Google is reportedly looking into the possibility that one or more staff members at its office in China helped enable the attack on its infrastructure in mid-December.
After the attack was discovered, some Google China employees were denied access to internal networks, while others were put on leave, and still others were sent off to offices elsewhere in the Internet search giant’s Asia-Pacific operations, according to a Reuters report.
Google did not return requests for comment by press time.
Why Is Google Looking Inward?
The attack on Google was conducted through a zero-day vulnerability in the Internet Explorer 6 browser using the Hydraq Trojan, according to reports. Hydraq, discovered Jan. 11, affects Windows 2000, Windows Server 2003, Windows Vista and Windows XP, according to security vendor Symantec. It may arrive in an email or be dropped or downloaded by another threat.
Once it lands on a PC, the Trojan creates a service, registers it, then opens a back door that lets a remote attacker perform various actions on the machine. These include adjusting token privileges, downloading and executing a remote file and reading, writing, executing, copying and changing attributes.
Despite this, Symantec rates the risk level for Hydraq as very low. The sophistication of the attack on Google depended on correctly pinpointing the correct parts of its infrastructure to hit. This is what raised suspicions that the attack had help from insiders.
Any Rats in These Tunnels?
While the attack may have received assistance from the inside, it doesn’t necessarily mean that Google China staff cooperated with the attackers, Scott Crawford, a research director at Enterprise Management Associates (EMA), told TechNewsWorld.
“Exploiting of the vulnerabilities discussed so far on a system connected to sensitive corporate networks could have led to exposure of sensitive internal information, so an insider could have been a victim as well as an attacker,” he pointed out. “The vulnerabilities discussed in connection with this incident could have been exploited by spearphishing or by someone visiting a compromised Web site, however, which would not necessarily make them an attack launched by an insider.”
Spearphishing is a targeted version of phishing, a form of attack in which victims receive a link that appears to take them to a trusted site. The site, however, is an imposter, and it often drops in malware or sends whatever login information the victim inputs back to the attacker. Such sites are often very accurate duplicates of genuine Web sites.
Widening the War
The effects of the Google-China conflict are spreading — Google archrival Yahoo has drawn fire for speaking out on the issue.
Yahoo, which is reportedly one of the other large companies Google discovered had also been hit by hackers, had come out in support of Google’s stance on the issue.
That triggered criticism from Alibaba.com, to which it sold off its China business in 2005 and in which it holds a 40 percent stake. Alibaba said Yahoo’s stance was reckless.
Yahoo did not respond to requests for comment by press time.
There is little Google can do if it finds out the attack had help from insiders, EMA’s Crawford said. “Google could take action against specific individuals, but it seems unlikely that, for example, replacing one set of Chinese nationals with another would be an effective strategy,” he pointed out.
“Regardless, Google’s exposure to both external and internal threats — digital and otherwise — largely remains unchanged by personnel actions, and it seems that even political measures would have any immediate, lasting effects.”