Google looks set to end its operations in China after it suffered from ‘a highly sophisticated and targeted attack’.
According to David Drummond, SVP corporate development and chief legal officer at Google, the web giant detected the attack in mid-December on its corporate infrastructure originating from China that resulted in the theft of intellectual property.
He said that there were three key aspects of the attack. Firstly, it hit major websites and services; secondly, he said that he had evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists; and thirdly, he said he had discovered that the accounts of dozens of US, China and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties.
Drummond said: “We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users.
“In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online.”
He said that Google had taken the ‘unusual step of sharing information about these attacks with a broad audience’, partly for the security and human rights implications of the discovery, but also because the information ‘goes to the heart of a much bigger global debate about freedom of speech’.
The Chinese Google site Google.cn was launched exactly four years ago, and Google said then that it would ‘carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China’.
Drummond admitted that the attacks, the surveillance uncovered and the attempts over the past year to further limit free speech on the web had led Google to conclude that it should review the feasibility of its business operations in China.
He said: “We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognise that this may well mean having to shut down Google.cn, and potentially our offices in China.
“The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.”
Eli Jellenc, head of international cyber intelligence at iDefense, said: “The attack bears significant resemblance to a July 2009 attack in which attackers launched targeted email campaigns against approximately 100 IT-focused companies. The July attack employed a PDF file that exploited a zero-day vulnerability in Adobe Reader.
“According to sources familiar with the present attack, attackers delivered malicious code used against Google and others using PDFs as email attachments; those same sources also claim that the files have similar characteristics to those distributed during the July attacks. In both attacks, the malicious files drop a backdoor Trojan in the form of a Windows DLL.
“The code samples obtained by iDefense from the July attack and the present attack are different, but they contact two similar hosts for command-and-control communication. The servers used in both attacks employ the HomeLinux Dynamic DNS provider, and both are currently pointing to IP addresses owned by Linode, a US-based company that offers virtual private server hosting.
“The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other. Considering this proximity, it is possible that the two attacks are one and the same, and that the organisations targeted in the Silicon Valley attacks have been compromised since July.”
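The infrastructure pivot Jellenc describes (two dynamic-DNS command-and-control hosts resolving into the same subnet, a few addresses apart) is the kind of check a defender can run over their own resolver logs. The following is an added example, not code from the article or from iDefense: it flags resolutions of hostnames under assumed HomeLinux dynamic-DNS suffixes, groups the returned addresses by /24 and reports how far apart they sit. The log lines and the RFC 5737 documentation addresses in them are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample resolver log (not real data): time, client, hostname, resolved IP.
SAMPLE_LOG = """\
2010-01-12T10:01:07Z 10.0.0.21 updates.example-corp.com 198.51.100.7
2010-01-12T10:02:11Z 10.0.0.21 node-a.homelinux.net 203.0.113.10
2010-01-12T10:05:43Z 10.0.0.35 cdn.example.net 192.0.2.44
2010-01-12T10:06:00Z 10.0.0.35 node-b.homelinux.org 203.0.113.16
2010-01-12T10:07:15Z 10.0.0.35 node-c.homelinux.com 198.51.100.200
"""

# Assumed dynamic-DNS suffixes to flag; extend this from your own threat intelligence.
DYNDNS_SUFFIXES = ("homelinux.com", "homelinux.net", "homelinux.org")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)$")

def parse_log(text):
    """Return (client, hostname, ip) tuples, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(2), m.group(3).lower(), ipaddress.ip_address(m.group(4))))
    return out

def is_dyndns(host):
    """True when the hostname is, or sits under, one of the flagged dynamic-DNS suffixes."""
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)

def dyndns_by_subnet(records, prefixlen=24):
    """Group dynamic-DNS resolutions by the /prefixlen network their addresses fall in."""
    groups = defaultdict(list)
    for _client, host, ip in records:
        if is_dyndns(host):
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            groups[net].append((host, ip))
    return groups

def related_hosts(records, prefixlen=24):
    """Pairs of distinct dynamic-DNS hosts resolving into one subnet, with address distance."""
    pairs = []
    for net, members in dyndns_by_subnet(records, prefixlen).items():
        members = sorted(set(members), key=lambda m: int(m[1]))
        for i in range(len(members)):
            for j in range(i + 1, len(members)):
                (ha, ia), (hb, ib) = members[i], members[j]
                if ha != hb:
                    pairs.append((str(net), ha, str(ia), hb, str(ib), int(ib) - int(ia)))
    return pairs

if __name__ == "__main__":
    for p in related_hosts(parse_log(SAMPLE_LOG)):
        print("subnet %s: %s (%s) and %s (%s) are %d addresses apart" % p)
```

A hit only says the hosts share hosting, as Jellenc's own wording ("it is possible") reflects; treat it as a lead to corroborate with sample analysis, not as attribution on its own.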
Mary Landesman, senior security researcher at ScanSafe, said: “This industry targeting is not new to ScanSafe. In late 2008, ScanSafe released a report that discussed our analysis of web malware encounters among 21 industry verticals, including evidence of specific targeting of highly sensitive verticals.
“Further, we've warned for some time that even mass-distributed malware becomes targeted once that malware gets into the corporate network - its actions will change depending on who the company is or to which industry they belong.”