This afternoon, just hours following Microsoft’s stunningly fast response to a critical Internet Explorer vulnerability made stunningly public by Google last week, a Google spokesperson told Betanews today that it expects to engage in a dialogue with the government of China within the next few weeks. The subject will be the status of its business relationship with that country, following Google’s allegations that a recent attack on its servers originated in China.
Whether Google will take the next step — specifically, discussing the substance of these talks with the US government — is something the company may not yet have considered, judging from the response to our question from Google’s spokesperson today.
Google’s relative silence about its business dealings with China dates back to early 2007, when it joined Microsoft, Cisco, and Yahoo in declining to appear before the US Congressional Human Rights Caucus, citing its right to privacy regarding business affairs. In order to confer with the US State Dept. earlier this month about the recent attacks, Google had to break that silence.
Talks with China — assuming they occur as Google believes they will — may not be all one-sided, with Google talking and China listening. This morning, in a move that some analysts speculated may be retaliation for Google’s threatened pullout, leading Chinese search engine Baidu stated this morning it has sued New York-based Web registrar Register.com, claiming it is responsible for its domain having been hijacked for a brief time last week.
As Baidu told Reuters this morning, “As a result of the gross negligence of Register.com Inc., the domain name resolution of www.baidu.com was unlawfully and maliciously altered.” Register.com was apparently sued in US District Court for the district where the company is based (New York City). The text of Baidu’s lawsuit had yet to be posted by that Court as of late Wednesday afternoon, Eastern Time. Register.com has yet to make a public statement in response.
But Baidu’s allegations could make those talks into something of an arms race, complete with unsubstantiated allegations and mutually-assured destruction. Using the same degree of logic that Google used in claiming China attacked it, the government there could argue, China could claim the US was behind the rerouting of Baidu.
The Baidu attack, which may or may not be Iranian
On January 11, the day before Google made its stunning announcement to the world, access to Baidu was temporarily rerouted to a site featuring graphics claiming to have originated from the “Iranian Cyber Army.” Those graphics had also been used in an attack the previous month against Twitter. Knowledgeable sources have expressed skepticism that this group necessarily originates in Iran, that it has anything whatsoever to do with Iranian politics, or that it even may be a “group” at all.
The profile of the Baidu attack does not resemble that of the Google attack. In effect, Register.com appears to have been the direct target of a DNS rerouting. According to security services firm Praetorian Group, which monitored the attack at the time, for at least three hours, calls to Baidu’s IP address were rerouted to a site hosted by Houston-based ISP ThePlanet.com. Praetorian traced the domain names of the e-mail contacts listed on the hacked page not to Iran, but to two leading North American ISPs: Netfirms in Markham, Ontario; and Yahoo in Sunnyvale, California.
Praetorian’s analysts, who specialize in incident response for global-scale threats, are not convinced the Baidu attack had clear political motives. At the time of that event, they noted that China is not the key impediment to Iran’s recent gambles towards acquiring functional nuclear weapons.
“Businesses in China have served as intermediaries for products imported from Iran that are then shipped to US firms, in violation of US economic sanctions against Iran,” the company wrote last week. “For these reasons, it is unclear how attacking a Chinese search engine fits into the strategy of this hacktivist pro-Iranian government group. It may have just been that baidu.com was an opportunity to spread their message on a high profile Web site.”
The Google attack, which may or may not be Chinese
By contrast, Google continues to claim its attacks originated in China, through a server that successfully used an undisclosed social trick to implant a Trojan program onto computers — which some say may have included US-based command and control systems — running Microsoft Internet Explorer 6.
Since the day of Google’s announcement, there has been a significant degree of mystery about two intriguing aspects of the Google attack’s profile: 1) why the attacker specifically chose IE6 as the “attack surface,” rather than a newer browser such as IE8; 2) why Google concluded the attacks on its systems were of Chinese origin. Given only the current evidence in front of us, it would appear to be feasible that China-based IP addresses, and perhaps other resources, may have been commandeered by proxy by “hacktivists” originating in any other country.
A Google spokesperson told Betanews this afternoon that the company is not aware of any specific evidence that would explain why IE6 was chosen as the attack vector. Google is aware of the evidence that suggests that IE6 was chosen intentionally, not by accident on the part of some amateur hacker. However, the spokesperson said, Google is also aware of evidence that it says cannot be inferred from the information presently made public, that unequivocally points to China as the geographic source of the attacks against its servers.
What Google will not address at this point in time, however, is the question of what makes this attack specifically Chinese, as opposed to merely China-based.
The official entry of Baidu into the fracas has triggered discussion, including last night on BBC World Service radio, about the possibility that Baidu’s travails and Google’s may be interrelated. The BBC’s discussion with analysts centered upon two possibilities:
- Just as Google perceives itself as a victim of Chinese attack, Baidu perceives itself as a victim of either US attack or US negligence, with both suspicions providing motivation for one another.
- Despite the differences in the threat pattern, both attacks may theoretically originate from the same source, with the purpose of agitating US/China relations or simply to make news headlines.
