Chinese authorities behind Google attack, researcher claims

Forensics expert who examined malware believes it's too good to have come from independent hackers

The malware used to hack Google is so sophisticated that researchers brought in by the company to investigate believe the attack code was designed and launched with support from Chinese authorities.

According to Carlos Carrillo, a principal consultant for Mandiant, a Washington D.C.-based security incident response and forensics firm, the attack against Google last month was "definitely one of the most sophisticated attacks I've seen in the last few years."

Mandiant was called in by Google to look into the attack, and Carrillo was the project manager for the Google investigation. During an interview Friday, he frequently chose his words carefully, saying that there was much he couldn't discuss because the work was ongoing.

"The malware was unique," Carrillo said. "It had unique characteristics ... it was ... let's just say it was unique."

Other researchers who have examined the malware have also come away impressed. Thursday, Dmitri Alperovitch, vice president of threat research at McAfee, called the attack code "very sophisticated" and added, "We've never seen anything this good in the commercial space. In [attacks on] government, yes, but not commercial."

But what does that kind of expertise mean?

Carrillo is convinced that, given the sophistication of the code, it was produced with support from Chinese authorities. "This wasn't on the level of Metasploit," Carrillo said, referring to the open-source penetration testing framework whose exploits are often used by hackers to craft malware. "This wasn't something that a 16-year-old came up in his spare time."

When asked if the code quality pointed toward Chinese state support, Carrillo answered, "I would say so." He declined to elaborate.

Mandiant was called in to investigate the attack on Google "early in the process," said Carrillo, who refused to get more specific. McAfee's Alperovitch said that time stamps in the malware's command-and-control log files indicated the attacks began in mid-December and ended Jan. 4, when the hackers' servers were shut down.

In the announcement Tuesday that its corporate network had been hacked and intellectual property stolen, Google said the attacks had been discovered in mid-December. Google also said the attacker tried to access the Gmail accounts of Chinese human rights activists, a move that -- along with increasing censorship of the Web by China's government -- has prompted it to reevaluate its business in the country.

Carrillo also provided additional information to the still-sketchy framework of the attack, saying that the exploit of a vulnerability in Microsoft's Internet Explorer was not the only vector used by the hackers. That seemed to back up Microsoft 's assertion that the IE bug wasn't the sole cause of the break-ins.

And while the number of companies hit by the Chinese attacks have been reported as low as 20 to as high as 34, Carrillo said Mandiant's work indicated an even larger number may have been hit.

"Most of the time, companies find out [about such attacks] when they're contacted by third parties, like other companies or law enforcement," Carrillo said. "Until then, they're not aware they've been attacked. They don't have a clue."

But that's not a surprise in attacks like the ones that hit Google. "These [attackers] are very good at what they do," Carrillo said. "Without getting into details, their techniques allow them to masquerade as legitimate users, so traditional means of, for example, intrusion detection or antivirus security are for the most part ineffective."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer , send e-mail to gkeizer@ix.netcom.com or subscribe to Gregg's RSS feed .

Join the PC World newsletter!

Error: Please check your email address.

Tags GoogleCloudsecurityChina

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?