The cyber-attack on Google and other U.S. companies was part of a suspected Chinese government operation launched last year that used human intelligence techniques and high-technology to steal corporate secrets, according to U.S. government and private-sector cybersecurity specialists.
More worrying, however, is the likelihood that the cyber-attacks that led Google this week to end its cooperation with Beijing-controlled censorship and move its search engine service to Hong Kong included planting undetectable software on American company networks that could allow further clandestine access or even total control of computers in the future.
An Obama administration official said the U.S. government was able, with some confidence, to link the attack, first discovered last summer, to Chinese government organs. However, the official declined to provide details to avoid making future Chinese cyber-attack identification more difficult.
“The attack was very targeted. It targeted engineers and quality assurance developers, people with very high levels of access into the organization,” said George Kurtz, chief technology officer for computer security firm McAfee who investigated the attack for several of the affected companies.
“The infections were actually very few,” he said. “It wasn’t like a mass infection across a large organization. It was very targeted.”
The Google attack was code-named Operation Aurora because one of the hacker files discovered by McAfee contained the name Aurora.
Investigators traced the beginning of the attack to the discovery by the hackers of a previously unknown software flaw in the widely used Web browser Internet Explorer 6.0.
Once the software hole was identified, the attackers spent months gathering information on company executives who had high-level access to company data, such as source code and advanced research and development efforts.
Then using personal data gathered on the company officials from social networking sites such as Facebook, Twitter, LinkedIn and MySpace, the attackers sent e-mails or instant messages containing links to a pirated computer server in Taiwan that appeared to be from someone whom the company official knew and mistakenly trusted.
Once at the Taiwan server, the victimized computer automatically downloaded a software “payload” that covertly installed and created a virtual trap door or Trojan in the computer.
The combination of the Internet Explorer hole and the trap-door software was the key that allowed the attackers to take over the computer, masquerade as a high-level trusted user, and gain access to and steal information normally available to only a handful of company specialists.
Another sign leading investigators to conclude that the operation was state-sponsored hacking was the fact that each of the companies was targeted differently, using software developed from the attackers’ knowledge of individual networks and information storage devices, operating systems, the location of targeted data, how it was protected and who had access to it.
Google eventually learned of the attack when a Chinese human rights activist based in New York alerted the company that his e-mail account was being accessed both by him in New York and by an unknown user who was traced to Taiwan.
Investigators suspect in the case of Google that China was seeking access to the company’s unique search engine and data-mining technology that could be applied to China’s rival government-controlled search engine known as Baidu.
Mr. Kurtz said the “magic” behind the attack is that most computer users thought they were protected by firewalls, but in Aurora “the bad guys don’t actually break through your firewall.”
“Your PC will actually go out and make that connection, and that’s how they control your PC from inside the company,” he said.
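Because the compromised PC initiates the connection outward, a perimeter firewall that only blocks inbound traffic never sees an attack; what a defender can look for is the regular outbound call-home from one workstation to one external address. The following is an added example, not code from the article or from McAfee, that scores constructed proxy-log lines for that kind of periodic beaconing (the log format, host names and addresses are all made up):

```python
"""Beacon detection sketch: flag hosts that keep contacting one external
address at a near-constant interval, the pattern described in the quote above.
Added example; the log format and the host/address values are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<timestamp> <src_host> <dst_host> <bytes>".
# ws-eng-17 calls 203.0.113.10 every ~5 minutes; ws-qa-04 browses normally.
SAMPLE_LOG = """\
2010-01-12T09:00:03 ws-eng-17 203.0.113.10 412
2010-01-12T09:00:14 ws-eng-17 www.example.com 9031
2010-01-12T09:05:03 ws-eng-17 203.0.113.10 418
2010-01-12T09:10:04 ws-eng-17 203.0.113.10 410
2010-01-12T09:15:03 ws-eng-17 203.0.113.10 415
2010-01-12T09:20:03 ws-eng-17 203.0.113.10 411
2010-01-12T09:03:22 ws-qa-04 www.example.com 23881
2010-01-12T09:41:10 ws-qa-04 www.example.com 10234
2010-01-12T09:42:55 ws-qa-04 www.example.com 7120
2010-01-12T10:30:01 ws-qa-04 www.example.com 44012
"""

def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the constructed log format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(text, min_conns=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    jitter = stdev(gaps) / mean(gaps): an automated call-home scores near 0,
    a person browsing scores high. Returns [(src, dst, period_s, jitter)]."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            hits.append((src, dst, round(avg), round(jitter, 3)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

On the constructed log only the ws-eng-17 to 203.0.113.10 pair is flagged (300-second period, jitter 0.002); the thresholds are starting points to tune against real traffic, since some legitimate update checks are also periodic.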
Gary Elliott, a Virginia-based information assurance and cyberwarfare specialist, said the techniques and methods used for the cyber-attack convinced him that the most likely source was either China’s intelligence services or its military. He said China was known to have at least 2,000 cyberwarriors working on defensive and offensive operations several years ago.
“The very high level of hacker sophistication in these exploits, along with the 30 or so very well-thought-out and coordinated attacks against American companies, leads me to believe that there are very few places in the world that are capable of performing this type of cyberwarfare,” Mr. Elliott said. “There was a large government military or intelligence agency behind this.”
Mr. Elliott said operations like Aurora take months or even years to plan and require mapping the technical infrastructure of the targeted companies, a capability that even the Russian mafia, known to be a formidable nongovernment cyberthreat, does not have.
A report on Chinese cyber-operations by the congressional U.S.-China Economic and Security Review Commission made public in October said China is using attacks similar to the one carried out against Google.
“China is likely using its maturing computer network exploitation capability to support intelligence collection against the U.S. government and industry by conducting a long-term, sophisticated, computer network exploitation campaign,” the report said.
Cyber-attacks used by the Chinese are “characterized by disciplined, standardized operations, sophisticated techniques, access to high-end software development resources, a deep knowledge of the targeted networks, and an ability to sustain activities inside targeted networks, sometimes over a period of months,” the report said.
Mr. Elliott also said the reported links by Internet Protocol addresses to Shanghai Jiaotong University have raised the question in computer security circles about whether the attack involved the work of a notorious Chinese hacker named Peng Yinan, who operated independently in the early 2000s and then went to work for the Shanghai Public Security Bureau, one unit of China’s internal political police.
“Peng Yinan works for the Shanghai Public Security Bureau and teaches at the Chen Ruiqiu building, located on the Jiaotong University campus,” he said.
Mr. Elliott said Mr. Peng has been linked to Chinese-origin hacker attacks that coincided with the April 2001 incident of a Chinese F-8 fighter colliding with a U.S. EP-3 surveillance aircraft off China’s coast.
Mr. Kurtz said attributing the attacks to China or Chinese-based hackers is difficult outside government circles. But based on the methods used, there is little doubt a major cyberpower was behind it.
“If you look at the countries capable of launching these sort of offensive initiatives, China is certainly one of them,” he said.
The Internet Explorer flaw likely was discovered more than a year ago and was the first step of what began last summer as a series of computer attacks on 20 to 30 high-tech firms.
Mr. Kurtz said the attack was a watershed because it involved an apparent government-sponsored attack on a commercial entity, namely Google, and the company’s decision to risk going public. Past sophisticated attacks were normally carried out by government against other governments or contractors.
Google declined to provide details of the attack. Its chief legal officer, David Drummond, said in a statement in January that the company in December identified a “sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.”
On Monday, Mr. Drummond stated in an update that the attackers broke into e-mail accounts of Chinese human rights activists through “phishing scams or malware.” Phishing is used to obtain access through fraudulent e-mails, and malware is software that is used to gain unauthorized access or control of computers and networks.