Google: We're ready for a dialogue with China

"This whole thing has strange written all over it..."
Google's spokesperson declined to comment to Betanews about what specifically identifies the attack against its servers as Chinese, though the company maintains that irrefutable evidence does exist. It may have shared that evidence with the US State Dept. earlier this month.
Given that, on the surface, the attack on Google's servers may look like an ordinary Trojan setting up a back-door channel to a China-based IP address, doesn't it remain possible that Google's attacker used that China address merely as a proxy, perhaps while operating from outside China's borders?
"Sure," responded Praetorian Group's Daniel Kennedy to Betanews, "proxy in the sense that someone could be controlling a machine from a different location. No one has been too forthcoming in making the complete case that this was actually an attack sponsored in some way by the Chinese government. It's just been strongly suggested based on attack characteristics, what it appears the attackers were after, and some other information regarding this Taiwan server that hasn't been disclosed."
Last week, researchers at VeriSign's iDefense Labs claimed that the Google attack bore some kind of Chinese fingerprint. But earlier that week, those same researchers had attributed the attack to an exploit of Adobe Reader and Acrobat rather than of Microsoft IE6. Adobe later announced that PDFs were not involved in the Google attack, and iDefense has since stepped back from the spotlight, perhaps in shame.
As SecureWorks' Stewart discovered last week, the attack against Google was actually carried out with a recently identified Trojan catalogued as Trojan.Hydraq, rather than with a heretofore unseen piece of malware dubbed "Aurora" by McAfee CTO George Kurtz, who assisted Google in its initial investigation. Symantec first noted Hydraq's existence in the wild as early as January 9. Google's spokesperson confirmed to Betanews today that Hydraq was indeed the tool used to establish the back-door communications link with its servers.
Researchers at antivirus software maker Sophos Labs have also been dissecting Hydraq, and pondering why the current version of it escaped detection until recently. Its payload is indeed sophisticated, containing an effective, encrypted command-and-control protocol for its remote operators, as SecureWorks' Stewart discovered.
But on the surface -- not taking its well-designed engine into account -- it is an ordinary piece of malware using a typical shellcode injection technique, Sophos researcher Chet Wisniewski told Betanews. In a phone conversation conducted, literally, from the freeway yesterday, Wisniewski told us that the package itself resembled something Sophos might have categorized as Troj.Spy-EY -- the type of Trojan that Sophos has been detecting for years already, changed just enough to alter its signature.
"This whole thing has strange all over it," commented Wisniewski in response to our question about how this or any other piece of malware could possibly "look" Chinese. "Google's very sketchy about why they point the finger at China," he noted, adding that as malware toolkits go, the one containing Hydraq is actually quite common. In fact, it is entirely plausible that any number of other variants of Hydraq are detected and eradicated on Google's systems on a daily basis, without anyone suspecting that any one of them may be Chinese.
Could this have been an inside job?
It is here that Wisniewski points to factors outside the malware profile and attack surface that may lend weight to Google's claims -- evidence which may yet be publicly revealed. Last Thursday, Bloomberg reported that Google gave many of its China employees a previously unscheduled holiday while it checked their systems over "to ensure the network is safe and secure," as Google stated at the time. That report led to speculation that the company may not only be investigating its systems, but also the employees who use them.
Today, Google's spokesperson denied to Betanews that its employees were under suspicion, or that the company had any reason to assume that someone in its employ had leaked the information about IE6 being used on its premises.
The company's explanation to us about this point was, in one sense, evolutionary -- in that it evolved in front of us. The spokesperson began by saying that Google's engineers use various browser versions in testing whether its services work, and that it's no surprise to anyone in the company to be finding IE6 in regular use there. But that answer would suggest that Google's service testers were the targets of the attack -- a suggestion which Google is in no position now to confirm.
As we've learned over the years in our general coverage of Google product development, we pointed out to the spokesperson, the company tends to use virtual environments for its testing, which are safer, easier to manage, and not public-facing. The spokesperson acknowledged this as accurate. Virtual networks that do not face the Internet and deploy IE6 only as a test platform would, by design, be less likely targets of the attack. What the spokesperson told us indicates that the attacks were on physical systems running IE6, not on virtual systems used for testing.