With those possibilities on the table, Betanews asked researchers at Praetorian yesterday, how could Google have come to the conclusion so quickly that China or Chinese interests were to blame for its attacks?
“Neither Google, nor the security companies working with them, have stated how they determined this,” responded Daniel Kennedy, who leads the risk assessment and global policy management initiatives for the security partnership. “They identified an IP address in Taiwan, but have not disclosed how they further linked that back to China. That tracing was likely done by identifying the target address of the SSL connections being made out of their environment back to this server.”
“No one has been too forthcoming in making the complete case that this was actually an attack sponsored in some way by the Chinese government.”
Daniel Kennedy, security response engineer, Praetorian Group
Kennedy went on to point out the work of SecureWorks researcher Joe Stewart, whose work two years ago on diagnosing the “Pushdo” Trojan architecture brought him well-deserved acclaim. In a New York Times story published yesterday, Stewart told reporter John Markoff that in diagnosing the IE6 exploit, which was recently made public, he recalled having seen its curious encryption algorithm once before: specifically, in a Chinese-language technical paper published on a Chinese Web site. While Markoff noted that this discovery in itself does not pin the Google attack on China specifically, Stewart invoked Occam’s Razor in suggesting that this made China the simplest, and thus most likely, suspect.
Betanews has sought further comment from Stewart on the subject, which may be forthcoming. In the meantime, Praetorian’s Kennedy admits that Stewart’s discovery remains “somewhat circumstantial.”
“Assuming all connections go through some perimeter device, [a server admin] would see the target of the outgoing SSL connection Google identified as the communication channel in their environment,” Kennedy told Betanews. “The attack itself initially would look like normal user browsing…Discovering the back door communicating out of their environment was likely how Google figured out what was going on.”
Next: “This whole thing has strange written all over it…”
“This whole thing has strange written all over it…”
Google’s spokesperson declined comment to Betanews about what it is that specifically identifies the attack against its servers as Chinese, though the company maintains that irrefutable evidence does exist. It may have shared that evidence with the US State Dept. earlier this month.
Given the fact that the attack on Google’s servers may look on the surface like an ordinary Trojan that sets up a back-door communication with a China-based IP address, doesn’t it remain possible that Google’s attacker used that China address as a proxy, perhaps outside its own native borders?
“Sure,” responded Praetorian Group’s Daniel Kennedy to Betanews, “proxy in the sense that someone could be controlling a machine from a different location. No one has been too forthcoming in making the complete case that this was actually an attack sponsored in some way by the Chinese government. It’s just been strongly suggested based on attack characteristics, what it appears the attackers were after, and some other information regarding this Taiwan server that hasn’t been disclosed.”
Last week, researchers at VeriSign’s iDefense Labs made the claim that the Google attack bore some kind of Chinese fingerprint. But earlier that week, those same researchers confused the attack with an attack on Adobe Reader and Acrobat, not Microsoft IE6. Later, Adobe announced PDFs were not involved in the Google attack, and iDefense has subsequently stepped back from the spotlight, perhaps in shame.
As SecureWorks’ Stewart discovered last week, the attack against Google was actually a recently identified Trojan catalogued as Trojan.Hydraq, as opposed to a heretofore unseen malware dubbed “Aurora” by McAfee CTO George Kurtz, who assisted Google in its initial investigation. Symantec first noted Hydraq’s existence in the wild as early as January 9. Google’s spokesperson confirmed to Betanews today that Hydraq was indeed the tool used to establish the back-door communications link with its servers.
Researchers at antivirus software maker Sophos Labs have also been dissecting Hydraq, and pondering why the current version of it had been escaping detection until recently. Its payload is indeed sophisticated, containing an effective, encrypted communications language for remote exploits, as SecureWorks’ Stewart discovered.
But on the surface — not taking its well-designed engine into account — it’s an ordinary piece of malware using a typical shellcode injection technique, as Sophos researcher Chet Wisniewski told Betanews. In a phone conversation taking place literally from the freeway yesterday, Wisniewski told us that the package itself resembled something Sophos might have categorized as Troj.Spy-EY — the type of Trojan that Sophos has been detecting for years already, changed just enough to alter its signature.
“This whole thing has strange all over it,” commented Wisniewski in response to our question about how this or any other piece of malware could possibly “look” Chinese. “Google’s very sketchy about why they point the finger at China,” he noted, adding that as malware toolkits go, the one containing Hydraq is actually quite common. In fact, there’s no reason to believe that any number of other variants of Hydraq are detected and eradicated on Google’s systems on a daily basis, without any suspicion whatsoever that any one of them may be Chinese.
Could this have been an inside job?
It’s here where Wisniewski points to the possibility of factors outside the malware profile and attack surface, as perhaps lending evidence to Google’s claims — evidence which may yet be publicly revealed. Last Thursday, Bloomberg reported that Google gave many of its China employees a previously unscheduled holiday while it checked their systems over “to ensure the network is safe and secure,” as Google stated at the time. That report led to speculation that the company may not only be investigating its systems, but also the employees who use them.
Today, Google’s spokesperson denied to Betanews that its employees were under suspicion, or that the company had any reason to assume that someone in its employ had leaked the information about IE6 being used on its premises.
