Search giant Google has again sounded the alarm about sophisticated attacks emanating from mainland China and targeting officials within the U.S. and Asian governments, as well as human rights activists and journalists. Samples of some of the messages posted on an independent researcher’s blog indicate that personnel in the Department of State as well as the Department of Defense were targeted.
The company said in a blog post that it had disrupted a sophisticated campaign of e-mail account takeovers with origins in Jinan, China, that affected hundreds of Gmail users. The campaign was not directed at Google’s infrastructure or systems, but likely relied on phishing attacks and malware to harvest user login credentials. The campaign appears to have been designed to monitor the content of users’ email correspondence.
Victims of the scam include what Google described as “senior U.S. government officials, Chinese political activists,” and officials in South Korea and other Asian countries. Google says it detected the campaign using its cloud-based abuse detection systems, as well as an open source report from the blog Contagio dating back to February, 2011.
While Google provides few details on the attacks, the Contagio blog provides more. According to that post, by Mila Parkour, victims included “Government and non government employees working on questions of defense, political affairs, national security,” and so on.
Parkour describes what appears to be a classic spear phishing campaign. Victims of the scam received e-mail messages that appeared to come from “a close associate or collaborating organization/agency.”
The spoofed e-mail appears to contain an attachment, with links to “View” or “Download” it. Clicking that link leads users to a phony Gmail login page that harvests their credentials. Once the attackers had the credentials, they would log in to the victims’ accounts and create rules to forward e-mail messages to an account they controlled. Mail was read, and the compromised account was then used to conduct further spear phishing campaigns against the victims’ associates or family members.
Screen shots taken from the campaign show e-mail messages with subjects like “FW: Draft US-China Joint Statement” dating from January, 2011 and “FW:re:Introduction/China question” dated November 29, 2010.
Google said it has disrupted the campaign and notified victims and “government authorities.” The company did not accuse a country or group of being behind the campaign, but did say that the attacks originated from within China and that Chinese political activists were among the targets.
Gmail account hijacks were one component of the so-called Aurora attacks against Google and other Western firms in January, 2010. Those attacks relied on spear phishing e-mails and browser exploits (including a zero-day for Internet Explorer) to plant malicious code on users’ systems within target firms. Subsequent reports have described other, similar operations in the intervening months, including one the U.S. State Department dubbed “Byzantine Hades.”
Google said that users concerned about account takeovers should consider moving to the company’s two-factor authentication system and use a strong password for primary account access. Users might also consider reviewing their Gmail settings for suspicious forwarding addresses or delegated accounts, Google said. That review matters because forwarding rules, filters and delegations survive a password change: resetting the password alone does not cut off an attacker who has already set up forwarding.
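The two persistence tricks described above (a filter that silently forwards mail, plus a forwarding address or delegate the owner never added) are exactly what the recommended settings review should look for. The following is an added example, not Google’s code and not from the Contagio post: it audits three settings documents modeled on what the Gmail API returns from `users.settings.forwardingAddresses.list`, `users.settings.filters.list` and `users.settings.delegates.list`. The sample documents and the allowlist of known addresses are constructed for this example, and the exact field names are an assumption to check against the current API reference before running it on real output.

```python
"""Audit Gmail settings for attacker-installed forwarding and delegation.

Added example, not Google's code. Input shapes are modeled on the Gmail API
settings resources (field names assumed; verify against the API reference).
"""

# Constructed sample data: what a hijacked account's settings might look like.
FORWARDING_ADDRESSES = {
    "forwardingAddresses": [
        {"forwardingEmail": "me.backup@example.com", "verificationStatus": "accepted"},
        {"forwardingEmail": "archive-sync@mailbox-relay.example", "verificationStatus": "accepted"},
    ]
}

FILTERS = {
    "filter": [
        # Legitimate: file a newsletter under a user label.
        {"id": "f1", "criteria": {"from": "news@example.org"},
         "action": {"addLabelIds": ["Label_7"]}},
        # Attacker: forward anything sensitive and hide the copy from the inbox.
        {"id": "f2", "criteria": {"query": "draft OR statement"},
         "action": {"forward": "archive-sync@mailbox-relay.example",
                    "removeLabelIds": ["INBOX", "UNREAD"]}},
        # Attacker: swallow Google's own security notices so the owner never sees them.
        {"id": "f3", "criteria": {"from": "no-reply@accounts.google.com"},
         "action": {"addLabelIds": ["TRASH"]}},
    ]
}

DELEGATES = {
    "delegates": [
        {"delegateEmail": "assistant@example.com", "verificationStatus": "accepted"},
    ]
}

# Assumed allowlists: addresses the account owner knowingly configured.
KNOWN_FORWARDING = {"me.backup@example.com"}
KNOWN_DELEGATES = set()

# Label changes that keep a message out of the owner's sight.
HIDING_LABELS = {"INBOX", "UNREAD", "TRASH", "SPAM"}


def audit_forwarding(forwarding, known):
    """Flag verified forwarding addresses that are not on the owner's allowlist."""
    findings = []
    for entry in forwarding.get("forwardingAddresses", []):
        addr = entry["forwardingEmail"]
        if entry.get("verificationStatus") == "accepted" and addr not in known:
            findings.append(("unknown-forwarding-address", addr))
    return findings


def audit_filters(filters):
    """Flag filters that forward mail, and filters that hide mail from the owner.

    A forward combined with archive/mark-read/delete is the classic stealth
    pattern; a hide-only filter is a weaker signal and is reported for review.
    """
    findings = []
    for f in filters.get("filter", []):
        action = f.get("action", {})
        touched = set(action.get("removeLabelIds", [])) | set(action.get("addLabelIds", []))
        hides = bool(touched & HIDING_LABELS)
        if "forward" in action:
            kind = "stealth-forward-filter" if hides else "forward-filter"
            findings.append((kind, f["id"], action["forward"]))
        elif hides:
            findings.append(("hiding-filter", f["id"], f.get("criteria", {})))
    return findings


def audit_delegates(delegates, known):
    """Flag accepted delegates (full mailbox access) the owner did not add."""
    return [("unknown-delegate", d["delegateEmail"])
            for d in delegates.get("delegates", [])
            if d.get("verificationStatus") == "accepted" and d["delegateEmail"] not in known]


def audit_account(forwarding, filters, delegates, known_forwarding, known_delegates):
    """Run all three checks and return the combined list of findings."""
    return (audit_forwarding(forwarding, known_forwarding)
            + audit_filters(filters)
            + audit_delegates(delegates, known_delegates))


if __name__ == "__main__":
    for finding in audit_account(FORWARDING_ADDRESSES, FILTERS, DELEGATES,
                                 KNOWN_FORWARDING, KNOWN_DELEGATES):
        print(*finding)
```

To run this against a real account, fetch the three documents with an authorized Gmail API client (for example `service.users().settings().filters().list(userId="me").execute()` from google-api-python-client) and pass them in place of the constructed samples. Treat any finding as a reason to remove the rule, revoke the address or delegate, rotate the password, and then re-run the audit, since the ordering matters: rotating the password first leaves the forwarding rule in place.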