The Google attack: Human rights threat or IE browser exploit?
On Tuesday, Google described an alleged series of attacks on its servers and others' as an apparent effort by an unknown China-based source to gain access to private information about human rights activists in that country. No less than Secretary of State Hillary Clinton acknowledged her staff being briefed by Google on the matter -- this after almost five years of apparent silence toward government officials from Google regarding its business arrangement with the government of China.
But in a blog post today which officially dubbed the alleged attack "Operation Aurora," McAfee CTO George Kurtz, in revealing that his company worked with Google in investigating the attack, suggested a completely different motive. Specifically, Kurtz alleged that new and heretofore unseen malware, which turned up during his investigation, appeared to be designed to search for a specific type of company intellectual property.
"As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals," Kurtz wrote. "We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That's when the exploitation takes place, using the vulnerability in Microsoft's Internet Explorer."
The malware's payload opens a back door, Kurtz went on, enabling the attacker to determine whether the door leads to anyplace important, and then "start to siphon off valuable data from the company." That would fit the profile of an attacker looking to steal business documents, not search for the whereabouts of Chinese human rights activists as Google suggested.
But then Kurtz deepened the mystery even further, stating that although all versions of Windows including Windows 7 are vulnerable to this new exploit (which McAfee states it did report to Microsoft), the malware was crafted specifically for Internet Explorer version 6. Not IE7, not IE8, but IE6.
One may reasonably ask, just who at Google -- the maker of Chrome, its own Web browser -- would be a potential target who also would happen to be running IE6 on Windows 7 -- a system which, by default, installs IE8? And just what intellectual property would the attacker be searching for that would fulfill the goal McAfee's Kurtz outlined of stealing valuable company IP, that would also be capable of ferreting out human rights workers' addresses?
"All I can say is wow. The world has changed," Kurtz closed his post. "Everyone's threat model now needs to be adapted to the new reality of these advanced persistent threats."
9:45 pm EST January 14, 2010 · In its security bulletin issued late today on the vulnerability, Microsoft stated that although all versions of Internet Explorer since 6.0 on all versions of the operating system since Windows 2000 SP4 are affected, it was made aware of specific, limited threats involving the malware and IE6, not later versions.
The profile Microsoft used to explain the vulnerability was that of a malicious Web site producing an advertisement bearing a link to a fake Web page that could instead carry a malicious payload -- a very common malicious ploy used worldwide. Microsoft did not mention China anywhere in its bulletin.
In its Tuesday blog post, Google did acknowledge the theft of intellectual property from its targeted systems, though it did not state which category. The alleged incident was reported on the same day that the Chinese government announced it was shutting down what it called illegal Web sites and even deleting content from those sites, describing that content as pornographic. China did not disclose any of the servers affected, though it did say that some 90% of them could be located in the US.