How attack on Google's Gmail skirted US security roadblocks
FBI will investigate Google charges that several hundred Gmail accounts were hacked by perpetrators in China. With the attack, hackers found 'a way around a roadblock,' one expert says.
Theft of e-mail account passwords and volumes of e-mail from hundreds of Gmail accounts was part of a systematic "campaign" by Chinese hackers to target senior US government officials, Chinese political activists, and officials of Asian nations – many from South Korea, including military personnel and journalists, Google officials say.
At least some US State Department employees may have been targeted by the hacking campaign. The effort did not seem geared to stealing credit-card or banking information, but rather appeared to be harvesting e-mail from US and other key officials with knowledge about Chinese affairs, cyber experts say.
The methods used in this latest Gmail hack attack, revealed by Google on Wednesday, resemble those of a 2009 attack that harvested information from 1,295 computers in 103 countries. Nearly a third of those machines were located in "high value" places such as embassies, international organizations, and news media. The common thread: All shared a focus on Chinese affairs concerning Tibet, says Rafal Rohozinski, a principal at the SecDev Group, an Ottawa-based cybersecurity consulting firm.
That year, he and colleagues at the University of Toronto exposed a worldwide espionage network they dubbed "Ghostnet."
"The tradecraft this particular attack embodies, trying to harvest credentials from Gmail, is exactly the vector we saw earlier with Ghostnet," says Mr. Rohozinski. "It's part of a big drumbeat that's been consistent for the last few years, with attackers targeting individuals and information in their e-mail that could be very helpful – especially if you are the Chinese government."
Similar penetrations of Canadian government e-mail systems discovered earlier this year caused the shutdown of three departmental networks – including the Canadian treasurer's department, which still does not have a connection to the Internet, he notes.
Phishing is a standard technique cybercriminals use, sending perhaps millions of spammed e-mails in the hope that someone will be fooled into clicking on links, opening fake login pages, and typing in the passwords for their bank or credit-card accounts.
But in the case of Google's Gmail service, the attackers used a different technique called "spear-phishing" – so called because certain individuals are specifically targeted. The hundreds of targeted individuals received fake e-mails apparently created specifically for them, and the e-mails tapped publicly available data from the Internet about the individuals in order to appear authentic. Such spear-phishing e-mails typically appear to come from a colleague or a boss, says Rohyt Belani, chief executive officer of Phishme Inc., a New York City-based provider of antiphishing software and training.
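The two tells described above, mail that appears to come from a colleague or boss and a link that leads to a fake login page, are what a mail gateway or a SOC triage script looks for. The script below is an added defender-side illustration, not code from the article or from any of the firms it quotes. The trusted-contact directory, the domains (`dept.example`, `webmail-free.example`, `mail-dept-login.invalid`) and both sample messages are constructed for the example; the checks themselves are generic heuristics, not a description of how Google or Phishme detect such mail.

```python
"""Heuristic triage for spear-phishing e-mail, run over constructed samples.

Two defender-side checks for the pattern the article describes: mail that
appears to come from a colleague or boss and steers the reader to a fake
login page.
  1. Display-name impersonation: the From: display name matches a known
     contact, but the sender's address domain is not that contact's domain.
  2. Deceptive links: an anchor's visible text shows one host, its href
     points to another.
"""
import email
from email import policy
from email.utils import parseaddr
import re
from urllib.parse import urlparse

# Hypothetical trusted-contact directory (constructed for this example):
# display name -> the domain that person's real mail comes from.
KNOWN_CONTACTS = {
    "Jane Director": "dept.example",
    "Bob Colleague": "dept.example",
}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Anchor text that itself looks like a URL or a bare host name; group 1 = host.
URL_LIKE_RE = re.compile(r'^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$')


def check_display_name(from_header, known_contacts=KNOWN_CONTACTS):
    """Return a finding string if the display name impersonates a known contact."""
    name, addr = parseaddr(str(from_header or ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = known_contacts.get(name.strip())
    if expected and domain != expected.lower():
        return (f"display name {name!r} matches a known contact, but the sender "
                f"domain is {domain!r} (expected {expected!r})")
    return None


def check_links(html_body):
    """Return findings for anchors whose visible host differs from the href host."""
    findings = []
    for href, text in ANCHOR_RE.findall(html_body):
        href_host = (urlparse(href).hostname or "").lower()
        shown = URL_LIKE_RE.match(re.sub(r"<[^>]+>", "", text).strip())
        if not shown or not href_host:
            continue  # plain anchor text ("click here") carries no host to compare
        shown_host = shown.group(1).lower()
        if shown_host != href_host:
            findings.append(f"link text shows {shown_host!r} but points to {href_host!r}")
    return findings


def triage(raw_message, known_contacts=KNOWN_CONTACTS):
    """Parse an RFC 5322 message; return the list of findings (empty = nothing flagged)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    name_finding = check_display_name(msg["From"], known_contacts)
    if name_finding:
        findings.append(name_finding)
    body = msg.get_body(preferencelist=("html", "plain"))
    findings.extend(check_links(body.get_content() if body else ""))
    return findings


# Constructed sample: reads like a reply from a known boss, but the sender
# domain is a free webmail host and the "login" link goes elsewhere.
SPEAR_PHISH = """From: Jane Director <jane.director@webmail-free.example>
To: analyst@dept.example
Subject: Re: briefing notes - please review tonight
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Please sign in to review the notes before the call:
<a href="http://mail-dept-login.invalid/login">https://mail.dept.example/login</a></p>
"""

# Constructed benign sample: a real colleague, link text and target agree.
BENIGN = """From: Bob Colleague <bob.colleague@dept.example>
To: analyst@dept.example
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Menu is at <a href="https://mail.dept.example/lunch">https://mail.dept.example/lunch</a>,
or <a href="https://mail.dept.example/lunch">click here</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("spear-phish", SPEAR_PHISH), ("benign", BENIGN)):
        print(label, triage(sample) or "no findings")
```

Both checks are deliberately conservative: a display name that is not in the directory is never flagged, and anchor text that is not itself a URL is ignored, so the script produces findings only where the two pieces of evidence the article describes (impersonated sender, disguised login link) are actually present. In practice the contact directory would be fed from the organisation's address book, and hits would be routed to a reviewer rather than acted on automatically.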
"Attacking these people through Gmail was a smart move, when you think about corporate and federal e-mail being more locked down now," he says. "This really represents hackers finding a way around a roadblock."
In this case, he notes, money isn't the object. Rather, the spear-phishers are after information that could be of diplomatic or strategic value.
"These were government employees" whose personal Gmail accounts were attacked, he says. "You had people working in the State Department and other critical positions. The targets point back to some very organized, government-backed activity."