Home / Blogs

Closing in on the Google Hackers

Joseph Menn has an article on CNN.com wherein the crux of the story is that US experts are closing in on the hackers that broke into Google last month. It is believed by some that the Chinese government sponsored these hackers. China, naturally, denied involvement. My own take is that tools today are sophisticated enough such that you don’t necessarily need state sponsorship in order to launch a cyber attack. Here is an excerpt from Menn’s article:

U.S. analysts believe they have identified the Chinese author of the critical programming code used in the alleged state-sponsored hacking attacks on Google and other western companies, making it far harder for the Chinese government to deny involvement.

Their discovery came after another team of investigators tracked the launch of the spyware to computers inside two educational institutions in China, one of them with close ties to the military.

A freelance security consultant in his 30s wrote the part of the program that used a previously unknown security hole in the Internet Explorer web browser to break into computers and insert the spyware, a researcher working for the U.S. government told the Financial Times. Chinese officials had special access to the work of the author, who posted pieces of the program to a hacking forum and described it as something he was “working on”.

In other words, a hobbyist programmer with a lot of time on his hands, and a lot of knowledge in his head, was working on something where he was looking to break Microsoft’s Internet Explorer web browser.

Continuing onward:

Beyond the immediate forensic inquiry, the work of U.S. researchers sheds light on how cyber-operations are conducted in China.

The man who wrote code to take advantage of the browser flaw is not a full-time government worker, did not launch the attack, and in fact would prefer not be used in such offensive efforts, according to the U.S. team that discovered his role.

This is similar to the Estonian cyber attacks in 2007. Back then, the Estonian government accused the Russian government of instigating the attacks, and the Russian government denied involvement. As it turned out, an aide to a Russian state Duma representative did claim responsibility but specifically denied it as an act of the Russian government. It appears that he was angry at the Estonian government for taking down a war monument and in response, launched a cyber riot. Similarly in 2008, hackers launched a DOS attack on the Georgian government. Like Estonia before it, this appears to have been a case of a group of nationalist people getting together, pooling their criminal resources and launching an attack at an enemy using cyber warfare.

In this case, the author of the code doesn’t work for the Chinese government, and neither did the Estonian or Georgian attackers. This code writer wouldn’t even want his work to be used in cyber attacks, but that cat is out of the bag now. Just like Alfred Nobel regretted his decision to invent dynamite, this guy can’t take back what he was wrought. If you are looking for security exploits in a browser to do nefarious things, someone can take your code and use it in ways that you didn’t expect.

Continuing onwards:

“If he wants to do the research he’s good at, he has to toe the line now and again,” the U.S. analyst said. “He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing. The state has privileged access to these researchers’ work.”

It’s unclear if the Chinese government was peering over his shoulder and stealing his code, or if someone in the middle stole it and delivered it to the Chinese government, or even if the Chinese government was even involved.

Continuing, we start to get some light shed on this situation:

A separate team of U.S. contractors has traced the launch of the spyware to computers at Shanghai Jiaotong University and Lanxiang Vocational School, according to two people familiar with that inquiry.

Jiaotong University has one of the best security departments in the country, U.S. analysts said, with former government cyber commanders in residence. The state-run Xinhua news agency said officials at both schools denied involvement. In theory, outsiders could have compromised both schools’ machines before using them to collect data from the Western companies.

But US analysts said at least Jiaotong University’s networks are closely monitored, making them an odd choice for an independent attacker seeking to avoid detection. In addition, “Our investigation shows the hosts that did the attacks were not compromised that we could tell”, said an analyst involved in that probe.

In my experience (I run outbound mail for millions of users), universities are breeding grounds for compromised servers. Not a week goes by when we don’t have at least one incident where somebody has been phished and then the account starts spewing out piles of outbound spam. And this goes on all the time. So, the fact that the spyware was launched from a university should come as no surprise. If you’ll allow me to craft a theory, it would go something like this:

Students like to play a lot of online role playing games like World of Warcraft. One of the most common worms today is the Taterf worm, which steals passwords to MMORPG games like WoW. This worm is spread via thumb drives and misconfigured network drives. Perhaps some students in China were playing games, somebody spread around some malware (inadvertently) and installed a password stealer, or a code stealer. The Chinese have lots of pirated software and don’t have the best security practices. China + universities = recipe for disaster.

Meanwhile, a security consultant (read: PhD student who knows tons and tons about security and was working on it for his thesis) has caught the eye of the Chinese government, or someone else who wants to steal secrets from Google. This grad student likes to relax and play video games every once in a while, and if you have ever been to China, you know that males between the ages of 18-29 are forever found in Internet cafes playing MMORPGs. Maybe his network gets compromised, maybe his computer gets infected with malware, but somehow or another, his system gets hacked and his code is stolen.

Or maybe it isn’t stolen. Maybe he is experimenting one day and one of the side effects is that his worm gets out of control (like a bad movie) and steals Google credentials. Or maybe he works for Baidu (or perhaps they are funding his research) and they steal the code and use it against Google.

Note the phrase that “Jiaotong’s network’s are closely monitored” and “the hosts did not appear compromised.” That would indicate that whoever stole the information did so willingly and there was not malware installed on the networks. It would have to be a deliberate act.

Or would it? Many people who are infected wouldn’t necessarily know it or recognize it. The fact is we don’t really know enough to determine if this was a conspiracy or not. What it sounds like is that some guy wrote some software that exploits a security flaw and this was used by someone with malicious intent. Was it the Chinese government? Was it private enterprise? Or was it some students using it to see if they could do it? I don’t know enough about the details of the case, but neither would surprise me.

By Terry Zink, Program Manager

Filed Under


So - yes, you dont know one way or the other who did it Suresh Ramasubramanian  –  Feb 27, 2010 1:51 PM

You might try Joe Menn’s Fatal System Error book for more of the same.  Its gray enough.

One political party staffer?
One or more corrupt police officers? (in the Menn book)

It is a matter of scale - and sometimes people make their conclusions by seeing how much the government (that is, relevant law enforcement agencies, country CERT etc) does to repudiate / helps to mitigate whatever damage is caused.

Again, very gray areas, tough to draw conclusions (or equally easy for one person to draw them one way, and for another to draw them the entirely opposite way)

I'm planning to read Menn's book as Terry Zink  –  Feb 27, 2010 7:55 PM

I’m planning to read Menn’s book as it naturally dovetails with my above article.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign


Sponsored byDNIB.com

New TLDs

Sponsored byRadix