In a huge disclosure today, Google said a sophisticated and targeted cyber attack against its corporate infrastructure late last year was aimed at accessing the Gmail accounts of Chinese human rights activists. As a result of the incident, the company says it will no longer censor search results on behalf of the Chinese government, and that it may in fact cease operations in the country altogether.
In a posting to its Official Google Blog, the company said that in mid-December a “highly sophisticated and targeted attack” against its internal systems “resulted in the theft of intellectual property from Google.” The search engine giant said that the attack also struck at least 20 other large companies from a wide range of businesses, and that it is currently in the process of notifying those companies.
Google said it has evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.
“Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,” the company said. “We have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.”
As a result of the attacks, Google says it is no longer willing to continue censoring Google.cn search results. From the Google announcement:
“We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that ‘we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China.’
These attacks and the surveillance “they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.
The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.”
Google didn’t say exactly how the attackers managed to break into its corporate infrastructure, but it did warn users to be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. The company also references the targeted attacks that led to the creation of Ghostnet, a massive spying ring targeting Chinese dissident groups that relied heavily on targeted e-mail attacks.
The disclosure also comes on the day that Adobe Systems issued a long-awaited update to fix a critical security flaw in its Adobe Reader and Adobe Acrobat software that hackers have been using in just these sorts of targeted attacks since the vulnerability was first detailed roughly one month ago.
There is evidence to suggest that this same vulnerability may have been used in the attack disclosed by Google, or that Adobe itself was among the other companies targeted. In a blog post of its own today, Adobe’s Pooja Prasad writes that “Adobe became aware on January 2, 2010 of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies. We are currently in contact with other companies and are investigating the incident. At this time, we have no evidence to indicate that any sensitive information–including customer, financial, employee or any other sensitive data–has been compromised. We anticipate the full investigation will take quite some time to complete. We have and will continue to use information gained from this attack to make infrastructure improvements to enhance security for Adobe, our customers and our partners.”
UPDATE, 7:22 p.m. ET: I just spoke with Wiebke Lips, Adobe’s senior manager for corporate communications. She said the incident referenced in the Adobe blog post was unrelated to the Google attack. “It was just a bad coincidence that these came out on the same day. We’re still investigating this whole issue, as is Google. We had this quarterly update scheduled for the last three months. This was to go out today and we did a pre-announcement a week ago. It just so happened that our announcement went live at the same time as Google’s.” She said she could not elaborate on what incident(s) prompted their blog post about the sophisticated attack that Adobe became aware of on Jan. 2.
Update, 5:54 p.m. ET: It seems Adobe has done an about-face on this. Adobe’s Wiebke now says the attack on its corporate systems was related to the attack on Google’s systems. Wiebke’s response to my latest “WTH?” e-mail:
“The investigation into this incident is still ongoing. What we are saying is that the incidents appear to be related given the timing of the discoveries, but until the investigation is completed we won’t be able to confirm.”
Original Post:
Incidentally, if you use Adobe Reader or Adobe Acrobat, you might want to apply the security updates that Adobe released today, available here. I will post a separate entry shortly that delves into this Adobe update a bit more.
It should be fascinating to watch the fallout from this attack in the days and months ahead. Stay tuned.
Google has been hoist on its own petard. They agreed to doing some censorship in order to get a toe in the giga-market of China, and ….look what happens. Google has now no doubt learned that there’s only one way in China…the establishment way.
The accounts read as if there are lots of very vulnerable Chinese employees just now…..unless they were “doubled”.
I don’t blame Google. After all, gmail accounts are attractive to people all over the world, whether Google has offices in their countries or not. And there’s no rule you need offices in China to be the victim of Chinese hackers. There would have been attempts to access those email accounts even if Google had never gone into China.
Ghostnet was a big story, but it has faded from the spotlight. Google.cn pulling out of China is another big story. Each time something like this happens, it is an embarrassment to the Chinese government. Each small event makes it harder for China to continue their current policies. At some point, China’s desire to participate in the global economy will outweigh their paranoia about the Dalai Lama and the censorship will start being scaled back.
If Google had never done business in China because of their distaste for censorship, that would not have been very newsworthy. While I’m not happy that any human rights activists’ (or Google.cn employees’) lives were put at risk, I think that in the long run, this type of event will advance the cause of human rights in China more than outright boycotts would.
I think Google is making the right move morally in response to the indefensible censorship demanded by the Chinese government. It’s also a smart business move, since Google hasn’t been very competitive against Chinese search engines in the Chinese market. Most Chinese Internet users won’t notice if Google.cn gets shut down, but there would be some unhappy people if Gmail were blocked. For people living in China, the good news (in the short term) is that your Gmail account is safe from the Chinese government unless they manage to steal your password or hack in; at least they don’t have easy access the way they undoubtedly do with Chinese email providers.
The interface between the Post-Mao/Red Army Dynasty and the G-7/EU/Anzac online world continues to unfold. Thanks for the info on Google’s weakness in the PRC search market.
The unvarnished fact is that the current PRC government is a hybrid of Confucian ethos and quasi-Fascism with an overlay of Maoist rhetoric. Its economy is as at-risk as any of the above counterparties. Since its stability depends on economic growth, expect online censorship to increase in intensity. We’ll see how much information filters into China and how much effect it has on public opinion. This Google news is a piece of the mosaic.
Great post! Thanks for sharing your thoughts and insight. If I want to get a hold of you, what would be the best way to get in touch? Thanks a lot and I look forward to meeting with you!
Eugene- In the About the Author page underneath the banner there are several ways you can get in touch. Probably the most direct is to send an email to krebsonsecurity at gmail dot com.
Can’t help thinking that a move to withdraw from China on the part of Google may be motivated more by the company’s inability to win market share from Baidu than by concern over the December hack or censorship issues. Rumours of a possible Google withdrawal from China have circulated for some time ; personally I think doing so would be unfortunate both for Google and for China….
Henri
Update : Here a link (http://preview.tinyurl.com/y85ezeq ) to the latest statistics on browser market share in China….
Maybe Google isn’t as evil as I had them pegged to be.
Looks like Adobe is changing their tune now:
‘ “We are still in the process of conducting our investigation into the incident,” said Wiebke Lips, Adobe’s senior manager of corporate communications, in an e-mail reply to questions today. “[But] It appears that this incident and the one Google announced earlier are related.” ‘
http://www.computerworld.com/s/article/9144378/Hackers_used_rigged_PDFs_to_hit_Google_and_Adobe_says_researcher
Yeah, thanks David. I actually just added an update to that effect in this story. Thanks, Adobe for being so truthy.
Don’t confuse security issues with PR
http://1raindrop.typepad.com/1_raindrop/2010/01/cyberattacks-happen.html
Wish people could learn to use HTML or bit.ly to shorten URLs so they don’t trash other people’s blogs.
Nice article looking forward to more info.