A new report says the attack on the search giant's network was far less sophisticated than it has claimed.
When Google declared in January that it had been the subject of a "highly sophisticated and targeted attack" on its network, cybersecurity researchers were quick to connect the incident to a wave of stealthy and innovative cyberspies striking companies around the world. But follow Google's hackers down their rabbit hole, as one group of cybersecurity researchers says it has done, and a portrait of those digital intruders emerges that conflicts with their "superhacker" image.
According to a report that researchers at the cybersecurity firm Damballa plan to release Tuesday, the China-based "Aurora" hackers who targeted Google were both more varied in their tactics and far less advanced than early analyses depicted. The Atlanta-based firm links the attacks to a group of "botnets"--collections of computers compromised with hidden software--that used techniques it described as "old school" and "amateur."
"A great play is being made about how sophisticated these attacks were," says Damballa's vice president of research Gunter Ollman. "But tracing back the attacks shows that they were not sophisticated, and that the attackers behind them have a history of running multiple botnets with a variety of tools and techniques," many of which, he says, were far more rudimentary than Google or the cybersecurity industry has portrayed.
Damballa says it traced the Aurora botnet to command-and-control computers in 22 countries, including China, the United States, the United Kingdom, Germany and Taiwan. By analyzing the structure and activities of the botnet, based on information pulled from those command servers, it found that the botnet used a technique known as "dynamic domain name system command and control," an older, more easily detected method of communication among hijacked computers that it says is rarely used by professional botnet operators today.
Ollman adds that the malicious software that infected Google's network, a Trojan known as Hydraq, contained code that was at least five years old and lacked the "armor" that typically obfuscates malicious software's purpose and prevents it from being removed.
Those claims are already raising controversy in the cybersecurity community, which has taken the Google China hackings as a rallying cry against a new wave of skilled cyberspies that it has labeled the "advanced persistent threat." Beyond the Google incident, cyberspies have recently gained access to major oil companies, according to a report in the Christian Science Monitor. And they've also hacked more than 100 agencies, schools, think tanks and contractors, including Northrop Grumman and General Dynamics, which do business with the Pentagon (see story, "Dozens of Defense Contractors, Agencies Hacked").
The cybersecurity firm McAfee, for instance, which performed an initial analysis of the Google hack, wrote in an email to Forbes that it stands by its initial conclusion that Operation Aurora was "one of the most impactful and sophisticated cyberattacks in history." McAfee adds that "the goal of the attackers was not to create a botnet but to compromise key systems of interest to gain access to valuable resources."
Damballa's report also threatens to undercut Google, given the search giant's claims about the hackers' high level of skill. The company's threat to stop censoring its Chinese search engine, and even to close its Beijing office in response to the incident, also implies that the attacks were state-sponsored, but Damballa's researchers say this is unlikely given the skill level of the intruders.
Responding to the report, Google spokesperson Jay Nancarrow told Forbes he wouldn't comment on Google's ongoing investigation of the attacks, but that the company stands by its original statement. He added that Damballa has "no firsthand knowledge of the investigation."