by AMIR EFRATI And SIOBHAN GORMAN
June 2, 2011
Google Inc. said Chinese hackers targeted the email accounts of senior U.S. officials and hundreds of other prominent people in a fresh computer attack certain to intensify growing concern about the security of the Internet.
The victims, including government and military personnel, Asian officials, Chinese activists and journalists, were tricked into sharing their Gmail passwords with "bad actors" based in China, Google said in an unusual blog post. The attack's goal was to read and forward the victims' email.
The company, which in 2010 blamed China for an attack on its computer networks, said it recently discovered the Gmail campaign, which "appears to originate from Jinan, China," and targeted specific individuals.
In Washington, the Federal Bureau of Investigation and Department of Homeland Security said they were working with Google to investigate the attacks. "We have no reason to believe that any official U.S. government email accounts were accessed," said Caitlin Hayden, a spokeswoman for the National Security Council.
Jinan, a large city about 250 miles south of Beijing, is home to one of the People's Liberation Army's technical reconnaissance bureaus, which serve as arms of China's equivalent of the National Security Agency, according to a 2009 report from a committee created by Congress to study China.
The goal of the latest hijacking campaign "seems to have been to monitor the contents of the these users' emails" wrote Eric Grosse, an engineering director on Google's security team, in Wednesday's blog post. He said Google's system wasn't hacked, rather users were duped. He said the company notified victims of the hijackings, secured their accounts and "notified relevant government authorities."
Google, which claims more than 200 million users for its free, Web-based Gmail email service, declined to comment on the identities of the affected individuals, how it traced the attacks to Jinan or who may be behind the incident.
The latest attack continues a troubling wave of incidents involving corporate and government computer networks, which have exposed private information of millions users and raised fears about the safety of government secrets. Last week, defense contractor Lockheed Martin Corp. said it had detected a significant attack against its computer networks.
A Microsoft Corp. spokesman said the company wasn't aware of any similar attacks targeting the customers of its Hotmail email service, but added "phishing attacks are a persistent industry challenge." A Yahoo Inc. spokeswoman declined to comment on whether Yahoo users were similarly targeted but said "we take security very seriously and we would take appropriate action in the event of any kind of breach."
Google's latest disclosure didn't mention the possibility of involvement by the government of China. Google's systems have been repeatedly targeted by Chinese hackers since the successful attack in December 2009, said a person familiar with the matter. Chinese officials have denied any connection to attacks on Google or other companies.
By disclosing the latest attacks originated in Jinan and targeted U.S. officials, Chinese human-rights activists and other people "who would only be of interest to the Chinese government," it appears "Google is pointing their finger at them," said Alex Stamos, chief technology officer at security firm iSEC Partners.
Jinan is also home to the Shandong Jinan Lanxiang Vestibule School, a vocational school that teaches computer training. The school has been a source of past attempts to launch targeted email attacks on a defense contractor, said James Mulvenon, a cybersecurity specialist who focuses on China.
The school at one point held the Guinness world record for having the largest number of people online, Mr. Mulvenon noted. "If I were looking for a place to use as cover [for an attack], this would be a good place," he said.
A woman who answered the phone in the administrative office of the school said the issue had nothing to do with the school.
In response to the 2009 attack, Google in 2010 moved its mainland Chinese search service to Hong Kong and stopped obeying the Chinese government's requirement to censor results, which Google had been following since 2006. China's own Internet filters now censor Google's searches for users in China.
Eric Schmidt, Google's chairman, said Tuesday the company has made improvements to its security systems since the 2009 attack. "Google is massively more protected than we were a year ago," he said, during an interview at the The Wall Street Journal's "D9: All Things Digital" conference.
Mr. Schmidt said Google had discovered "lots of other companies were attacked in similar ways," suggesting many firms don't report such incidents. "It is better to be transparent about these things," he said.
Google's latest blog post said that to uncover the phishing campaign, the company partly relied on a public blog post by an independent researcher, Mila Parkour, who wrote in February that Gmail users were being targeted and posted examples.
In a post on Feb. 17 on her website, called Contagio Malware Dump, Ms. Parkour wrote that the attack "is far from being new or sophisticated" but she wanted to post information about it "due to the particularly invasive approach."
Victims of the attack received "spoof" emails from what appeared to be their trusted contacts or employees of the U.S. State Department or Defense Department, she said. The emails had links to a fake Gmail login page that the scammers used to collect the users' passwords once they tried to log in again.
The targeted recipients were "government and non government employees working on questions of defense, political affairs, national security, defense/military personnel," she said, adding the campaign began more than a year ago.
Phishing attacks account for about 20% to 30% of email hijackings, estimated Mr. Stamos. "Spear phishing," which targets specific individuals, is harder for companies to detect, he added. He expects Gmail's new security upgrades, which help prevent such attacks by letting Google recognize the user's primary mobile device or computer that is used to access the account, will become a standard among online email providers.