In the wake of the highly publicised “highly sophisticated and targeted” attacks on Google, at least three major governments have issued advisories urging their citizens to switch browsers away from Microsoft Internet Explorer. A well-known security company has redesigned their web sites to include a large ominous “Operation Aurora” graphic (that links to trial downloads of pre-existing software). The attacks have been described as “changing the world” by the CTO of that same security company and as “something quite different” by Google.
How much of this is real, justified and proportionate?
So what do we know so far? Well, according to Google, “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google”. They go on to say, “As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies”.
Subsequent external conjecture, comment and analysis has blamed unpatched vulnerabilities in Internet Explorer and also in Acrobat Reader. The malware involved has been identified both as variants of the Hydraq Trojan and also as new malware, dubbed by McAfee as Roarur.dr and as TROJ_PIDIEF.SHK. The attack vectors have been identified as mail with malicious PDF attachments and drive-by downloads.
Google, who were hit by the zero-day vulnerability in Internet Explorer, state that at least 20 other companies were victimised, and iDefense, who have customers who were hit by the zero-day vulnerability in Acrobat Reader, state that 33 companies were affected.
The motivation for the attack has been described both as an attempt to steal intellectual property and also as an attempt to breach the security of email accounts belonging to Chinese human rights activists. The attacks “appear to have been launched from at least six Internet addresses located in Taiwan” according to James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc.
“Changing the world”? I say not.
The attacks are not the first to use zero-day vulnerabilities; in fact, we have most often seen zero-day exploits being used first in targeted attacks before becoming more widely spread and widely abused.
The attacks are not the first to use drive-by download or malicious PDF attachments to achieve their goal.
The attacks are not the most complex multi-component system yet seen; if you want complex, look at Koobface!
This is not the first time that warnings have been given to use alternative browsers until a patch becomes available.
This is not the first time that the finger has been pointed at China for a widespread globally distributed espionage attack.
There is no doubt that this attack, or these attacks, is methodologically sophisticated. The bad guys were visibly successful at delivering their malicious payloads to the right people in the right companies to get access to things like source code and email accounts, but I don’t see anything here that changes the world.
Social engineering, lack of awareness of the threat landscape, a willingness to share too much information and the highly developed underground economy will all have contributed to the possibility and the success of these attacks.
What can companies and individuals do to try to avoid falling victim to these kinds of attack?
- Educate yourselves and your users: clicking a link or opening a PDF is enough to infect you, even on a fully patched system.
- That being said, make sure all applications and systems are fully patched; if that is not possible, use host-based intrusion prevention to “virtually patch” systems and to secure against zero-day exploits.
- When an unpatched vulnerability is identified, be sure to follow vendor advice to minimise the risk as soon as possible.
- Encrypt valuable personal and intellectual property at file level; that way, even if it is stolen, it is of limited value or use.
- Consider the deployment of data leakage prevention technologies that will recognise and stop sensitive content from leaving your network.
- Rethink your security model from an outside-in approach to an inside-out one. Secure data, secure access rights, secure applications. Your perimeter only exists on a network diagram.
- At the risk of repeating myself, educate your users not to share too much personal information regarding employers, job roles and contact details. Currently far too many targets are far too visible.
- Don’t let Chicken Little run your security.
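Since malicious PDF attachments were one of the two delivery vectors named above, a mail-gateway triage check is a practical complement to user education. The following is an added example, not code from the original post or from any vendor it mentions: it counts the PDF name objects that give a document automatic-on-open behaviour or script/launch capability, and holds the attachment for analyst review when both kinds are present. The keyword set, the hex-escape handling and the two sample documents are constructed for illustration; the check is a heuristic for quarantining, not proof of exploitation.

```python
import re

# Name objects worth flagging in an inbound PDF. Constructed list for this
# example: the classic triage indicators (automatic actions and active content).
SUSPICIOUS_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia",
)
AUTO_NAMES = {"/OpenAction", "/AA"}                 # run something when opened
ACTIVE_NAMES = {"/JavaScript", "/JS", "/Launch",    # what gets run
                "/EmbeddedFile", "/RichMedia"}

# PDF names may spell characters as #xx, so /J#61vaScript is /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names are matched like plain ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return indicator counts for an attachment plus a quarantine verdict."""
    result = {"is_pdf": data.startswith(b"%PDF-"),
              "indicators": {}, "quarantine": False}
    if not result["is_pdf"]:
        return result
    text = normalize_names(data)
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /AA does not match /AAB etc.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, text))
        if count:
            result["indicators"][name.decode()] = count
    found = set(result["indicators"])
    # Hold the mail only when an automatic trigger is paired with active content;
    # either alone is common in legitimate documents (forms, attachments).
    result["quarantine"] = bool(found & AUTO_NAMES) and bool(found & ACTIVE_NAMES)
    return result


# Constructed sample documents (minimal, not valid for rendering).
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Count 1 /Kids [3 0 R] >> endobj\n%%EOF")
SUSPICIOUS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
                  b"5 0 obj << /S /J#61vaScript /JS (constructed sample) >> endobj\n%%EOF")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(doc))
```

Counting rather than merely testing presence lets an analyst see at a glance how much active content a document carries, and the normalisation step matters because a name-object check that skips hex escapes is trivially bypassed by a sender who spells `/JavaScript` as `/J#61vaScript`.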