Google (GOOG) disclosed Wednesday that hundreds of Gmail accounts, including those of senior U.S. officials and Chinese political activists, were targeted in a concerted hacking campaign originating from Jinan, China.
Unlike a series of cyber attacks from China last year, Google said the goal this time was not its own central systems, but the individual accounts of users of its e-mail service. The attacks, which Google said also targeted government officials in South Korea and other Asian nations, military personnel and journalists, were likely the result of “phishing” attempts, in which the attacker dupes users into sharing passwords.
There were no indications Wednesday that the latest round of attacks would prompt any change in Google’s operations in China. Nor was there evidence of Chinese government involvement, although some analysts speculated Chinese officials could be indirectly involved.
“We have more than 500 employees and hundreds of partners in China and we plan to continue to work there,” Google said in a written statement provided to this newspaper.
Google said the latest attacks, which gained access to an undisclosed number of accounts before they were detected, were intended to spy on the private e-mail conversations of U.S. and foreign government officials, political dissidents, journalists and others. The phishing campaign is being investigated by the FBI and other federal agencies.
“We are working with Google and other U.S. government agencies to review this matter further to identify the origin of this campaign and to see what information may have been compromised,” the FBI said in a written statement released Wednesday. Neither Google nor an FBI spokeswoman would comment on which senior U.S. officials were targeted.
This particular attack used a method called “spear phishing” in which the attacker uses small bits of real information to trick someone into sharing access to their email account. In this case, government officials received a message in their personal Gmail account that appeared to come from the address of a close associate or collaborating government agency, according to an analysis cited by Google as one way it discovered the latest Chinese attacks.
The messages were crafted to appear like they had an attachment with links such as “View Download” and a name of the supposed attachment. However, the bogus link led to a fake Gmail login page, which the cyber-criminals used to obtain passwords.
Google “did their own extensive investigation,” said Mila Parkour, who wrote the malicious software analysis cited by Google. “The attack started probably a year before if not longer.”
Google said in a posting to its official blog Wednesday afternoon that it had detected and disrupted “this campaign to take users’ passwords and monitor their emails,” and had already “notified victims and secured their accounts,” as well as alerting authorities.
“The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords” to gain access to Gmail accounts, the company said in its post. Google said it was not accusing the Chinese government: “We can’t say for sure who is responsible,” a Google spokesman said.
Last year’s cyber attacks broke into Google’s computer security infrastructure and resulted in the theft of the company’s intellectual property, allowing the attackers to gain access to the Gmail accounts of Chinese activists in the U.S. and other countries. According to an investigation by the New York Times, the attacks originated in several schools in Jinan province. That intrusion helped precipitate Google’s decision that it would no longer comply with the Chinese government’s rules that it censor politically sensitive results from its Internet search results. It moved its search service to Hong Kong.
Chinese government officials have vehemently denied involvement in earlier attacks.
Security experts who specialize in protection against cyberattacks that originate in other countries said that even though the latest attacks targeted political activists, it may be impossible to ever prove whether the Chinese government played any role in the latest attacks.
In some cases, said Larry Ponemon of the Ponemon Institute, a Michigan-based computer security consulting company, the governments of China and other nations may shelter cybercriminals in exchange for the information they steal from U.S. networks or individual accounts. While many phishing campaigns target large groups in hopes of finding a few victims, these attacks targeted specific high-value targets.
“It could be a dark alliance where the syndicate is allowed to operate, reminiscent of the (historical) privateers that became pirates,” Ponemon said. “China is pretty bold. They are actually educating people to be really good hackers, to be really good cyber-criminals.”
Typically, Ponemon said, people may be slightly less guarded about their personal email accounts.
“They are going after people of consequence whose information might be valuable. That’s the scary part.”
Parkour also believes it likely the Chinese government was involved.
The same people “are after sensitive corporate, military and government data,” she said in an email message. “They might be foreign government sponsored directly, on payroll, or indirectly, selling what they find to willing buyers.”
Google on Wednesday urged its users to take safety precautions such as using its two-step verification feature for Gmail, and to use a password that they would not use for any other account but Gmail.
Google “will never ask you to email your password or enter it into a form that appears within an email message,” the company said.