- Posted March 15, 2010 by
China cyber attacks: Criminal or military?
A Chinese-origin computer attack on Google and several other U.S. companies continues to reverberate within U.S. government and private security circles, with many within the U.S. intelligence community suspecting strongly that China’s government or military was behind the attack.
However, a private security firm recently identified key patterns behind the December to February internet attack on Google and several other major companies that prompted Google to threaten to pull out of China because of suspected government involvement in the attack.
The security company Damballa stated in a report that the attack, which used a botnet and was dubbed Operation Aurora, appears more likely to be a criminal attack using previously known techniques.
Damballa stated that its analysis is based on past dealings with thousands of enterprise-targeted botnets, leading the company to believe that “criminal operators behind the attack are relatively unsophisticated compared to other professional botnet operators.”
Other security analysts, however, said the company may have failed to understand that the Chinese, steeped in deception and strategic misdirection, likely masked the attack to make it appear less sophisticated and also to make it appear that it was carried out by non-government entities for deniability.
One U.S. official said that tracing the origins of such an attack is difficult but that based on available information the most likely source of the attack was the Chinese government or Chinese military.
The military nexus is based on indications that two Chinese educational institutions, the Lanxiang Vocational School, which has been linked by U.S. intelligence to the Chinese military, and Shanghai Jiaotong University were behind the cyberattacks.
Google, after learning of the attacks that included breaking into Gmail accounts of Chinese dissidents, contacted the National Security Agency, which conducted an assessment of the attack. Other companies that were hit included Adobe, Rackspace, Yahoo! and Northrop Grumman.
Google, in a statement, said the attacks were highly sophisticated but did not provide details.
Damballa stated in its report that host computers that were penetrated by Aurora botnet agents and rallied to botnet Command and Control channels “were distributed across multiple countries before the public disclosure of Aurora, with the top five countries being the United States, China, Germany, Taiwan and the United Kingdom.”
The report said the botnet used relatively old techniques that it said were rarely used by professional botnet criminal operators, and that the attack appeared to be carried out by “new and amateur botnet operators.”
“The criminals behind the Google attack appear to have built and managed a number of separate botnets and run a series of targeted attack campaigns in parallel,” it stated.