Google’s revelation of China-based hacker attacks against it and many other major companies shines the spotlight on today’s top Internet threat: the targeted attack.
In response to an assault that went after the Gmail accounts of Chinese human rights activists, Google yesterday made the jaw-dropping assertion that it would seek to stop censoring search results on its Google.cn site. If it can’t come to an agreement to do so with the Chinese government, which Google indirectly implicates as the source of the spying attempt, the company says it may shutter the site altogether.
The potential for Google to turn its back on one of the world’s most fought-for markets reflects the brazen nature of the attacks. At least 20 other major companies were also hit according to Google, and Adobe posted that it too was a target. Last night, Secretary of State Hillary Clinton posted a statement saying “we look to the Chinese government for an explanation.”
And it’s all because of targeted attacks.
As the name suggests, the carefully crafted assaults differ from the net-cast-wide malware most often seen. A targeted attack specifically selects its victim and generally sends an e-mail using that person’s name and perhaps business title. The body of the message might reference an attached list of business contacts, or describe it as an invoice, or use any other hook that would allay suspicion and convince the victim to double-click the attachment.
Opening the file launches the assault, which begins by hunting for a specific flaw in the software used to read that type of attachment. The Google attack likely used a .pdf attachment, according to antivirus maker F-Secure, and may have gone after the zero-day security hole that Adobe just patched up yesterday.
Zero-day flaws are pure gold for targeted attacks because there isn’t yet any patch available to fix the flaw. If the software is installed, it’s guaranteed to be vulnerable. And if a double-clicked poisoned e-mail attachment successfully exploits a zero-day flaw (or any other unpatched hole), it gets to run any command on the victim PC, such as installing a data-stealing Trojan. Adobe’s software has had more than its fair share of zero-days, but they also pop up in other programs such as PowerPoint.
At that point you can only hope that your antivirus program detects the threat, but then again the odds are in favor of the targeted attack. Part of the care that goes into crafting the attacks typically involves scanning them with multiple antivirus products to make sure they aren’t detected before sending them out.
For these most dangerous threats, the most common security advice – keep all your software patched, use a good antivirus program – won’t be of much use (though it will still go a long way towards protecting you against most threats). Using alternate programs for reading pdf’s and other common attack attachments can help, as can taking the manual step of checking with the supposed sender before opening an attachment. Again, targeted attacks are thankfully rare, but as Google, Adobe and the other victims here can attest, they sure do exist.
And they’ll certainly continue to be used. After all, it’s far easier to whip up a tailored piece of malware and send it in an e-mail than it is to get a human spy into a target company or government agency. Welcome to the age of digital espionage.