The Washington Times Online Edition

Cyber-attack on U.S. firms, Google traced to Chinese

A Chinese girl lights a candle in front of Google’s China headquarters in Beijing on Tuesday. Google stopped censoring its Chinese-language search engine on Monday and relocated its Web-searching operations to Hong Kong. (Associated Press)

The cyber-attack on Google and other U.S. companies was part of a suspected Chinese government operation launched last year that used human intelligence techniques and high technology to steal corporate secrets, according to U.S. government and private-sector cybersecurity specialists.

More worrying, however, is the likelihood that the cyber-attacks that led Google this week to end its cooperation with Beijing-controlled censorship and move its search engine service to Hong Kong included planting undetectable software on American company networks that could allow further clandestine access or even total control of computers in the future.

An Obama administration official said the U.S. government was able, with some confidence, to link the attack, first discovered last summer, to Chinese government organs. However, the official declined to provide details to avoid making future Chinese cyber-attack identification more difficult.

“The attack was very targeted. It targeted engineers and quality assurance developers, people with very high levels of access into the organization,” said George Kurtz, chief technology officer for computer security firm McAfee, who investigated the attack for several of the affected companies.

“The infections were actually very few,” he said. “It wasn’t like a mass infection across a large organization. It was very targeted.”

The Google attack was code-named Operation Aurora because one of the hacker files discovered by McAfee contained the name Aurora.

Investigators traced the beginning of the attack to the discovery by the hackers of a previously unknown software flaw in the widely used Web browser Internet Explorer 6.0.

Once the software hole was identified, the attackers spent months gathering information on company executives who had high-level access to company data, such as source code and advanced research and development efforts.

Then, using personal data gathered on the company officials from social networking sites such as Facebook, Twitter, LinkedIn and MySpace, the attackers sent e-mails or instant messages that appeared to be from someone whom the company official knew and mistakenly trusted. The messages contained links to a pirated computer server in Taiwan.

Once at the Taiwan server, the victimized computer automatically downloaded a software “payload” that covertly installed and created a virtual trap door or Trojan in the computer.

The combination of the Internet Explorer hole and the trap-door software was the key that allowed the attackers to take over the computer, masquerade as a high-level trusted user, and gain access to and steal information normally available to only a handful of company specialists.

Another sign leading investigators to conclude that the operation was state-sponsored hacking was the fact that each of the companies was targeted differently, using software developed from the attackers’ knowledge of individual networks and information storage devices, operating systems, the location of targeted data, how it was protected and who had access to it.

Google eventually learned of the attack when a Chinese human rights activist based in New York alerted the company that his e-mail account was being accessed both by him in New York and by an unknown user who was traced to Taiwan.

In the case of Google, investigators suspect that China was seeking access to the company’s unique search engine and data-mining technology, which could be applied to China’s rival government-controlled search engine known as Baidu.

About the Author
Bill Gertz

Bill Gertz is a national security columnist for The Washington Times and senior editor at The Washington Free Beacon (www.freebeacon.com). He has been with The Times since 1985.

He is the author of six books, four of them national best-sellers. His latest book, “The Failure Factory,” on government bureaucracy and national security, was published in September 2008.

Mr. ...
