Google said Wednesday that hackers based in China gained access to hundreds of Gmail accounts, including some belonging to senior U.S. government officials and military personnel. The personal Gmail account of one Cabinet-level official was compromised, an official with knowledge of the breach said.
The hackers allegedly used a “phishing” campaign to trick users of the popular e-mail service into revealing their passwords, which allowed the perpetrators to monitor incoming and outgoing messages.
Vast quantities of e-mail content were accessed, according to two people with knowledge of the breach. They said the FBI was notified last week and that there was some debate within Google about whether to publicize the incident, because to do so could foreclose investigative options.
Google said the targeted attack appeared to originate from the Chinese city of Jinan and also hit the Gmail accounts of journalists, Chinese political activists and South Korean and other Asian officials. Google determined that its users were attacked by phishing schemes, typically e-mails that trick the recipient into surrendering personal information or clicking on links that infect the computer with a virus.
After announcing the incident on a blog post, Google did not elaborate on which U.S. officials were affected, how long the users’ accounts were exposed, or whether the attacker appeared to be a government agent.
U.S. authorities said no official government e-mail systems were breached, but it was unclear whether any of the victims forwarded their work e-mails to Gmail accounts.
The episode escalated tensions between the search giant and the country with the world’s biggest Internet user base. Google pointed the finger at China last year after an attack on its network, and Yahoo blamed Chinese hackers for an attack on its e-mail service. The Lanxiang Vocational School, which trains some computer scientists for the Chinese military, is located in Jinan, where the latest campaign appeared to originate. The school was implicated in last year’s hacking attack on Google.
A Chinese Foreign Affairs Ministry official said Thursday that “any blame against China in this [latest incident] is groundless and with an ulterior motive.” The official, Hong Lei, said in an e-mailed statement that the “Chinese government is firmly opposed to any cyber criminal activity, including hacking . . . [and] is ready to cooperate with the international community to combat against it.”
The White House’s National Security Council said it is looking into Google’s announcement and working with the FBI to investigate.
The Department of Homeland Security has contacted Google and other federal agencies to offer analysis of any malicious activity and develop solutions to reduce further risk, Homeland Security spokesman Chris Ortman said.
Col. Dave Lapan, a Pentagon spokesman, said the Defense Department was aware of news reports about the breach but “has not been contacted directly.” Lapan said that “we are unaware if the targeted individuals are Defense employees.”
The incident raised questions about the security of popular Internet-based e-mail services and social networking applications that have become important tools for politicians and activists.
“Everyone who sends an e-mail over the Internet should think of it as a postcard rather than a note in a secured envelope,” said Dave Ausprey, a vice president at security software firm Trend Micro.
A flurry of recent security breaches have compromised the accounts of Sony PlayStation users, Lockheed Martin employees, Best Buy customers and politicians.
The incident comes as the federal government has been ramping up efforts to shift large swaths of its computing infrastructure to Internet-based applications offered by Google, Amazon, Microsoft and Yahoo.
Instead of relying on expensive in-house computer servers that require pricey upgrades, U.S. chief information officer Vivek Kundra has been pushing agencies toward “cloud” services, so-called because they are hosted on a vast network of computers in many locations. Such services offer workers greater flexibility and interfaces similar to what they use in their personal lives.
The General Services Administration recently became the first federal agency to officially adopt Gmail, saying that gradually switching its 17,000 employees from Lotus Notes would save about 50 percent in information technology expenses over five years. About 500 or so employees have made the switch so far, GSA officials said recently.
The Agriculture Department recently struck a deal to use Microsoft’s cloud-based e-mail service.
A spokeswoman for Kundra at the Office of Management and Budget referred questions to the FBI.
The security of commercial networks became a major issue a year and a half ago when Google accused China of stealing intellectual property online and compromising the Gmail accounts of Chinese human rights activists.
At least 34 financial, defense and technology companies — including Yahoo, Symantec, Adobe, Northrop Grumman and Dow Chemical — were also attacked at that time by hackers suspected to be Chinese, according to congressional and industry sources.
After that attack, Google sought the help of the National Security Agency in analyzing the penetration of its networks.
In general, the issue of how the U.S. government should respond to or help prevent cyber attacks against private companies is one of the most difficult security issues facing policymakers today.
Though the Department of Homeland Security is the lead U.S. government agency for protecting critical infrastructure, it lacks authority to mandate and enforce security standards.
“The government has strikingly few tools to induce industry to improve security,” said Stewart A. Baker, former Homeland Security assistant secretary for policy and a former NSA general counsel. “There’s been some effort to deal with those issues, but only modestly effective.”
kangc@washpost.com
Staff writers William Wan in Beijing and Scott Wilson, Michael Rosenwald and Jerry Markon in Washington contributed to this report.