A sophisticated attack targeting the corporate infrastructures of up to 33 Silicon Valley tech firms is believed to have originated in China and may be an attempt by Chinese government agents to track down Chinese human rights activists, according to a disclosure issued Tuesday by search engine giant Google.
In the announcement, Google said a "highly sophisticated and targeted attack" resulted in the theft of intellectual property from its systems. The company said it planned to enter talks with the Chinese government and would stop censoring its search results in the country. The company has been in a battle with Chinese search engine Baidu. Google was criticized in 2006 when it entered the Chinese market and began censoring some search engine results, blocking websites owned by Chinese human rights activists. Google said it may pull its operations out of China altogether.
Google Gmail accounts targeted in hack attacks
According to Google, two Gmail accounts of Chinese human rights activists were hacked and it believed the goal of the Gmail attacks was to gather information against people that it deemed a threat. The company said it would notify the other tech firms that have been targeted in the wave of attacks.
"We have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties," Google said in a post on the Official Google Blog. "These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers."
Details on how the hackers conducted the Gmail attacks is slim, but security analysts at VeriSign Inc.'s iDefense Labs released a media advisory late last night saying the hackers targeted "mainly source code repositories." Citing unidentified sources, the firm said more than 30 tech firms were targeted in a series of attacks that may have started in July when a similar style attack targeted 100 IT-focused companies using email messages containing malicious PDF files. Financial institutions and defense contractors are also believed to have been targeted, VeriSign Inc. said.
"According to sources familiar with the present attack, attackers delivered malicious code used against Google and others using PDFs as email attachments; those same sources also claim that the files have similar characteristics to those distributed during the July attacks," VeriSign's iDefense said in its announcement. "In both attacks, the malicious files drop a backdoor Trojan in the form of a Windows DLL."
VeriSign said the two attacks share the similar IP addresses and use the same command-and-control structure. The addresses are owned by Linode LLC, a US-based company that offers virtual private server hosting.
"Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July," VeriSign said.