The attack that compromised Google’s corporate network and the systems of more than 30 other companies in recent weeks appears to be the work of smart, careful and very well-informed attackers who knew exactly whom to target and what to take once they were inside, security experts say.
Google, and perhaps the other companies, appear to have been the victim of a targeted attack that used a malicious PDF file to exploit an unpatched flaw in Adobe Reader and gain access to the company’s network, according to Wired. Their target: Google’s source code.
In a statement released Tuesday, Google’s chief legal officer, David Drummond, said the company “detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.”
Also on Tuesday, Adobe officials disclosed an attack on their own networks, which they characterized as “sophisticated.” However, a company spokeswoman said Adobe could not say for certain whether the attack was related to the one on Google.
“The investigation into this incident is still ongoing. They appear to be related given the timing of the discoveries, but until the investigation is completed we won’t be able to confirm,” Wiebke Lips, senior manager of corporate communications for Adobe, said.
But while the details of these attacks are still coming to light, the attacks themselves should come as no surprise. Companies such as Google and Adobe are prime targets for smart attackers, regardless of whether those attackers are state-sponsored or privately funded. Google’s various sites and applications hold a huge amount of incredibly valuable data, and Adobe’s software runs on hundreds of millions of PCs around the world. Having access to the source code for these applications would be a dream scenario for an attacker.
“These attackers were going after source code and intellectual property; they’re not going after credit card numbers at Google or Adobe. But that doesn’t necessarily mean it was a nation-state, just that it was someone who is as sophisticated as a nation-state,” said Chris Wysopal, CTO of Veracode. “It’s a big wave of wake-up calls that companies with valuable intellectual property are going to be hit with the same force as financial institutions. The attackers can sell the source code to a competitor or to someone looking for exploits in that code.”
The larger point, though, is that this kind of sophisticated, targeted attack is not a rarity. Security researchers have been watching these attacks for several years and there have been periodic stories about similar infiltrations of U.S. military and government networks. But the difference with the Google and Adobe attacks is that the two companies are speaking publicly about the incidents. The accounts don’t offer much detail and Google has a very clear motive for publicizing the attack on its network.
But what shouldn’t be lost in the political discussions is the fact that zero-day attacks are happening on a widespread basis and the attackers are not amateurs.
“There are a lot of zero-days out there and there’s so much activity it’s hard to tell what’s being used where,” Wysopal said. “But it’s clear that there are several sophisticated teams out there that have the command and control and the skills and personnel to take advantage of zero-days when they get them. Once you have the command control set up and the zero-day in commonly used software and the team in place, you go after the most valuable targets. You can walk through walls in that scenario.
“The fact that Google is going public is very good news for people who are trying to get the word out about this stuff and the state of insecure software. This is showing the consequences of a sophisticated attack and it helps security people make the argument about the need to protect intellectual property,” Wysopal said.