Targeted attacks work against Google.
Wednesday, 13 January 2010 18:47

Yesterday’s revelation by Google that they had been hacked by China is an important event in two dimensions.

First, the moral dimension. When you play nice with totalitarian states you are going to get burned. Google has long maintained that by providing their search, hosted blogging, and email services to the people of China they were supporting access to information and community that would be a long-term benefit, a benefit that outweighed the evil of blocking or redirecting searches on “Tibet” and “Falun Gong” and “democracy” at the behest of the Chinese Communist rulers. Well, that is wrong. Can you imagine Google blocking search terms on making bombs or jihadist recruiting sites in the US? Well, why not? It is pretty transparent that Google has been motivated by the potential for business in a country that has the largest population of Internet users. Google should pull out of China until they are allowed to operate there with no government interference.

Now the attack dimension. According to Google’s official statements, the attacks against them followed a very familiar MO, one that is indeed associated with other attacks from China that were probably used to compromise email servers at Whitehall in the UK, the Chancellery in Germany, and the US Pentagon. Custom Trojans are attached to emails and sent to particular email addresses within the target. This is the exact technique used by China to compromise the Office of the Dalai Lama, as uncovered by SecDev and published in the groundbreaking GhostNet report by InfoWarMonitor.

While vulnerabilities in Adobe’s PDF reader may be associated with the attack, it is important to note that a zero-day vulnerability is not needed to get a custom Trojan installed; any old unpatched vulnerability will do. The “customization” is there to avoid detection by AV products.

As Google discovered, they have been caught up in a massive espionage effort that goes well beyond their operations. Every enterprise should learn from this incident. If Google can succumb to this simple method of attack, what can your organization do to protect its information and IT assets? Read this blog and I will tell you as I research my next book: Cyber Defense: Countering Targeted Attacks.

Russell Thomas | 2010-01-13 16:26:16
Excellent post. This whole incident (or collection, if you count all 33
breached companies) is a big wake-up call for InfoSec specialists and
managers -- You have to be fully engaged in business strategy, alliance, outsourcing,
and other corporate decisions.
You can't just wait for those decisions to be made and then try to
implement controls to limit the risks.

I like your book project.
Reminds me of Brian Snow's 2005 paper: "We Need Assurance!",
where he effectively described the difference between defending
against an opportunistic attacker and a determined targeted

One suggestion -- please include methods for organizations to
assess the likelihood that they are, in fact, the subject of a
targeted attacker (based on evidence), and also to assess the relative

Debbie Mahler - I think there's more to it... | 2010-01-14 11:41:34
On our BlogTalk Radio show, Bill Mitchell and I discussed this situation.

Bill brought up
the point - and I agree - that there may be more to this than
what meets the eye.

Google stands to lose a lot more of their
Intellectual Property if the hacks continue and their code is accessed.
Since the Asian countries don't have the kind of IP laws we have in
the U.S., Google risks having its own code used against it. An unscrupulous
company could hack through China, gain access to the Google code, and
then develop a competitor to Google in the Asian countries without legal
recourse. Something to think about!

Debbie Mahler
Technical Tidbits
BlogTalk Radio