Google cyber attack: the evidence against China

Hackers in China are attacking US companies like Google with 'professional quality, organization, and discipline' – raising the specter that the government is involved in the cyber attacks.

Jason Lee/Reuters
A man walks towards the Google China headquarters in Beijing, Wednesday.

Google's announcement yesterday that cyber attacks emanating from China "resulted in the theft of intellectual property" from the search-engine giant adds to the drumbeat of allegations of Chinese cyberattacks on US targets.

Such attacks have occurred with increasing frequency in recent years, from the pilfering of e-mail systems belonging to the US Secretary of Defense to the theft of advanced weapons designs from defense contractors.

Google said its own investigation found that at least 20 other large companies from range of industries, including the Internet, finance, technology, media, and chemical sectors were similarly targeted in December. Software maker Adobe on Wednesday apparently became the first company to acknowledge that assertion, saying its corporate network, too, was attacked.

"We are still in the process of conducting our investigation into the incident," Wiebke Lips, an Adobe spokeswoman, told Computerworld. "It appears that this incident and the one Google announced earlier are related."

The sophistication of these attacks and others have led experts to suggest that the attacks have been coordinated or at least approved by the Chinese government. Some senior US officials have been particularly blunt.

"Some [attacks], we have high confidence, are coming from [Chinese] government-sponsored sites," Joel Brenner, former office of National Counter-intelligence executive told the National Journal in an interview last year.

Not the work of amateurs

The evidence is circumstantial and comes from several cases where US corporate networks have been infiltrated by hackers from China and data removed.

What the cases reveal is meticulous organization with the highest levels of technical sophistication – sophistication beyond the abilities of amateur hackers, experts say.

“These types of operational techniques are not characteristic of amateur hackers operating in widely dispersed geographic areas,” according to a recent study conducted for the US-China Economic and Security Review Commission.

In an analysis of one particular attack on a US company, the review commission stated: “Even if these were freelance operators not directly affiliated with a state or military organization, they had a professional quality, organization, and discipline."

Among the best documented accounts of a highly orchestrated and systematic cyberespionage attack came in March when Canadian researchers identified 1,295 computers in 103 countries infected by spyware and operated by a "GhostNet" or network of computers.

The Tibet connection

Unlike many viruses that infect randomly, the compromised computers of GhostNet belonged to high-value targets like embassies and nongovernmental organizations. Their common thread was the foreign policy concerns of China, the report found.

Many had a Tibet connection – including computer systems at the offices of the Dalai Lama and other Tibetan targets.

Researchers found through reverse engineering "a covert, difficult-to-detect, and elaborate cyberespionage system capable of taking full control of affected systems," according to a March report by Information Warfare Monitor, a group that includes University of Toronto Researchers and The SecDev Group, an Ottawa cybersecurity firm.

In each case, a Trojan program was downloaded that allowed the attackers real-time control of the computers traceable to "commercial Internet accounts on the island of Hainan," home of the lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army.

"Definitely what we're seeing is a new method of infiltrating targeted computers," says Ron Deibert of the Munk Centre for International Studies at the University of Toronto, whose team identified the existence and targets of the GhostNet in an article published in March 2009.

"The significance of GhostNet is that the targeted computers were collected using targeted malware in a systematic manner, not randomly – and because of their strategic relationship to each other," he says. "They all related in some manner to China's strategic, economic, or foreign policy interests."


The GhostNet system attacks used e-mails with subject matter that is tailored to be relevant to the target, along with an attachment "packed with exploit code and Trojan horse programs,” the report said.

Once the attachment is opened, “files located on infected computers may be mined for contact information and used to spread malware through e-mail and document attachments that appear to come from legitimate sources, and contain legitimate documents and messages," the report said.

That's a pattern that has been replicated at other companies – and the US more broadly, according to the US-China commission report.

The information targeted in the US could potentially benefit a rival nation’s “defense industry, space program, selected civilian high technology industries, [or] foreign policymakers interested in US leadership thinking on key China issues,” the report says.

China's response

In an official statement in November, Chinese Foreign Ministry spokesperson Qin Gang chastised the US-China commission report’s findings.

“The report takes no regard of the true situation,” he said in a statement posted on a government web site. “It is full of prejudice, and out of ulterior motive. We urge the so-called commission not to see China through colored lens and not to do things that interfere with China’s internal affairs and undermine China-US relations."


Follow us on Twitter.

of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.