Researchers identify command servers behind Google attack

VeriSign's iDefense security lab has published a report with technical details about the recent cyberattack that hit Google and over 30 other companies. The iDefense researchers traced the attack back to its origin and also identified the command-and-control servers that were used to manage the malware.

The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator.

Citing sources in the defense contracting and intelligence consulting community, the iDefense report unambiguously declares that the Chinese government was, in fact, behind the effort.

"The source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof," the report says.

The iDefense report initially stated that malicious PDFs were crafted to deploy the malware that was used in the attack. Adobe disputed that claim and issued a statement saying that they have found no evidence that their technology was used as an attack vector. This is supported by independent research conducted by security firm McAfee, which has found evidence that a vulnerability in Internet Explorer—but not Acrobat Reader—was exploited in the attack. iDefense later retracted its claim about PDFs, but stands behind the rest of its report.

The researchers have determined that there are significant similarities between the recent attack and a seemingly related one that was carried out in July against a large number of US companies. Both attacks were apparently managed through the same command-and-control servers.

"The servers used in both attacks employ the HomeLinux DynamicDNS provider, and both are currently pointing to IP addresses owned by Linode, a US-based company that offers Virtual Private Server hosting. The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other," the report says. "Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July."

If the report's findings are correct, it suggests that the government of China has been engaged for months in a massive campaign of industrial espionage against US companies.

Loading Comments: