The hottest story in the Information Security world right now is the much publicised hacking of Google’s corporate network in China.

If you were skimming the headlines, you might think this story is somehow related to Google’s blocked searches and Chinese Government censorship. That is how it is being presented in much of the mainstream press, both locally and internationally.
For those who missed the initial story: Early last week Google suddenly announced that it may suspend its operations in China due to a highly sophisticated attack against its corporate network. Within days, it was revealed that up to 30 other tech companies (including Adobe) had been targeted by the same attackers.
Google took the unusual step of announcing the ultimate target of the attack: “We have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists”. Google is sharing these details because apparently “this information goes to the heart of a much bigger global debate about freedom of speech.”
Google has been happy in the past to acquiesce to Internet censorship in order to do business in China. It didn’t simply wake up one day and decide to honour its “Don’t Be Evil” slogan.
Google now finds itself in a hostile business environment, an environment where the Big Boys use dirty tricks – surveillance, theft, hacking and corporate espionage – and Google is not accustomed to being technologically outclassed.
While some of the best and brightest minds in IT Security have been hired by Google, the Chinese government has quietly been building the same capabilities, albeit geared to offence rather than defence.
Google’s internal network was compromised using a previously unknown vulnerability that affects Microsoft’s Internet Explorer browser.
The attackers lured a Google employee to browse to their website, launched the attack against the IE browser which punched a hole through the network’s perimeter defences and allowed the attackers to create a channel back into the internal corporate network. Once this channel had been created, the attackers were able to jump from the compromised Google workstation to other locations inside the network.
This is a classic client-side attack, flawlessly executed in a professional manner.
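The chain in the paragraph above (a lure site, a channel back out through the perimeter, then a jump to other internal hosts) is what a defender would try to spot in network logs. What follows is an added example and not part of the original column: a toy correlation over constructed proxy and firewall log lines that flags a workstation which opens a steady outbound channel to one external host and then fans out to many internal hosts. The log format, the addresses, the internal network range and the thresholds are all assumptions made for illustration.

```python
"""Added example, not from the original column: correlate constructed
proxy/firewall log lines to spot a workstation that opens a regular
'call-home' channel to one outside host and then fans out internally."""

import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: "<ISO timestamp> <src> <dst> <dst port> <action>".
# 10.1.1.23 follows the attack chain; 10.1.1.40 is ordinary browsing noise.
SAMPLE_LOGS = """\
2010-01-12T09:01:02 10.1.1.23 203.0.113.10 80 proxy-allow
2010-01-12T09:01:09 10.1.1.23 203.0.113.55 443 fw-allow
2010-01-12T09:01:40 10.1.1.23 203.0.113.55 443 fw-allow
2010-01-12T09:02:10 10.1.1.23 203.0.113.55 443 fw-allow
2010-01-12T09:02:41 10.1.1.23 203.0.113.55 443 fw-allow
2010-01-12T09:03:15 10.1.1.23 10.1.2.5 445 fw-allow
2010-01-12T09:03:16 10.1.1.23 10.1.2.6 445 fw-allow
2010-01-12T09:03:17 10.1.1.23 10.1.2.7 445 fw-allow
2010-01-12T09:03:18 10.1.1.23 10.1.2.8 445 fw-allow
2010-01-12T09:03:19 10.1.1.23 10.1.2.9 445 fw-allow
2010-01-12T09:03:20 10.1.1.23 10.1.2.10 445 fw-allow
2010-01-12T09:05:00 10.1.1.40 198.51.100.7 443 fw-allow
2010-01-12T09:05:03 10.1.1.40 198.51.100.7 443 fw-allow
2010-01-12T09:06:00 10.1.1.40 10.1.2.5 445 fw-allow
2010-01-12T09:07:30 10.1.1.40 198.51.100.7 443 fw-allow
"""

# Assumed corporate address space; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

BEACON_MIN = 3                     # repeated connections to one external host
JITTER_MAX = 0.5                   # pstdev/mean of the gaps between them
FANOUT_MIN = 5                     # distinct internal hosts contacted afterwards
FANOUT_WINDOW = timedelta(minutes=10)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_logs(text):
    """Parse the constructed log format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "src": ipaddress.ip_address(src),
                       "dst": ipaddress.ip_address(dst),
                       "port": int(port), "action": action})
    return sorted(events, key=lambda e: e["ts"])


def is_regular(timestamps):
    """True when there are enough connections and their spacing is steady,
    which is how an automated channel looks, unlike a person clicking around."""
    if len(timestamps) < BEACON_MIN:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean <= JITTER_MAX


def find_suspicious(text):
    """One alert per (workstation, external host) pair showing a regular
    call-home followed by a fan-out to many internal hosts."""
    by_src = defaultdict(list)
    for e in parse_logs(text):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        external = defaultdict(list)
        for e in evs:
            if not is_internal(e["dst"]):
                external[e["dst"]].append(e["ts"])
        for dst, times in external.items():
            if not is_regular(times):
                continue
            first = times[0]
            # Internal hosts touched in the window after the channel opened.
            internal = {e["dst"] for e in evs
                        if is_internal(e["dst"])
                        and first <= e["ts"] <= first + FANOUT_WINDOW}
            if len(internal) >= FANOUT_MIN:
                alerts.append({"src": str(src), "call_home": str(dst),
                               "beacons": len(times),
                               "internal_hosts": len(internal)})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOGS):
        print(f"{a['src']}: {a['beacons']} beacons to {a['call_home']}, "
              f"then {a['internal_hosts']} internal hosts")
```

The regularity check is what separates the second workstation's ordinary, bursty browsing from the first one's steady channel back out; the thresholds are deliberately exposed as constants because every network has a different baseline and they need tuning against real traffic before the rule is worth an alert.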
Usually we see this sort of browser attack used by low-level criminals to install spyware on your granddad’s PC. In this case, the payload was far more sophisticated and targeted directly at Google employees. This was a blackhat corporate espionage job and a big team effort.
The big headlines over the Google compromise seem to have led many people to wonder “how on earth could Google be hacked?”, but in reality this is just another run-of-the-mill browser vulnerability – nothing to get too excited about.
Much has been made of the new Internet Explorer bug. Officials in Germany and France made headlines by suggesting that users should avoid Internet Explorer altogether, but in reality switching browsers does not make you any more or less of a target to someone like me.
A patch is coming soon: many users will be automatically updated to fix the vulnerability, and many users will not. There will always be someone installing Windows XP with no service packs or security fixes, jumping straight on the Internet, and getting hacked by this bug. The Russian Business Network will add it to their bag of tricks, hackers will keep it up their sleeves, and granddad’s PC will probably need another spyware sweep. Life goes on.
I used to nerd-laugh at the tribulations of poor IE and Firefox users, constantly barraged with new browser threats to deal with. I was smug because I’ve always used Opera. Lots of hackers use Opera. So many, in fact, that they started to actually take a closer look under the hood. As it turns out, Opera has been riddled with bugs for years, no better or worse than any other browser. I’m just lucky that Opera has such a small market share that none of the crimeware gangs bother writing tools to attack it.
Now I use whatever browser is available. I chop and change all the time. I trust that the auto-updates are working, and occasionally I manually “Check for Updates” just to be safe. I assume that no matter what browser I am using, somebody somewhere has a bug for it… There will always be someone that can hack you.
If I were a bad guy and I discovered this particular bug (known as the IE Aurora exploit), I could sell it, legitimately, to a vulnerability disclosure firm who would reward me for my efforts and co-ordinate with the vendors to issue an advisory. I could probably get about $10K US for such a bug.
Or I could sell it on the black market to Eastern European crime gangs, who would immediately plug it into their network of botnets and compromised web servers. For this I could probably make a little more, maybe $20K US. The crime gangs would turn their $20K outlay into hundreds of thousands in profit, possibly in a matter of days.
Now for a government with cyberwarfare capabilities, $20K for a fully weaponized exploit, for which there is no known defence, is a pittance. It’s unlikely that they would even have to go to market for this bug – they employ teams of hackers in-house to find and develop these attacks.
With this in mind, it’s worth recalling that many experts have been warning in recent months that the Chinese have been massively increasing their cyberwarfare capabilities:
“At a fundamental level, the Chinese view cyberwar as an overt tool of national power in a very different way from the United States,” says James Mulvenon, a Washington-based specialist on the Chinese military. “The U.S. is still uncomfortable exercising that power, but the Chinese — and the Russians — are very comfortable with the deniability and using proxies, even though the actions of those proxies could have enormous strategic consequences.”
Google claimed last week that it would no longer be censoring search results in China, even if that means it has to shut down its operations.
Is this a threat? With the censored Baidu search engine dominating the Chinese market, perhaps the threat of mere withdrawal of Google services is not all that menacing.
Google is really sending a message to the Chinese Government: We have dirt on you… we can make this into a Really Big Deal… so stop with the dirty tricks!