The Public Eye with Eric Chabrow

Did Study Foresee Google Attack?

Did Study Foresee Google Attack?

Did a report prepared for the government last fall foresee the attack on Google and a dozen other American companies in December?

A report last week in The New York Times says the attacks have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military.

A report published last October by Northrop Grumman for the government's U.S.-China Economic and Security Review Commission describes Chinese academics being involved in computer exploits similar to those that may have been used in Operation Aurora, as the attacks on Google, Adobe Systems, Juniper Networks, Rackspace and others are known.

The Northrop study didn't mention Google, and the news account didn't tie specific research being conducted at two schools cited as possible originating sites of the digital assaults: Shanghai Jiaotong University and the Lanxiang Vocational School.

Still, the report, Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, and news story both described similar methods of how the alleged Chinese hackers penetrated the American corporate IT systems.

The Times article cited forensics analysis of the Google attack as yielding new details on how the intruders exploited the flaw to gain access to internal corporate servers:

"They did this by using a clever technique - called man-in-the-mailbox - to exploit the natural trust shared by people who work together in organizations. After taking over one computer, intruders insert into an e-mail conversation a message containing a digital attachment carrying malware that is highly likely to be opened by the second victim. The attached malware makes it possible for the intruders to take over the target computer."

Similarly, the Northrop report published four months earlier said:

"E-mail is the most common entry vector because the operators are often able to learn an employee's (or group of employees') trust relationships (i.e. their professional networks) by analyzing who they frequently e-mail. The intruders then craft credible looking e-mails from members or groups within an individual's network that the target will likely open."

The Northrop study says some Chinese academics have focused their research on zero-day vulnerabilities. A zero-day attack exploits a vulnerability in a program known to a hacker but unknown to the software's developer. The term zero-day refers to an attack occurring on or before the first day a developer becomes aware of the flaw and able to correct it.

"Anecdotal reporting from information security industry sources suggest that Chinese researchers are also willing to purchase zero day attack tools from third party sources, though this has not been independently corroborated.
"Zero day exploits are bought and sold in numerous public and private markets without the involvement of the victim software's vendors, often for tens of thousands of dollars per vulnerability."

The attacks described here represent the tip of the iceberg of what's emanating from Chinese, as the Northrop report somberly notes:

"Chinese industrial espionage is providing a source of new technology without the necessity of investing time or money to perform research. Computer network exploitation in support of these collection requirements has possibly expanded the range and detail of information available for collection in a way that previously required close HUMINT (human intelligence)-enabled access to obtain the data (e.g. an agent inside or close proximity to a U.S. citizen and their laptop or other electronics).
"Chinese espionage in the United States, which now comprises the single greatest threat to U.S. technology, according to U.S. counterintelligence officials, is straining the U.S. capacity to respond. This illicit activity both from traditional techniques and computer-based activity are possibly contributing to China's military modernization and its acquisition of new technical capabilities."

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.