Google Attack Was Tip of the Iceberg

The recent disclosure by Google, Adobe and other companies that their networks had been thoroughly compromised by attackers who may have been after their source code has prompted a tremendous amount of discourse both in the security community and in the general public about the political and commercial implications of the attacks. But the fact of the matter is that the attacks themselves were neither remotely unique nor particularly clever. And that is what should be worrying lawmakers, corporate security specialists and anyone else with some skin in the game.

From all of the publicly available information, it looks like Google, Adobe and at least some of the other unnamed victims of the Aurora attacks were compromised by what amounts to a relatively pedestrian phishing attack. Security researchers have said that the attackers sent emails and instant messages to specifically targeted employees at Google. When the recipients clicked on the links in the messages, it started a chain reaction that exploited a previously unknown vulnerability in Internet Explorer and installed malware on the user’s PC. From then on, it was open season for the attackers, who had several footholds on Google’s network and leveraged them to gain access to more sensitive systems.

Which part of that sounds sophisticated?

Really, the only interesting thing is that the attackers used an unknown IE flaw, and even that’s stretching the definition of “interesting.” Security researchers have been saying for years now that attackers are using zero days as a matter of course. They buy and sell exploits for vulnerabilities that Microsoft, Adobe, Oracle and other software makers have never heard of, use them until they’re burned and then move on to the next one. And it’s not just intelligence agencies or state-sponsored groups who operate on this level; it’s simply the way things work now. One researcher called the use of zero days a “baseline.”

This is not The New New Thing, or even The somewhat new thing. It’s Attacking 101 now, and while the federal government and others scramble to understand the threat, the attackers are moving on to other techniques and strategies, secure in the knowledge that they’re several steps ahead.

It’s not difficult to find the parallels between the current uproar over advanced persistent threats (read: custom malware) and the fight against terrorism. In the years leading up to the 9/11 attacks, intelligence officials ignored warnings about the growing threat of loosely connected terrorist groups gaining strength in Afghanistan, Yemen and elsewhere who were planning to attack the United States. After the attacks, the government spent billions of dollars protecting against the techniques the 9/11 attackers used and reacting to each new attack (shoe bombs, liquid/gel bombs, Underoos bombs) in similar fashion, always playing catch-up.

That’s a pretty good outline of what’s been happening in parts of the security community and in Washington in the years before the Google attack and in the weeks since it became public. A lot of people–including me–have had a lot of fun at the expense of Richard Clarke for constantly trotting out the “digital Pearl Harbor” bogeyman to illustrate the weakness of the country’s network defenses and the dire need for more money and research on information security. But while that phrase itself still rings false, the idea behind it does not.

The Google attack is not the sort of huge, national-level event that Clarke was constantly on about, and hopefully there won’t ever be one on that scale. What the Aurora attack is, however, is the public face of a threat that has been hidden from most people’s view for far too long. It’s the common, albeit cleverly targeted, attack that is going on every day on networks around the world.

It’s the new normal.

Discussion

  • junie urbina on

    I would like to receive news so I can stay more up to date on the matter. I am a Kaspersky customer and I am very satisfied. Does this involve any cost, or is it free?

    Thanks

  • antihacker101 on

    I am gonna stretch this info until it is highly addressed. Everyone is getting hacked, and it seems no one knows what's going on. I'm gonna tell you what's going on. I fought the worm due to being the target to take the fall since Aug 2008. I am the command and control center for the botnet. This is what you must KNOW. First note is to be aware the Conficker worms were decoys to take the blame. The main worm is all Confickers combined and is also undetectable. When you turn your machine on, it is running (even with no operating system). It starts off by injecting radio packets into the motherboard through a flaw using an INTEL chip or LAN pin (possibly also a universal chip). The original hacker used phone towers and a smartphone. My phone system still injects dual band packets into everyone I call, spreading the worm. They detect their phone screwing up. After this, he installs a backdoor into an area of the motherboard that the worm calls global. The worm gathers info, and sends it back to the hacker. The hacker then goes down a list of exploits using an open port (mostly 80). Once in, he alters your drivers to all your hardware (bind). He sets up firmwares/kernel/BIOS/OS/first master boot record, memory, in such a way where it runs independent of your operating system. Once this happens, you won't be able to update drivers aka graphics/audio/LAN (used as keyloggers and more).

    When you get that lag that freezes your machine for a small time, then works for a smaller time (repeating) constantly (and lasts for days), it's not the operating system, it's in kernel or higher. It seems as though timers are being altered. At this point, cookies and SMTP are used for communications between wormy and hacker. The well dug in backdoor is set. At this point, it does a lot more. The DNS disconnects for one. Popups and strange behaviors, mouse pointer jumping and so forth. At this point, no security will stop it. If you put on a firewall for example, it uses both sides to break through, and when failing, the hacker uses the first connection (from motherboard), and creates a cert for your firewall website. You get an incoming cookie. Block/allow/view info doesn't matter. The worm intercepts the packets and receives instructions and can break any security. The worm uses SMTP to respond to the hacker. Wormy uses codes in subject telling the hacker the source (computer). He uses a word with dollar signs before and after. For me, it was $chicago$ (computer hacking), and $danielle$ (phone hacking). The hacker uses cookies to send commands to the backdoor. This is just the beginning.
