More on Google and the cyberattacks


The Financial Times has an update on the cyberattacks that targeted Google last week and caused Google to threaten to pull out of China.


Hackers target friends of Google workers
By Joseph Menn in San Francisco

Published: January 25 2010 23:47 | Last updated: January 25 2010 23:47

Personal friends of employees at Google, Adobe and other companies were targeted by hackers in a string of recently disclosed cyberattacks, raising privacy concerns and pointing to a highly sophisticated operation, security experts said.

Cybersecurity experts analysing the attacks said the hackers spied on individuals and used other sophisticated techniques, making them extremely difficult to stop. The disclosures come amid renewed alarm over cybersecurity after Google said it had been the target of a series of cyberattacks from China.

The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.

“We’re seeing a lot more up-front reconnaissance, understanding who the players are at the company and how to reach them,” said George Kurtz, chief technology officer at security firm McAfee.

“Someone went to the trouble to backtrack: ‘Let me look at their friends, who I can target as a secondary person’.”

McAfee discovered that a previously unknown flaw in Microsoft’s Internet Explorer had been used in the attacks. Mr Kurtz said the attackers also used one of the most popular instant messaging programmes to induce victims to click on a link that installed spy software.

Another element of the attack code used a formula only published on Chinese language websites, said Joe Stewart, a researcher for security firm SecureWorks. Mr Stewart also found that some of the code had been assembled in 2006, suggesting that the campaign had been not only well organised but enduring.

The evidence pointed to a government-sponsored effort that only large spy agencies or perhaps some of the most advanced big companies could have withstood, experts said. China on Monday described accusations it was behind cyberattacks as “groundless”.

Sam Curry, vice-president of security firm RSA, said: “This is a loud message for the commercial world, which is: wake up, this isn’t all happiness and goodness and new business.

“Doing business on the internet is as risky as sending ships through the Panama Canal.”


Okay, now I am confused.  Is this a cyberattack on Google, or what?  The way I read the article, the attackers figured out who the higher-ups were in the company (which means I am safe) and then figured out who their friends and social networks are.  How they obtained this, I don’t know.  But get this – the hackers then compromised these social network accounts, hoping that they would click the links.  Does this mean that the hackers went to all of this trouble to create a targeted spam campaign?  That doesn’t read like a cyberattack at all in which information is stolen or services are DOS’ed, it sounds like a spam run.  But why would a spammer target a few employees at Google?  Spam depends on sending out its garbage to tens, or even hundreds, of thousands of users.  At the most, these hackers would get perhaps a few thousand people from a few higher-up Google employees.

That the source code only existed on Chinese sites is certainly suggestive of a Chinese cyberattack but not conclusive of state involvement.  Of course, the accusations are hardly groundless.

Comments (2)
  1. Err says:

    The point of getting them to click on the link was to exploit IE into installing malware. Which they apparently used to steal information.

  2. Chas says:

    The “Chinese code” fingered by Joe Stewart appears to be a 4-bt (nibble) CRC algorithm that’s been around for years in the embedded world:

    http://www.theregister.co.uk/2010/01/26/aurora_attack_origins/

Comments are closed.

Skip to main content