Google China cyberattack part of vast espionage campaign, experts say

By Ariana Eunjung Cha and Ellen Nakashima
Thursday, January 14, 2010; A01

Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said.

At least 34 companies -- including Yahoo, Symantec, Adobe, Northrop Grumman and Dow Chemical -- were attacked, according to congressional and industry sources. Google, which disclosed on Tuesday that hackers had penetrated the Gmail accounts of Chinese human rights advocates in the United States, Europe and China, threatened to shutter its operations in the country as a result.

Human rights groups as well as Washington-based think tanks that have helped shape the debate in Congress about China were also hit.

Security experts say the attacks showed a new level of sophistication, exploiting multiple flaws in different software programs and underscoring what senior administration officials have said over the past year is an increasingly serious cyber threat to the nation's critical industries.

"Usually it's a group using one type of malicious code per target," said Eli Jellenc, head of international cyber-intelligence for VeriSign's iDefense Labs, a Silicon Valley company helping some firms investigate the attacks. "In this case, they're using multiple types against multiple targets -- but all in the same attack campaign. That's a marked leap in coordination."

While it's difficult to say with certainty where a cyberattack originated because the Internet allows hackers to seemingly crisscross country borders and time zones in seconds, the issue is quickly turning into a source of diplomatic tension.

The standoff between Google and China touches on the most sensitive subjects in U.S.-China relations: human rights and censorship, trade, intellectual property disputes, and access to high-tech military technology.

"The recent cyber-intrusion that Google attributes to China is troubling, and the federal government is looking into it," White House spokesman Nick Shapiro said. He added that President Obama made Internet freedom "a central human rights issue" on his trip to China last fall.

Since it began operations in China five years ago, Google had agreed in theory to filter sensitive searches but clashed with the Chinese government on what material was covered, and the company regularly found its service blocked when it defied its hosts.

China's state media reported that the government is looking into Google's claims. In China, news about Tuesday's public rebuke by Google was heavily censored except for a stinging opinion piece in the official People's Daily that called the Silicon Valley tech giant a "spoiled child" and predicted that it would not follow through on its ultimatum.

The recent attacks seem to have targeted companies in strategic industries in which China is lagging, industry experts said. The attacks on defense companies were aimed at gaining information on weapons systems, experts said, while those on tech firms sought valuable source code that powers software applications -- the firms' bread and butter.

The attacks also focused on obtaining information about political dissidents.

"This is a big espionage program aimed at getting high-tech information and politically sensitive information -- the high-tech information to jump-start China's economy and the political information to ensure the survival of the regime," said James A. Lewis, a cyber and national security expert at the Center for Strategic and International Studies. "This is what China's leadership is after. This reflects China's national priorities."

Adobe, a software maker, confirmed on Wednesday that it learned of the attacks on Jan. 2 but said there was "no evidence to indicate that any sensitive information . . . has been compromised," while Symantec, which makes security software, said it is investigating to "ensure we are providing appropriate protection to our customers."

Dow Chemical said that it has "no reason to believe that the safety, security and intellectual property of our operations are in jeopardy." Yahoo and defense contractor Northrop Grumman declined to comment on the attack.

The attackers, experts said, followed the familiar "phishing" ruse: A recipient opens an e-mail that purports to be from someone he knows and, not suspecting malicious intent, opens an attachment containing a "sleeper" program that embeds in his computer. That program can be controlled remotely, allowing the attacker to access e-mail, send confidential documents to a specific address -- even turn on a Web camera or microphone to record what is going on in the room.

In many cases, a user does not know he has been the victim of an attack.

One type of attack exploits a flaw in Adobe Reader, a popular free program that allows e-mail users to read .pdf document files. The flaw was made public Dec. 15 but fixed only on Tuesday -- the day Google announced that its systems had been compromised.

Sara L.M. Davis, executive director of New York-based Asia Catalyst, which assists charities in developing countries, said she began to receive these fake e-mails shortly after the new year. The senders all appeared to be people with whom she regularly communicates. The subject lines contained topics -- "AIDS in China" or "Some photographs of you and Dr. Gao" -- that suggested familiarity with her and her organization.

"If I weren't already paranoid, I would have already opened one," Davis said.

Google declined to provide details on what exactly the attackers took and whether it included any information about super-secret search engine technology that drives the company's profits.

Nart Villeneuve, a research fellow at the University of Toronto, has analyzed attack e-mails sent to human rights groups over the past few months. Villeneuve, who works at Citizen Lab, which focuses on Internet and politics, helped research GhostNet, a vast cyberspying operation revealed last year that apparently originated in China and targeted the office of the Dalai Lama, foreign embassies and government offices.

He said the GhostNet attack resembles the strategy used against Google, other U.S. companies and human rights groups this time around. The attack e-mails to the human rights organizations could mostly be traced to "command and control" computers in mainland China. However, Jellenc said, the two attacks do not appear to have been carried out by the same group.

In August, someone obtained a list of 5,000 subscribers to the China Leadership Monitor, a respected quarterly publication from the Stanford University's Hoover Institution.

The subscribers received a fake e-mail from a Gmail account purportedly from the publication but with an attachment that would take over their computers. Alice Miller, a visiting professor at Stanford and the publication's editor, said she had worked with U.S. government investigators and said the attack originated in China.

Staff writers Cecilia Kang and John Pomfret contributed to this report.

© 2010 The Washington Post Company