How attack on Google's Gmail skirted US security roadblocks
FBI will investigate Google charges that several hundred Gmail accounts were hacked by perpetrators in China. With the attack, hackers found 'a way around a roadblock,' one expert says.
Theft of e-mail account passwords and volumes of e-mail from hundreds of Gmail accounts was part of a systematic "campaign" by Chinese hackers to target senior US government officials, Chinese political activists, and officials of Asian nations – many from South Korea, including military personnel and journalists, Google officials say.
At least some US State Department employees may have been targeted by the hacking campaign. The effort did not seem geared to stealing credit-card or banking information, but rather appeared to be harvesting e-mail from US and other key officials with knowledge about Chinese affairs, cyber experts say.
The methods used in this latest Gmail hack attack, revealed by Google on Wednesday, resemble those of a 2009 attack that harvested information from 1,295 computers in 103 countries. Nearly a third of those machines were located in "high value" places such as embassies, international organizations, and news media. The common thread: All shared a focus on Chinese affairs concerning Tibet, says Rafal Rohozinski, a principal of the SecDev Group, an Ottawa-based cybersecurity consulting firm.
That year, he and colleagues at the University of Toronto exposed a worldwide espionage network they dubbed "Ghostnet."
"The tradecraft this particular attack embodies, trying to harvest credentials from Gmail, is exactly the vector we saw earlier with Ghostnet," says Mr. Rohozinski. "It's part of a big drumbeat that's been consistent for the last few years, with attackers targeting individuals and information in their e-mail that could be very helpful – especially if you are the Chinese government."
Similar penetrations of Canadian government e-mail systems discovered earlier this year caused the shutdown of three departmental networks – including the Canadian treasurer's department, which still does not have a connection to the Internet, he notes.
Phishing is a standard technique cybercriminals use, sending perhaps millions of spammed e-mails in the hope that someone will be fooled into clicking on links, opening fake login pages, and typing in the passwords to their bank cards or credit cards.
But in the case of Google's Gmail service, the attackers used a different technique called "spear-phishing" – so called because certain individuals are specifically targeted. The hundreds of targeted individuals received fake e-mails apparently created specifically for them, and the e-mails tapped publicly available data from the Internet about the individuals in order to appear authentic. Such spear-phishing e-mails typically appear to come from a colleague or a boss, says Rohyt Belani, chief executive officer of Phishme Inc., a New York City-based provider of antiphishing software and training.
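The impersonation Belani describes (a message that looks like it comes from a colleague or a boss) leaves traces a mail gateway can check: a familiar display name on an unfamiliar address, a sender domain one character away from the real one, or a Reply-To that silently redirects answers elsewhere. The following is an added example, not code from Google, Phishme or the article; the organisation domain, the staff directory and the four sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed for this example: the organisation's real mail domain and a
# small "who is who" directory (hypothetical names and addresses).
ORG_DOMAIN = "example.gov"
DIRECTORY = {
    "jane director": "jane.director@example.gov",
    "bob analyst": "bob.analyst@example.gov",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike sender domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw: str) -> list:
    """Return finding codes for one raw RFC 822 message (headers + body)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. Display name belongs to a known colleague but the address does not.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and expected != addr.lower():
        findings.append("display_name_impersonation")

    # 2. Sender domain is a near-miss of the organisation's own domain.
    dom = domain_of(addr)
    if dom and dom != ORG_DOMAIN and levenshtein(dom, ORG_DOMAIN) <= 2:
        findings.append("lookalike_domain")

    # 3. Replies would go to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if domain_of(rt_addr) != dom:
            findings.append("reply_to_mismatch")
    return findings


# Constructed sample messages (not real mail).
SAMPLES = [
    'From: "Jane Director" <jane.director@mail.example.net>\n'
    "Subject: Re: Tibet briefing\n\nPlease review the attached before the call.\n",
    'From: "Jane Director" <jane.director@example.gov>\n'
    "Subject: Re: Tibet briefing\n\nLooks fine, thanks.\n",
    'From: "IT Helpdesk" <helpdesk@examp1e.gov>\n'
    "Subject: Password expiry\n\nSign in here to keep your account.\n",
    'From: "Bob Analyst" <bob.analyst@example.gov>\n'
    "Reply-To: bob.analyst@mail.example.net\n"
    "Subject: Travel receipts\n\nCan you send me the forms?\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.splitlines()[0], "->", check_sender(raw) or "clean")
```

The first message is the classic spear-phish: the right name on a free-mail address. The last one shows why the check must look past the From line: the visible address is genuine (trivial to forge when the receiving domain does not enforce DMARC), and only the Reply-To gives the redirection away.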
"Attacking these people through Gmail was a smart move, when you think about corporate and federal e-mail being more locked down now," he says. "This really represents hackers finding a way around a roadblock."
In this case, he notes, money isn't the object. Rather, the spear-phishers are after information that could be of diplomatic or strategic value.
"These were government employees" whose personal Gmail accounts were attacked, he says. "You had people working in the State Department and other critical positions. The targets point back to some very organized, government-backed activity."
Google notified the US State Department of its findings Wednesday before going public with news of the Gmail attack. The Department of Homeland Security is reported to have sought to analyze Google's findings, and the Federal Bureau of Investigation is involved.
"We are obviously very concerned about Google's announcement regarding a campaign that the company believes originated in China to collect the passwords of Google e-mail account holders," Secretary of State Hillary Rodham Clinton said Thursday. "Google informed the State Department of this situation yesterday in advance of its public announcement. These allegations are very serious. We take them seriously, we're looking into them."
In its statement on its official blog, Google said, "the goal of this effort seems to have been to monitor the contents of these users' emails, with the perpetrators apparently using stolen passwords to change people's forwarding and delegation settings."
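Changing forwarding and delegation settings is how a stolen password turns into persistent, silent access: the attacker never has to log in again once mail is being copied out. Those settings changes are events a mailbox audit trail records, so they can be alerted on. The code below is an added example, not Google's code or anything from the article; the event schema, action names, organisation domain, IP addresses and sample events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ORG_DOMAIN = "example.gov"  # assumed organisation domain (constructed)


@dataclass
class Event:
    """One audit record; field and action names are hypothetical."""
    ts: datetime
    user: str
    action: str        # "login", "set_forwarding" or "add_delegate"
    ip: str
    target: str = ""   # forwarding destination or delegate address, if any


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def find_mailbox_takeovers(events, known_ips, window=timedelta(hours=24)):
    """Flag forwarding/delegation changes that send mail outside the org.

    known_ips maps a user to the IPs that user normally logs in from. A change
    made from an unfamiliar IP, or preceded within `window` by a login from
    one, is rated high; an external change from familiar IPs only is medium.
    """
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for e in ordered:
        if e.action == "set_forwarding" and is_external(e.target):
            reason = "forwarding to external address"
        elif e.action == "add_delegate" and is_external(e.target):
            reason = "delegation to external account"
        else:
            continue  # internal targets and ordinary logins are not alerts
        familiar = known_ips.get(e.user, set())
        recent_logins = [
            l for l in ordered
            if l.action == "login" and l.user == e.user
            and timedelta(0) <= e.ts - l.ts <= window
        ]
        unfamiliar = {l.ip for l in recent_logins if l.ip not in familiar}
        if e.ip not in familiar:
            unfamiliar.add(e.ip)
        alerts.append({
            "user": e.user,
            "when": e.ts.isoformat(),
            "reason": reason,
            "target": e.target,
            "severity": "high" if unfamiliar else "medium",
            "unfamiliar_ips": sorted(unfamiliar),
        })
    return alerts


# Constructed sample data using documentation address ranges.
T = datetime(2011, 6, 1, 8, 0)
KNOWN_IPS = {
    "alice@example.gov": {"198.51.100.7"},
    "carol@example.gov": {"198.51.100.9"},
}
SAMPLE_EVENTS = [
    Event(T, "alice@example.gov", "login", "198.51.100.7"),
    Event(T + timedelta(hours=3), "alice@example.gov", "login", "203.0.113.9"),
    Event(T + timedelta(hours=3, minutes=2), "alice@example.gov", "set_forwarding",
          "203.0.113.9", "collector@mail.example.net"),
    Event(T + timedelta(hours=4), "bob@example.gov", "set_forwarding",
          "198.51.100.8", "bob.archive@example.gov"),       # internal: no alert
    Event(T + timedelta(hours=5), "carol@example.gov", "login", "198.51.100.9"),
    Event(T + timedelta(hours=5, minutes=10), "carol@example.gov", "add_delegate",
          "198.51.100.9", "assistant@mail.example.net"),
]

if __name__ == "__main__":
    for a in find_mailbox_takeovers(SAMPLE_EVENTS, KNOWN_IPS):
        print(a)
```

Alice's case matches the pattern in Google's statement: a login from an address she has never used, followed minutes later by forwarding to an outside mailbox. Carol's change is flagged at lower severity because the IP is familiar; that could be a legitimate assistant, or a phished session on her own machine, which is exactly why the external-target condition is kept separate from the unfamiliar-IP condition.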
The company also said it had traced the nefarious activity to a source in Jinan, China. Last year, after a serious attack in which hackers apparently gained access to at least some of Google's key proprietary computer code, Google fingered the Lanxiang Vocational School in Jinan, which conducts computer training for the Chinese military.
"Hacking is an international problem and China is also a victim," Wang Baodong, an embassy spokesman in Washington wrote the Monitor via e-mail in response to questions. "As a responsible player in cyberspace, China strongly supports international cooperation in cracking down on unlawful activities. The claims of so-called Chinese state support for hacking are completely fictitious, and arbitrarily blaming misdeeds on China is irresponsible and unacceptable."
Because the Internet provides anonymity to cybercriminals and cyberspies, it's often impossible to identify the perpetrators. But some US experts say Chinese authorities also permit nongovernment third-party entities, China's "cybermilitia," to conduct cyberespionage on the country's behalf. That gives the government and the military plausible deniability when a cyberintrusion is discovered.
"Because in China these activities can be outsourced to third parties, making the connection between the person who does the technical harvesting and the commissioning agent can be very difficult," says SecDev Group's Rohozinski. "The guys doing this may not even know who they're doing it for."
But plausible deniability goes only so far, others say. At some point, the predominance of attacks flowing out of a country can begin to hurt that country's international standing, they argue.
In a 2009 study examining what nation people most feared would cyberspy on them, the US was No. 1, followed closely by China. But a similar study in April showed "China stood alone – the US was down around third and no one else was even close," says Stewart Baker, the cybersecurity lawyer in Washington who conducted the study.
"The Chinese standard line on this is that they're victims of hacking, too – and they condemn computer crime," he says. "So for the Chinese to continue with their standard response just isn't working anymore. Their reputation is being harmed by these attacks."