Chinese government might not be behind Google attack

January 26th, 2010

Talk has begun percolating that Google’s threat to pull out of China could precipitate a Cyber Cold War.

But while all the marbles seem to be rolling in the direction of castigating China, there is an equally plausible perpetrator: garden-variety, profit-motivated cyber thieves out to amass industrial secrets which they can sell to the highest bidder.

“It is certainly a possibility that someone is doing this and leaving bread crumbs that lead you down the wrong road,” says Wolfgang Kandek, CTO at Qualys.

Amrit Williams, CTO at  BigFix, hopes we don’t too quickly forget the rush to blame North Korea for some lightweight defacing of South Korean and U.S. government and commercial websites last summer.

Rep. Peter Hoekstra (R-Michigan), the lead Republican on the House Intelligence Committee, called for a “show of force or strength” against North Korea. Turns out the crude attack was more likely the work of a cyber gang experimenting with new forms of denial-of-service attacks, while deflecting the blame to North Korea.

“This is all easy stuff to do. There seems to be proof that the computer servers (used in attacking Google) were located in China and that the malware was Chinese in nature, but it is almost impossible to prove the attacks were state sponsored,” says Williams.

Chinese fingerprints

Indeed, Zscaler senior researcher Mike Geide recently isolated the latest Chinese fingerprints relating to the cyberattacks of some 30 big tech, financial and media companies; the attacks that pushed Google to threaten China.

Meanwhile, governments worldwide, including the U.S., are suddenly hyper-focused on assessing their vulnerabilities and discussing cyberwarfare policies and protocols.

And companies world wide this week are – or should be – scrambling to install Microsoft’s emergency security patch for Internet Explorer – a zero-day hole used in the attacks on Google and the other corporate behemoths.

In this backdrop, Zcaler’s Geide took a closer look at www.latax.gov.cn – a Chinese government site with information about paying taxes.

Clicking to the site activated a sequence the culminated with the attacker gaining full access to the visitor’s harddrive via a freshly-discovered security hole in Microsoft’s Internet Explorer browser. The sequence continued, opening a backdoor through which the intruder installed a program to turn on the PC’s webcam, begin stealing sensitive data and hide its tracks.

Some 30 companies have reported getting their corporate networks breached in a similar sequence, the common thread being use of the IE security hole, and embedding of the same program to turn on the webcam, install a keystroke logger, and lock in the malicious code with a root kit.

Index pages manipulated

Geide’s discovery adds more evidence that the attackers responsible for what McAfee is calling Operation Aurora are communicating and coding in the Chinese language. He found that the initiating infection resided on the website’s indexing page. Every website has an indexing page, which directs the visitor to the content he or she is trying to get to. In order to corrupt the page, the attackers had to have access privileges to the host computer serving up the webpage.

There are only a few ways to get this access. “In order to have the ability to modify the indexing page you need privileged access rights to the webserver,” says Geide. “You can have them already, somebody on the inside can give them to you or you can steal them.”

Assuming the Red Army didn’t do this or condone this, an outsider could fairly easily do this by planting a sniffer program somewhere on the government’s network and homing in on the needed credentials. Or they could have used a SQL injection attack to hack the Web server.

The coding that embedded the Web cam, keystroke logger and root kit derived from a common do-it-yourself crimeware kit, called Hupigon. The menu-driven controls for Hupigon are in Chinese, and the kit is marketed primarily on Chinese language criminal forums.

“The evidence suggests, at the end of the day, that Chinese individuals were behind putting this on the Chinese government’s website,” says Geide. “Whether they had the government’s cooperation or not, I cannot state.”

Geide says, as of Tuesday morning, 26Jan2010, these Chinese government websites reportedly carry the same attack sequence:

  • .wscz.gov.cn
  • .zhepb.gov.cn
  • .jssalt.gov.cn
  • .xfgh.gov.cn
  • .laspzx.linan.gov.cn
  • .zsjs.nmfc.gov.cn

In these cases, the prospective victims would presumably be Chinese-speaking citizens visiting the government websites, says Geide. But he adds that could include Chinese-speaking employees of Western companies doing business in China, who would have reason to visit the government sites.

“The prevalence of malware on GOV.CN webpages needs to be further investigated,” says Geide.

Patching implications

Meanwhile, Microsoft issued an emergency patch last week to close the security hole that enables this type of attack. The patch is being automatically distributed to millions of individual PC owners via Microsoft’s Windows auto update service. Home PC users should make sure they are current on Windows updates, since these infections can lurk on other webpages, as well.

The risk of getting infected by the Operation Aurora attackers will remain high for some time to come, security experts say. Most big companies in the West do not install security patches on workplace PC until completing extensive testing, which can take weeks, says Kandek.

Also, most individual Windows PC users in China – an estimated 90% – use pirated copies of Windows that do not qualify for security patches, says Matt Rosoff, tech industry analyst at research firm Directions on Microsoft.

“This is a defining moment bringing much needed attention to how inadequate our cyber defenses in the private and public sectors really are,” say BigFix’s Williams. “But if this escalates into government leaders suggesting a kinetic response, that’s very bad.”

UPDATE/CLARIFICATION: Apologies to Matt Rosoff, who has tracked Microsoft’s strategy to deal with China policy closely for years. For the record, Matt did not explicitly say in an interview with me that pirated copies of Windows do not qualify for Microsoft security patches. In fact, most users of pirated copies Windows can get security  updates.  Sophos analyst Chet Wisniewski points out that Microsoft actually has provided a free-pass for users of pirated copies of Windows to get security updates.

“This can be an important message to get out, as pirated Windows users in the US should not be afraid of patching as Microsoft  is not tracking security downloads,” says Wisniewski.

Whether many users of pirated copies of Windows are aware of — or trust — Microsoft’s nuanced effort to make security patches available to them is unknown.

“I preach whenever someone is listening that users should trust Redmond for their word on this one, and that infected pirated copies of Windows are not doing anyone any good, especially Microsoft. It hurts their reputation and piracy or not people should feel obligated to do their part for a safer Internet.”

By Byron Acohido