VeriSign's iDefense security lab has published a report with technical details about the recent cyberattack that hit Google and over 30 other companies. The iDefense researchers traced the attack back to its origin and also identified the command-and-control servers that were used to manage the malware.
The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator.
Emphasis is my own, but I wanted to ensure that those reading this immediately saw that it was China behind these attacks.
Citing sources in the defense contracting and intelligence consulting community, the iDefense report unambiguously declares that the Chinese government was, in fact, behind the effort. The report also says that the malicious code was deployed in PDF files that were crafted to exploit a vulnerability in Adobe's software.
"The source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof," the report says.
In other words, these attacks weren't carried out by people who just-so-happened to be Chinese citizens; but were carried out by, or at least encouraged by, the Chinese government.
Later in the article, there's an update stating that it appears the attacks did not use specially crafted PDFs but most likely an unpatched vulnerability in Microsoft Internet Explorer.
I'd bet that there's probably a 0day exploit floating around for every 10 lines of code in IE. It's just pathetic. The single biggest recommendation that I offer all of my friends and family is to not use IE if they value their computer and its data. I tell them that by using Firefox -- which is not without its own security issues -- instead of IE, that it's the single most effective action they can take to avoid malware on their systems.
"The servers used in both attacks employ the HomeLinux DynamicDNS provider, and both are currently pointing to IP addresses owned by Linode, a US-based company that offers Virtual Private Server hosting. The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other," the report says. "Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July."
"Six IP addresses apart" usually means the same /29 or /28. If the two addresses happen to straddle an aligned block boundary the smallest common prefix is shorter than that, but either way they are neighbouring addresses inside one Linode range, which is what makes the link between the two attacks plausible.
On my home network, I typically block all subnets handled by APNIC, using either Linux netfilter on the firewall, or regex pattern matching via a Squid proxy. This is using a cannon to kill a mosquito, and would definitely not work in the enterprise, but it works fine for my own personal protection. I have no need to visit any sites hosted on APNIC addresses as I cannot read any language other than English.
Unfortunately, my tendency to block wide swaths of IP space would not have protected my home computers from becoming zombies in this attack. It appears that the C&C servers were hosted in the U.S.
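Two of the points above lend themselves to a worked example: the subnet arithmetic behind "six IP addresses apart", and why a registry-wide APNIC block does nothing against a C&C server hosted in the US. The Python below is an added example, not code from the original post or from iDefense. The APNIC ranges in it are a constructed sample standing in for the registry's published delegation list, and the "US-hosted C&C" address is taken from the 192.0.2.0/24 documentation range, not a real Linode address. The generated nftables and Squid fragments are the CIDR-based equivalents of the netfilter and regex approaches mentioned above.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample of registry-administered blocks (assumption: stands in
# for the real APNIC delegation list). 1.2.0.0/16 is deliberately nested
# inside 1.0.0.0/8 to show the collapse step in blocklist().
SAMPLE_APNIC_BLOCKS: List[str] = ["1.0.0.0/8", "1.2.0.0/16", "14.0.0.0/8"]

# Constructed stand-in for a US-hosted C&C address (documentation range,
# not a real Linode address).
US_HOSTED_C2 = "192.0.2.10"


def smallest_common_network(a: str, b: str) -> ipaddress.IPv4Network:
    """Smallest CIDR block that contains both IPv4 addresses.

    The answer depends on alignment, not just distance: two addresses six
    apart share a /29 if they sit inside one aligned 8-address block, a /28
    if they straddle a /29 boundary, and a shorter prefix still if they
    straddle a /28 boundary.
    """
    x, y = ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)
    differing = int(x) ^ int(y)
    prefix = 32 - differing.bit_length()  # number of leading bits in common
    return ipaddress.IPv4Network((int(x), prefix), strict=False)


def blocklist(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings and merge nested or adjacent ranges into a minimal set."""
    nets = (ipaddress.IPv4Network(c, strict=False) for c in cidrs)
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside any blocked range."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)


def nft_ruleset(nets: List[ipaddress.IPv4Network], set_name: str = "apnic_blocks") -> str:
    """Render an nftables table that drops outbound traffic to the blocked ranges.

    An interval set is used so the kernel does a single longest-prefix lookup
    instead of walking one rule per range.
    """
    elements = ", ".join(str(n) for n in nets)
    return "\n".join([
        "table inet filter {",
        f"  set {set_name} {{",
        "    type ipv4_addr",
        "    flags interval",
        f"    elements = {{ {elements} }}",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy accept;",
        f"    ip daddr @{set_name} drop",
        "  }",
        "}",
    ])


def squid_acl(nets: List[ipaddress.IPv4Network], acl_name: str = "apnic") -> str:
    """Render Squid 'dst' ACLs: matching on the resolved destination address is
    cheaper and less error-prone than regex matching on URLs."""
    lines = [f"acl {acl_name} dst {n}" for n in nets]
    lines.append(f"http_access deny {acl_name}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Six apart, inside one aligned block -> /29
    print(smallest_common_network("10.0.0.1", "10.0.0.7"))
    # Six apart, straddling a /28 boundary -> /27
    print(smallest_common_network("10.0.0.15", "10.0.0.21"))

    nets = blocklist(SAMPLE_APNIC_BLOCKS)
    print(nft_ruleset(nets))
    print(squid_acl(nets))
    # An APNIC-range address is caught; the US-hosted C&C is not.
    print(is_blocked("1.2.3.4", nets), is_blocked(US_HOSTED_C2, nets))
```

The last line of the script is the point of the post's final paragraph: a blocklist built from one registry's address space is a geography filter, and the Aurora C&C hosts sat on a US provider, so nothing in the ruleset would have fired. The prefix function also shows that "six addresses apart" only pins the pair to a /29 or /28 when the two addresses happen to fall in the same aligned block.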