In a post to its official blog entitled "A New Approach to China," Google's Chief Legal Officer David Drummond shocked the world in January 2010 by announcing that Google would end its censorship of search results on its Chinese website. The post further explained that Google would "review" its business in China and open discussions with the Chinese government on the feasibility of operating an "unfiltered search engine within the law, if at all." Recognizing that the Chinese government was unlikely to agree to its demands, Drummond added that this might well mean shutting down Google.cn and potentially closing Google's offices in China. Google was not the first company to contemplate leaving China; Internet firms such as Yahoo and eBay had already retreated from the country for a variety of reasons. But Google's sudden announcement came after years of aggressively building its footprint on the Mainland. According to Drummond, when Google launched Google.cn in 2006 it did so in the belief that increased access to information would be a tremendous benefit for the Chinese people, and although its market share was small, by most accounts Google was doing fairly well in China at the time of the announcement. So what forced the change in policy? According to Drummond, Google decided to stop censoring its search results as the result of a "highly sophisticated and targeted attack on [its] corporate infrastructure originating from China," an attack that "resulted in the theft of intellectual property from Google." As Google described them, the attacks were broad and formed a coordinated campaign that also targeted specific human rights advocates in China and around the world.
According to Google, the attacks were the last in a series of events involving censorship and surveillance in China that led it to abandon its policy of compromising with the government by filtering its search results.
A. The Attack
According to McAfee, a zero-day vulnerability in Microsoft's Internet Explorer was the likely vector used in the attacks against Google (Schmugar, 2010). Two days after Google's disclosure Microsoft confirmed that it was aware of a vulnerability (CVE-2010-0249) affecting versions 6, 7 and 8 of Internet Explorer (Microsoft, 2010 Jan. 14). Information released by Google and McAfee suggests that the attackers sent e-mails to targeted victims. The e-mails, which appeared to come from people the victims knew, asked them to open an attachment or visit a linked website. Unbeknownst to the victims, the attachment or linked page carried code that exploited the zero-day vulnerability in Internet Explorer and compromised the computer. Once compromised, the computer contacted a remote command-and-control server, which sent back a Trojan for installation. According to Symantec, one of the main Trojans used in the attack was known as Hydraq (also called Aurora). Once installed, Hydraq searches the infected computer for particular information, including passwords, the contents of e-mails and even what the user is typing into an open browser window in real time (Symantec, 2010), and forwards what it finds to the command-and-control server. The command-and-control server can also direct Hydraq to perform other "duties," such as downloading additional malware or using the compromised computer to "exploit your contacts or other computers on your network" (Villeneuve, 2010).
According to Google, the primary targets of the attacks were the Gmail accounts of specific human rights advocates working for reform in China. Two of the attacks reached Google's corporate network directly, where they accessed two Gmail users' accounts and stole intellectual property. Separately, the accounts of dozens of Gmail users in the United States, China and the European Union appear to have been accessed through phishing or malware placed on the users' own personal computers. According to a number of computer security experts who have researched the attacks, tracing the IP addresses of the command-and-control servers showed that they were located in Taiwan (Mills, 2010). Researchers also found that a server at Rackspace, a Texas-based cloud-storage and Internet hosting company, had been compromised and used to stage information stolen from compromised computers and Gmail accounts before it was sent on to the servers in Taiwan (Villeneuve, 2010). Using Taiwan as a jump-off point for attacks initiated in China is widely considered standard procedure in Chinese state-sponsored cyberattacks (Mills, 2010).
Although Google reported that the attacks against its corporate network stole an unspecified amount of intellectual property, it believes that the two attacks that reached Gmail accounts were able to read only limited account information, such as the date the account was created and the subject lines of e-mails, rather than the e-mails themselves. Google offered no similar assurance for the Gmail accounts accessed through the users' personal computers. As noted above, the Hydraq Trojan can read, copy and forward any information sent, received or stored on a compromised computer, and it can also serve as a launching point for attacks on other computers on the same network. Accordingly, the integrity and confidentiality of any infected personal computer must be assumed to be seriously degraded if not destroyed, and any information sent, stored or received by such a computer should be treated as fully available to the attackers.
Others believe the focus of the attacks was more sinister than simply reading the Gmail accounts of human rights advocates. According to security technologist Bruce Schneier, the attackers' purpose was to reach the intercept capability that Google had built to satisfy US law enforcement requests. Schneier argues that Google, like other Internet companies, maintains a mechanism that grants access to user accounts when presented with a court order in a criminal investigation; Chinese officials, he contends, learned of this mechanism and ran an operation to reach it so that they could discover whether their agents in the United States had been detected. If US authorities had ordered Google to open suspected agents' accounts through that mechanism, Schneier explains, then a Chinese intrusion into the same mechanism would reveal which agents were under surveillance, allowing China to warn them to destroy evidence or flee.
