New Details On Targeted Attacks On Google, Others, Trickle Out

New details about the targeted attacks against Google and other U.S. companies that resulted in the theft of source code and other intellectual property emerged today, while Microsoft released an emergency patch for a flaw in Internet Explorer that was exploited in those attacks.

Chenxi Wang, principal analyst for security and risk management at Forrester Research, says Google last week instituted an emergency update to its corporate VPN, raising questions about whether the network was in some way compromised in the attacks. But, she says, Google disputed her initial analysis that the attackers gained access to Google's server via its corporate VPN.

"This is the first we've heard about the VPN involvement at Google. I'm not sure this definitely qualifies as a VPN breach because we don't know what the attacker did to the VPN system -- it's possible that the attacker used the user credentials to log in through the VPN without doing anything illegal to the VPN. Or it is possible that the attacker did attack the VPN system. But Google won't say one way or another," Wang says.

A Google spokesperson declined to comment on Wang's findings.

What has been made public about the attack on Google and others is that the attackers employed social engineering via phishing emails with infected links to lure their victims. The links contained an exploit attacking Internet Explorer 6 that dropped a Trojan onto the victim's machine and then allowed the attacker to take control of the victim's machine. The exploit abuses a zero-day vulnerability that is found in all versions of Internet Explorer, but so far has mostly been going after IE 6 machines in the wild now that the exploit code was released publicly.

A malware researcher, meanwhile, has traced the code used in the exploit to Chinese-language authors. While reverse-engineering a sample of the malware used in the attacks, Joe Stewart, director of malware research at Secureworks, discovered some modules in the code have timestamps dating back to May 2006, so the so-called Aurora malware -- a.k.a. the Hydraq Trojan -- was in the works for some time, he says. He says he also found evidence that the code has Chinese origins: It uses a unique implementation of the cyclic redundancy check (CRC) algorithm that is associated with Chinese-language Websites.

Most of the details that have emerged about how the attackers gained access to Google's network and intellectual property have focused mainly on the IE exploit, but security experts say several other exploits were involved in the widespread targeted attacks.

Forrester's Wang, meanwhile, says she believes the "emergency update" to Google's VPN infrastructure was somehow a result of the attack. Wang first raised the possibility that Google's VPN was used to access its server in the attack in a blog post today -- which she has since updated twice after Google first confirmed and then disputed it.

Whether the VPN update was a precautionary measure by Google or purely coincidental is unclear as well.

Still baffling to experts is why a Google user or users would be running the older and less secure version 6 of Microsoft's browser. Security experts have suggested that either some nontechnical Google employees just hadn't bothered to upgrade their browsers, or that the attack could have targeted a Google employee working from his home machine running IE 6.

Wang says Google told her it was possible someone was running IE 6 internally for "testing purposes." That didn't add up for Wang, however: "I can buy that you might be running an older version of a browser for testing purposes (for backward compatibility), but why wasn't the testing environment isolated from production and from access to critical assets? Isn't that one of the first things you do in setting up a test environment?" she wrote in her blog post.

Whatever the reason for the old IE 6 browser, Wang says Google's breach should serve as a cautionary tale for other enterprises. "IT should make sure everyone is running the latest browsers with the latest patches and latest OS -- everything -- and [a] test environment should be entirely separate from the production environment," she says.

Al Huger, vice president of engineering at Immunet, says the attack on Google raises legitimate worries for other companies. "People I've spoken to say if Google, with arguably the brightest security guys in the industry, can get broken into in the heartland of Silicon Valley and have source code stolen, how secure is anybody else?"

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.