experts talking about just how vast and rich the world of cyber espionage has quietly become.

“It isn’t just China,” says Matt Moynahan, CEO of application security firm Veracode. “They are the most aggressive. But all large governments are doing this, as are organized non-government actors.”

Indeed, China, Russia, North Korea, Iran, Israel, France, the United States and the United Kingdom are widely known to possess state-of-the-art cyber espionage know-how, which is put to use gathering economic and military intelligence. Details of covert cyber-ops get discussed at numerous conferences attended by military brass, federal regulators, law enforcement officials, privacy advocates and tech security analysts.

“The consensus discussion is that everybody is busy spying on everybody else,” says Jody Westby, CEO of consulting firm Global Cyber Risk and a distinguished fellow at the Carnegie Mellon CyLab think tank. “These countries are doing it to us, but we’re also doing it to them.”

With little fanfare, Secretary of Defense Robert Gates underscored as much on 24Jun2009, when he stood up a new Department of Defense subcommand focused on cybersecurity under the U.S. Strategic Command.

“This is about trying to figure out how we, within this department, within the United States military, can better coordinate the day-to-day defense, protection and operation of the department’s computer networks,” Pentagon Press Secretary Geoff Morrell told reporters at the time.

And last month, on 22Dec2009, when many of us were doing last minute gift shopping, President Obama named Howard Schmidt to the newly created post of White House cybersecurity adviser. Schmidt’s assignment: coordinate economic and military cybersecurity policy.

Schmidt, former Microsoft exec and Bush Administration appointee, is the cyber czar Obama said he would name in a watershed 29May2009 speech. He is the linchpin personnel piece to Obama’s plan for taking a leadership role in making the Internet safer.

Cyber black-ops

The cyber-espionage slice of the Internet underground traces its beginnings back to 1993, when the Russians first began developing black-ops teams to concentrate on intelligence gathering using the Internet, says Alan Paller, managing director of The SANS Institute think tank.

China was fully into cyber-spying by 2003 when a Chinese black-ops team, designated Titan Rain, roamed deep inside U.S. Department of Defense networks. By 2006, corporations in the U.S. and Europe were heavily infiltrated by China and other nation-states, says Paller.

A watershed warning came in December 2007. Jonathan Evans, Britain’s Director-General of MI5, cautioned 300 senior execs to guard against Internet assaults from “Chinese state organizations.” Such attacks, Evans warned, are designed to “defeat best-practice IT security systems.”

Evans said at the time, “‘If you’re doing business in China, your company’s network and your company’s lawyer’s network are very likely being penetrated,’” says Paller.

Cyber-intruders today routinely go after corporations, their law firms — and even their public relations firms, according to an Evans-like warning issued by the FBI last November. “They’re after the corporate playbook,” says Paller.

Google’s patience runs out in 4 years

It took Google threatening this week to pull the plug on its China operations to shed a bright light on the rising collateral damage caused by unchecked cyber espionage for economic and military strategic gain. Since agreeing to submit to China’s censors in exchange for opening a beachhead office in Beijing in January 2006, Google CEO Eric Schmidt has stated on numerous occasions, as recently as October 2009: “China has 5,000 years of history, Google has 5,000 years of patience.”

In Chinese culture, the numbers five, eight and nine are auspicious. The number four is associated with death and considered extremely unlucky. On Tuesday, 12Jan2010, after just four years in Beijing, Google’s patience died. Citing irritation over cyberattacks it loosely linked to censorship dictates, the search giant said it will no longer adhere to censorship rules as they stood.

Google chief legal counsel David Drummond issued a press release with details about how Google got hacked and why its patience had run out:

  • In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.  First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses . . .   Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists…
  • … These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results… over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The power of ‘no mas’

Google had stepped forward and made the same choice boxer Roberto Duran made when Duran could tolerate no more elusive footwork and peppering blows from Sugar Ray Leonard. This seemed to give permission for other Western companies to speak up. Subsequently, Adobe, Northrop and Juniper came forward to disclose that they, too, had been similarly targeted and breached by presumed Chinese attackers.

Then on Thursday, 14Jan2010, security firm McAfee contacted LastWatchdog with information that several of its customers had been likewise hit. McAfee CTO George Kurtz told me his researchers had isolated a sample of the attack sequence and malicious codes used.

According to Kurtz, the attackers began by sending emails and instant messages personally addressed to senior technical managers, enticing them to click on a corrupted Web page link. Clicking on the link triggered a freshly discovered security hole in the Internet Explorer web browser, which Microsoft embeds in all Windows PCs. Through this hole the attackers installed a program that allowed them to take control of the PC.

They then “began probing the network for high value intellectual property,” says Kurtz. Extracted data was sent to servers hosted by Rackspace, a San Antonio, Tex., web hosting company, and then transferred again to other servers.

This type of hybrid attack wasn’t at all innovative, nor was the attackers’ use of a security hole that exists in all versions of Microsoft’s Internet Explorer Web browser. Such a hole, exploited before the vendor has a fix available, is referred to as a zero-day vulnerability. Microsoft has patched hundreds of zero-day vulnerabilities since 2004. The software giant said Thursday it has begun work on a patch for the latest zero-day — the one intruders used to extract data from Google.

There’s a constant flow of fresh zero-days because computer code is complex. Researchers, known as whitehats, continually flush them out so they can be patched. Meanwhile, bad-guy programmers, called blackhats, do the same to sell them to cyber-intruders — for up to $100,000, according to Moynahan — who use them to steal data before any patches exist.

While their methodology was ordinary, the cyberspies who breached McAfee’s customers’ networks were no amateurs, judging by the tools and techniques they used. “It wasn’t a 13-year-old kid who pounded out a quick Trojan,” says Kurtz. “There were no corners cut in targeting these specific companies and in escaping detection as long as possible.”

CYBERsitter’s intellectual property stolen, its law firm targeted

At roughly the same time McAfee’s researchers were reverse engineering the Google attack, a live case of Chinese hackers going after a law firm unfolded in Los Angeles.

Gregory Fayer, a lawyer at the L.A. firm Gipson Hoffman & Pancione, received an obviously faked email purporting to come from his managing partner. Fayer told LastWatchdog that more than a dozen employees at the firm had received similar faked e-mail messages on Monday, 11Jan2010.

A week earlier, Fayer had filed a $2.2 billion lawsuit against China on behalf of Santa Barbara-based CYBERsitter, maker of a Web browser filter parents buy to keep their kids off porn sites. The lawsuit accused China of copying CYBERsitter’s proprietary program and using it lock, stock and barrel in a misguided state-sponsored child-protection censorship service, called Green Dam.

“The Trojan emails were located within China — the ISP routing shows there was a Chinese source,” says Fayer. “I’m not sure I can say a lot beyond that. We feel reasonably confident at this point that there was a connection with China.”

By Byron Acohido