In our earlier discussion with Sophos' Chet Wisniewski, he gave guarded credence to a theory about why Google may have been using IE6. In working with multiple clients, Wisniewski said, Sophos turned up organizations that would like to migrate from IE6, but cannot due to constraints imposed by the other software they're forced to run: for example, payroll applications whose security models are incompatible with IE7 or IE8. Another possible reason which cannot be discounted is that companies and organizations doing business with Chinese interests may also have to use at least some systems that meet China government specifications -- specs that evolve at the speed of government itself.
Thus, the theory goes, certain of Google's applications -- even those being run on US-based servers -- may have had no alternative but to run IE6.
The knowledge of just which server assets run IE6 and why, Sophos' Wisniewski told Betanews, could possibly be the critical asset that not only made the attack on Google's servers possible, but that may also give Google reason to suspect China-based interests as the culprit. These assets would, in effect, have been the locations of the back door into Google. Theoretically, if Google had to deploy these assets in order to run software specified as a condition of doing business with China, someone with knowledge of those locations would also have known where to deploy a Trojan whose exploit would not be stopped by Microsoft's more recent -- and more effective -- security measures, such as Data Execution Prevention, which IE6 does not enable by default.
Google's spokesperson refrained from providing further specifics as to which of its systems use IE6 and why. However, the company was willing to acknowledge the need for compatibility with third-party services and software, as well as the potential existence of software specifications mandated by partners -- perhaps including the Chinese government -- as among the valid conditions Google employees may have faced that forced them to use IE6, even when Google itself manufactures a different Web browser.
The spokesperson did tell Betanews that Google had already been, and continues to be, following a migration program to take the suspected systems off IE6. However, the reasons we listed may continue to pose obstacles and could even prevent a full migration in the end, the spokesperson acknowledged.
The alternative theory for the attack is that a more novice "hacktivist" may have acquired the Hydraq payload from the malware market, wrapped it in an old-style IE6 Trojan wrapper that was lying around the office, deployed it "buckshot" style, and just happened to be successful against Google and maybe a few dozen more targets. But Praetorian's Daniel Kennedy believes otherwise:
"The characteristics of the attack do not suggest that the bad actors in this case were novices," Kennedy told Betanews. "They seemed to be aware that IE 6.0 was available to be exploited, induced employees to visit a Web site with the malicious payload, and gained access to the Google, et al, internal networks... Discovering or procuring a zero-day vulnerability, using it in a targeted way, being successful, and getting away with what you were after from some 30 companies, is a sophisticated attack."
What don't we know, and why don't we know it?
Taking apart the language from Google's announcement on the 12th, the company said only that it detected the attack on its servers last December. But how long ago did the attack actually start? Google's spokesperson would not rule out the possibility that attacks occurred earlier than the time it indicated, but we were told that no information presently exists to point to that possibility. That possibility is, however, being investigated, the spokesperson said.
If the Hydraq attack is indeed as sophisticated as Kennedy, Stewart, and others are indicating, then it raises further, very important questions, which Google indicated it is not in a position to answer today: How much more intellectual property could have been compromised than is currently known? How long has personally identifiable information, revealing the whereabouts not just of Chinese dissidents but also of US citizens, been exposed by way of this arguably mediocre exploit package?
And if Google was vulnerable for the entire time it has operated Google.cn for the Chinese market -- a vulnerability that did not require the existence of Hydraq to make obvious -- why would it have opted to maintain its veil of silence rather than leverage US government help in securing its systems, and conceivably those of other companies in turn?
The feeling that a kind of cyber cold war may be heating up was only exacerbated today by the publication this morning of an op-ed piece in China's People's Daily Online, which was ostensibly about the proliferation of humorous videos over the Web. Instead, it contained what appeared to be not-so-hidden messages for Google and the US government, in a style that echoed an earlier era in US/China relations.
"Now, like a woman I once loved, Google's threatening to leave me, saying I did her wrong," the strange op-ed reads. "I don't understand the reasons she's given, perhaps they're just excuses and there's someone else? But considering my hurt feelings, I expect her to follow through on her rediscovered sense of independence. For instance, if the Cyber Security R & D Center at the Department of Homeland Security is caught accessing e-mails in the United States, I expect her to threaten service interruptus there, too."
At least in some parts of the world, it's 1968 all over again.