B. Incident Response
The response to the attacks took place on three levels. First, within about a week of the public disclosure, Microsoft issued an out-of-band critical security update for the zero-day vulnerability the attacks were exploiting (Microsoft, 2010 Jan. 21). According to Microsoft, the update eliminates the vulnerability "by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes" (Microsoft, 2010 Jan. 21). Second, in its blog post announcing the attacks Google stated that it had "used the attacks to make infrastructure and architectural improvements that would enhance security for Google and its users." Google has released few details on what those improvements were, but it did announce two user-facing security changes: HTTPS by default for Gmail, announced the same day as the disclosure, and, some months later, "2-step verification" for Google accounts. HTTPS protects data from third parties by encrypting e-mail contents "as it travels between your web browser and our [Google] servers" (Schillace, 2010). 2-step verification protects against unauthorized access to an account by requiring not only a password but also a time-sensitive code delivered to the user by text message, mobile app or voice call. Neither measure helps a user whose own computer is already running Hydraq: encryption in transit and a second factor both assume a trustworthy endpoint, so they close the password-theft and phishing path rather than the malware path described above. Third, once the attacks were discovered Google ran a public education campaign to instruct its users in basic digital hygiene: using strong passwords, being wary of links and attachments they are not sure of, installing reputable antivirus software and applying operating system updates promptly. In addition, while that advice did not mention China by name, Google tacitly identified China as one of the more serious risks to Internet security and urged people to be aware of its methods so as to take appropriate measures to protect themselves.
Google's announcement that it would stop filtering and might shut down operations in a country with as many potential customers as China was remarkable in itself, but perhaps the bigger revelation was the scope, complexity and effect of a cyberattack launched with the resources of a state sponsor. On the one hand, the attacks made clear that even the most advanced information technology companies are vulnerable to a well-funded, well-resourced attack. On the other hand, the attacks helped bring about such advances as HTTPS by default, 2-step verification and Google's more recent decision to encrypt its mobile devices by default. In the end, however, Google's call to action has made it obvious that more must be done, including increased cooperation and information-sharing among technology companies, to bring about a continuous upgrading of defenses against such attacks.
BBC. (2011, Jun. 1). Google e-mail accounts compromised by 'Chinese hackers.' Retrieved on November 5, 2014, from http://www.bbc.co.uk/news/world-us-canada-13623378
Buley, T., & Greenberg, A. (2010, Jan. 14). Google China hackers' unexpected backdoor. Retrieved on November 5, 2014, from http://www.forbes.com/2010/01/14/google-china-mcafee-technology-cio-network-hackers.html
Drummond, D. (2010, Jan. 12). A new approach to China. [weblog] Retrieved from http://www.googleblog.blogspot.com/2010/01/new-approach-to-china.html
Girouard, D. (2010, Jan. 12). Keeping your data safe. [weblog] Retrieved from http://www.googleforwork.blogspot.com/2010/01/keeping-your-data-safe.html
Information Warfare Monitor. (2009, Mar. 29). Tracking GhostNet: Investigating a cyber-espionage network. Retrieved on November 5, 2014, from http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
Microsoft. (2010, Jan. 14). Microsoft security advisory 979352. Retrieved from https://technet.microsoft.com/library/security/979352
Microsoft. (2010, Jan. 21). Microsoft security bulletin MS10-002 - Critical. Retrieved from https://technet.microsoft.com/library/security/ms10-002
Mills, E. (2010, Jan. 13). Behind the China attacks on Google (FAQ). Retrieved on November 3, 2014, from http://www.cnet.com/news/behind-the-china-attacks-on-google-faq/
Nagaraja, S., & Anderson, R. (2009, Mar.). The snooping dragon: Social-malware surveillance of the Tibetan movement. Retrieved on November 3, 2014, from http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf
Schmugar, C. (2010, Jan. 14). More details on "Operation Aurora." [weblog] Retrieved from http://www.blogs.mcafee.com/mcafee-labs/more-details-on-operation-aurora
Schillace, S. (2010, Jan. 12). Default https access for Gmail. [weblog] Retrieved from http://www.gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html
Schneier, B. (2010, Jan. 19). Google vs. China. [weblog] Retrieved from https://www.schneier.com/blog/archives/2010/01/google_vs_china.html
Symantec. (2010, Jan. 19). The Trojan.Hydraq incident. Retrieved on November 3, 2014, from http://www.symantec.com/connect/blogs/trojanhydraq-incident
Thomas, T. L. (2010). Google confronts China's "three warfares." Retrieved on November 3, 2014, from http://www.strategicstudiesinstitute.army.mil/pubs/parameters/Articles/2010summer/Thomas.pdf
Villeneuve, N. (2010, Jan. 14). Chatter. [weblog] Retrieved from http://www.nartv.org/2010/01/14/chatter/
Wee, S., & Skovic, A. (2011, Jun. 2). Google reveals Gmail hacking, says likely from China. Retrieved on November 5, 2014, from http://www.reuters.com/article/2011/06/02/us-google-hacking-idUSTRE7506U320110602