The company’s explanation to us about this point was, in one sense, evolutionary — in that it evolved in front of us. The spokesperson began by saying that Google’s engineers use various browser versions in testing whether its services work, and that it’s no surprise to anyone in the company to be finding IE6 in regular use there. But that answer would suggest that Google’s service testers were the targets of the attack — a suggestion which Google is in no position now to confirm.
As we’ve learned over the years in our general coverage of Google product development, we pointed out to the spokesperson, the company tends to use virtual environments for its testing, which are safer, easier to manage, and are not public-facing. The spokesperson acknowledged this as accurate. Virtual networks not facing the Internet deploying IE6 as their test platform, would be by design less likely to be targets of the attack. Information gleaned from what the spokesperson told us indicates that the attacks were on physical systems running IE6, not virtual systems used for testing.
In our earlier discussion with Sophos’ Chet Wisniewski, he gave guarded credence to a theory about why Google may have been using IE6. In working with multiple clients, Wisniewski said, Sophos turned up organizations that would like to migrate from IE6, but cannot due to constraints imposed by the other software they’re forced to run: for example, payroll applications whose security models are incompatible with IE7 or IE8. Another possible reason which cannot be discounted is that companies and organizations doing business with Chinese interests may also have to use at least some systems that meet China government specifications — specs that evolve at the speed of government itself.
Thus, the theory goes, certain of Google’s applications — even those being run on US-based servers — may have had no alternative but to run IE6.
The knowledge of just which server assets run IE6 and why, Sophos’ Wisniewski told Betanews, could possibly be the critical asset that not only made the attack on Google’s servers possible, but that may also give Google reason to suspect China-based interests as the culprit. These assets would have been the virtual locations for Google’s back door. Theoretically, if Google had to deploy these assets in order to use specified software necessary to conduct business with China, someone with knowledge of those locations would also have known where to deploy a Trojan that bypasses Microsoft’s more recent — and more effective — security measures, such as Data Execution Prevention.
Google’s spokesperson refrained from providing further specifics as to which of its systems use IE6 and why. However, the company was willing to acknowledge the need for compatibility with third-party services and software, as well as the potential existence of software specifications mandated by partners — perhaps including the Chinese government — as among the valid conditions Google employees may have faced that forced them to use IE6, even when Google itself manufactures a different Web browser.
The spokesperson did tell Betanews that Google had already been, and continues to be, following a migration program to take the suspected systems off of IE6. However, the reasons we listed may continue to pose obstacles and could even prevent a full migration in the end, the spokesperson acknowledged.
The alternative theory for the attack is that a more novice “hacktivist” may have acquired the Hydraq payload from the malware market, wrapped it in an old-style IE6 Trojan wrapper that was lying around the office, deployed it “buckshot” style, and just happened to be successful against Google and maybe a few dozen more targets. But Praetorian’s Daniel Kennedy believes otherwise:
“The characteristics of the attack do not suggest that the bad actors in this case were novices,” Kennedy told Betanews. “They seemed to be aware that IE 6.0 was available to be exploited, induced employees to visit a Web site with the malicious payload, and gained access to the Google, et al, internal networks… Discovering or procuring a zero-day vulnerability, using it in a targeted way, being successful, and getting away with what you were after from some 30 companies, is a sophisticated attack.”
What don’t we know, and why don’t we know it?
Taking apart the language from Google’s announcement on the 12th, the company only said it detected the Hydraq attack on its servers last December. But how long ago did this attack actually start? Google’s spokesperson would not deny the possibility that attacks may have occurred earlier than the time it indicated, but we were told no such information presently exists to point to that possibility. However, that possibility is being investigated, the spokesperson said.
If the Hydraq attack is indeed as sophisticated as Kennedy, Stewart, and others are indicating, then this raises further, very important, questions, which Google indicated it’s not in a position to answer today: How much more intellectual property could have been compromised than is currently known? How long has publicly identifiable information revealing not just the whereabouts of Chinese dissidents, but also US citizens, been exposed by way of this arguably mediocre exploit package?
And if Google was vulnerable for the entire time it has operated Google.cn for the Chinese market — a vulnerability that did not require the existence of Hydraq to make obvious — why would it have opted to maintain its veil of silence rather than leverage US government help in securing its systems, and conceivably those of other companies in turn?
The feeling that a kind of cyber-cold-war may be heating up, was only exacerbated today by the publication this morning of an op-ed piece in China’s People’s Daily Online, which ostensibly was about the proliferation of humorous videos over the Web. Instead, it contained what appeared to be not-so-hidden messages for Google and the US government, in a style that echoed an earlier era in US/China relations.
“Now, like a woman I once loved, Google’s threatening to leave me, saying I did her wrong,” the strange op-ed reads. “I don’t understand the reasons she’s given, perhaps they’re just excuses and there’s someone else? But considering my hurt feelings, I expect her to follow through on her rediscovered sense of independence. For instance, if the Cyber Security R & D Center at the Department of Homeland Security is caught accessing e-mails in the United States, I expect her to threaten service interruptus there, too.”
At least in some parts of the world, it’s 1968 all over again.