Recent Internet attacks from China against Google and other U.S. companies will more than double this year if the pace during the first two months continues, a security expert says.
This type of attack has been increasing over the past two years, with F-Secure spotting 1,968 such examples in 2008, 2,195 in 2009 and 895 so far this year, said Mikko Hypponen, chief research officer for F-Secure, who during RSA Conference held a private briefing on the attacks.
Unlike other malware attacks, these are fashioned for specific targets and are used only once. “In these cases, you are the only organizations in the world to get hit and no one else, and the attacker has done his homework,” Hypponen said.
Operation Aurora, the attack against Google earlier this year, is one of thousands observed by security vendor F-Secure, but one of the few where the victim has made the incident public. Similar activity dates back at least six years targeting governments, businesses with military contracts, and non-governmental agencies advocating for human rights, he said.
Some human-rights groups are hit an average of 10 times per month, and one in particular has been attacked continuously since 2004, he said. “Whoever wants to gain access to these people’s computers is very, very serious,” Hypponen said.
While he has no smoking-gun evidence that China is behind the attacks, tying IP addresses to China and the massive scale and coordination of the attacks point to the Chinese government. He said it is curious that such attacks by other governments have not been sighted, given that they can be effective ways to glean information. That may be because they don’t do it, or they do it in ways that are more stealthy, or perhaps they mask what they do behind Chinese IP addresses, he said.
The attacks are carried out by spear phishing someone in an organization with an e-mail that would be of professional interest. A PDF or other attachment to the e-mail contains malware that exploits a PDF weakness and launches a Trojan when the attachment is opened. The malware launch crashes the PDF reader, but the Trojan installs successfully. When the reader re-launches, a legitimate document opens, Hypponen said, making the victim think the Trojan launch and crash of the reader were just a glitch.
Hypponen showed examples of the phishing attempts. One e-mail message purportedly written by a CNN reporter seeks an interview with the e-mail recipient and says that the attached file contains a list of questions the reporter wants to ask.
In another case the e-mail was sent to a human rights organization, and the message said the attachment contained details about how such organizations were being targeted by phishing attacks that unleash malware from attachments.
Phishing messages in English and all European languages have been found within these e-mails, all written as if by native speakers of the languages. “Most of us would fall for these,” Hypponen said.
Over time, he said, the applications supporting the malware attachments have shifted. In 2008 28.61% of the attacks exploited Adobe Acrobat flaws; today, 69.7% exploit the reader. Microsoft Word is number two with 22.1%.
Some of these infections have been successful long-term, including one in which the laptop of a U.K. military contractor was sending data to an IP address in Taiwan undetected for 18 months, Hypponen said.
The attackers send from domains that are sometimes chosen to make it seem that traffic from them is legitimate. For instance, some use kabersky.com, a possible fat-fingered misspelling of security firm Kaspersky that might be overlooked by someone skimming through log files. Others include adobeupdating.com and symantecs.com.