A leading security researcher today published perhaps the best evidence yet showing a link between Chinese hackers and the sophisticated cyber intrusions at Google, Adobe and a slew of other top U.S. corporations late last year.
In mid-December, Google discovered that its networks had been breached by attackers who appeared to be coming from China. A Wall Street Journal article cited researchers saying the attacks — dubbed Operation Aurora — were launched from six Internet addresses in Taiwan, which experts say is a common staging ground for Chinese espionage.
While Google itself has said that the attacks “originated in China,” experts have been quick to point out that attackers commonly route their communications through faraway computers, and that the real attackers may be located anywhere in the world. But new clues about the origins of the malicious software that was used to exploit the as-yet unpatched Internet Explorer vulnerability suggest that the exploit was in fact assembled by Chinese programmers.
The evidence comes from forensic work published today by Joe Stewart, director of malware research for Atlanta-based managed security firm SecureWorks. Stewart said he found that a snippet of the source code used in the backdoor Trojan horse program planted by the exploit (called “Hydraq” by various anti-virus companies) matched a source code sample that was detailed in a Chinese-language white paper on mathematical algorithms used in electronics.
Stewart said a Google search for one of the key text strings in that code sample shows that it is virtually unknown outside of China, and that almost every page with meaningful content concerning the algorithm is written in Chinese.
Stewart deduces that the Aurora code base originated with someone who is comfortable reading simplified Chinese.
“Although source code itself is not restrained by any particular human language or nationality, most programmers [tend] to reuse code documented in their native language. To do otherwise is to invite bugs and other unexpected problems that might arise from misunderstanding of the source code’s purpose and implementation as given by the code comments or documentation.”
He concludes that the use of this unique programming implementation in Hydraq “is evidence that someone from within the [People’s Republic of China] authored the Aurora codebase. And certainly, considering the scope, choice of targets and the overwhelming boldness of the attacks (in light of the harsh penalties we have seen handed out in communist China for other computer intrusion offenses), this creates speculation around whether the attacks could be state-sponsored.”
Ironically, if indeed the code was developed by Chinese hacking groups or the Chinese government and intended for use as a weapon against American companies, Chinese Windows users may have the most to lose from the public exploitation of this vulnerability.
That’s because massive numbers of Internet users in China still use Internet Explorer 6, the version of IE most at risk from this flaw. According to current figures gathered by StatCounter, nearly 60 percent of computer users in China browse the Web with IE6 (see chart below). By comparison, StatCounter states that only about six percent of U.S.-based Internet users still browse the Web with IE6.
This becomes even more significant when you consider that the Aurora exploit is now showing up on hugely popular Chinese Web sites, said Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham. Warner shared evidence with krebsonsecurity.com that one of China’s most-visited anime sites was recently hacked and seeded with the Aurora exploit, serving those who visited with IE6 a Trojan that dropped at least 32 different malicious programs, including password stealers and tools used to enlist infected PCs in coordinated, distributed cyber attacks.
“Tens of thousands of people got hit by this, and the malware that got installed was just incredible,” Warner said. “There is just a lot of active exploitation going on in the Chinese market right now, and part of that is because there’s a much larger use of IE6 there than there is over in the United States.”
Microsoft said today that it plans to issue an emergency update on Thursday to address the Internet Explorer vulnerability. Krebsonsecurity.com will have more details on that update shortly after it is released, probably around 1 p.m. or 2 p.m. ET.