Jan 13
The Google Breach, Belt Fed Reporters and Hillary Clinton posted by Rick Howard
Filed in: Google Breach, Adobe
Case in point is the Elinor Mills article on Cnet News interviewing one of our iDefense guys, Eli Jellenc. She has him saying that the hackers that attacked Google and others definitely leveraged an Adobe vulnerability. When I read that, I thought to myself, "Hey - that isn't right. The fact is that we do not know." But after re-reading our own press report, we definitely said that was the case. Elinor Mills is an excellent reporter (I read her all the time) and reported what we gave her. Unfortunately, we muddled the message.
Let me clear this up. Here is what we know.
A well-targeted attack reportedly hit Google and over thirty other firms, many of them in the Silicon Valley. It appears that attackers primarily targeted source code repositories. Among the company types targeted were high-tech companies based in the Silicon Valley, financial institutions, defense contractors and chemical companies.
Google is convinced that the attackers are sponsored by the People's Republic of China. In fact, they even convinced the US Secretary of State, Hillary Clinton, that it was so. She is quoted as saying,
"We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation." Whatever evidence Google has, it must be strong.
Google reports that it identified malicious code on its systems in mid-December. Google followed the code back to the drop servers and determined that, in addition to the compromise of its own systems, more companies are involved. According to our sources, hackers hit ~33 additional companies.
The attack bears significant resemblance to a July 2009 attack in which attackers launched targeted e-mail campaigns against approximately 100 IT-focused companies. The July attack employed a PDF file that exploited a zero-day vulnerability in Adobe Reader. The malware associated with the summer attacks communicated with Command and Control (C&C) servers configured similarly to the C&C servers involved in the Google attacks. In fact, the C&C servers from the Google attacks are within the same subnet and six IP addresses apart from the C&C server addresses in the summer attacks.
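The infrastructure overlap described above (same subnet, six addresses apart) is the kind of pivot an analyst checks mechanically when comparing two campaigns' C&C lists. The script below is an added example and not part of the original post or of iDefense's analysis: the addresses are constructed placeholders from the RFC 5737 documentation ranges, not the real C&C servers of either campaign, and the /24 boundary is an assumption, since the post does not state the subnet size.

```python
import ipaddress

# Constructed sample C&C address lists (RFC 5737 documentation ranges).
# These are NOT the real servers from the July 2009 or Google campaigns.
SUMMER_2009_C2 = ["192.0.2.10", "198.51.100.7"]
GOOGLE_2010_C2 = ["192.0.2.16", "203.0.113.25"]


def overlapping_pairs(set_a, set_b, prefixlen=24):
    """Return (addr_a, addr_b, distance) for every pair of addresses that
    fall in the same /prefixlen network, where distance is the numeric gap
    between the two addresses. prefixlen=24 is an assumed boundary."""
    pairs = []
    for a in set_a:
        ip_a = ipaddress.ip_address(a)
        net_a = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        for b in set_b:
            ip_b = ipaddress.ip_address(b)
            if ip_b in net_a:
                pairs.append((a, b, abs(int(ip_a) - int(ip_b))))
    return pairs


def summarize(set_a, set_b, prefixlen=24):
    """Human-readable report of shared-subnet pairs, or a note that none overlap.
    Adjacency alone is weak evidence (shared hosting is common); it is a lead
    to corroborate with malware and configuration similarities, as the post does."""
    pairs = overlapping_pairs(set_a, set_b, prefixlen)
    if not pairs:
        return f"no C&C addresses share a /{prefixlen}"
    lines = [f"{a} and {b} share a /{prefixlen}, {d} address(es) apart"
             for a, b, d in pairs]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SUMMER_2009_C2, GOOGLE_2010_C2))
```

Run stand-alone, the report shows the single shared-/24 pair in the constructed data and its gap of six addresses; swap in real indicator lists to reproduce the check on a live case.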
Considering the similarity of the two attacks, it is likely that the summer attacks and the Google attacks originate from the same actor and that the organizations targeted in the Silicon Valley attacks have been compromised since July. It is not much of a stretch to speculate (this is the speculation part) that both attacks leveraged an Adobe vulnerability, although that has not been confirmed and Google is not talking.
If just half of this turns out to be true, the impact to Google, Silicon Valley and perhaps the US will be enormous. Google's reaction to China is a good example. They are considering pulling their business out of China as retaliation against the attacks. Google's a big player. Where they go, other smaller organizations may follow. If Google and other tech-savvy companies started pulling out of China, that would make things very interesting for the next decade, both for businesses in the technical sector and for policy negotiation between China and the US.
Yikes, that makes my head spin. I think I will go back to my belt-fed reporters.