Washington Post Staff Writer
Wednesday, April 21, 2010
The hackers who penetrated the computer networks of Google and more than 30 other large companies used an increasingly common means of attack: duping system administrators and other executives who have access to passwords, intellectual property and other information, according to cybersecurity experts familiar with the cases.
“Once you gain access to the directory of user names and passwords, in minutes you can take over a network,” said George Kurtz, worldwide chief technology officer for McAfee, a Silicon Valley computer security firm that has been working with more than half a dozen of the targeted companies.
Kurtz and others said hackers are mounting ever more sophisticated and effective attacks that often begin with a ruse familiar to many computer users — a seemingly innocuous link or attachment that admits malicious software.
The attacks were publicized in January when Google, one of the world’s most advanced tech firms, announced that intruders had penetrated its network and compromised valuable intellectual property. Google asserted that the attacks originated in China; Chinese officials say they are investigating.
The New York Times reported on its Web site Monday that the Google theft included source code for a password system that controls access to almost all of the company’s Web services.
But the cyber-espionage campaign went far beyond Google, targeting companies with apparently strong intrusion-detection systems, including Adobe, Northrop Grumman and Yahoo, industry sources said.
A decade ago “it was the bad guys burrowing in, breaking through a firewall from the outside,” Kurtz said. “Now, in essence, what they’re doing is having good people on the inside unwittingly connect out to a malicious Web site where their machines can be infected.”
Once a hacker can impersonate a system administrator or a senior executive, it becomes difficult to identify the attackers. “Many of these other companies don’t know if source code has been stolen because the hackers have assumed the identities of people whose passwords have been stolen,” Kurtz said.
The hackers’ goal, industry officials and analysts said, is to obtain information that benefits China in strategic industries and in areas where the country seeks an advantage over U.S. firms.
“The bottom line here is if your company has any business dealings with China or has extremely valuable technology or intellectual property, you have a high likelihood of being a target,” said Rob Lee, a director with Mandiant, a security firm that is working with some of the targeted companies.
He said he believes the same group or groups that have targeted Google and the other companies have penetrated “hundreds if not thousands” more firms. They target not only system administrators but anyone with privileged access to a company’s network, he said.
Figuring out whom to target and how is the result of research, said Shawn Carpenter, a principal forensics analyst at the security firm NetWitness, whose former job involved trying to hack into government agencies’ Web sites to help them find their weak spots. “One of the first things we do is build up a dossier,” he said. “What conferences has this person spoken at? What people do they know? Are they likely to open up this type of e-mail attachment if I spoof it as coming from a person who has sat on a panel with them?”
The essence of the attack is “exploiting those human tendencies of curiosity and trust,” Carpenter said.
The targeting of personnel is only one aspect of a larger, more sophisticated operation that involves planning the mode of attack, reconnaissance inside a company’s network, deciding what type of data to go after, and harvesting and analyzing the data, experts said.
“There’s a life cycle of activities that occurs, involving many steps, both with human intelligence and electronic intelligence, to ultimately penetrate these organizations,” said Eddie Schwartz, NetWitness’s chief security officer. “When you’re combining all of these techniques, this is the work of a highly organized group or groups that has specific targets in mind.”
Staff researcher Julie Tate contributed to this report.