Sophistication, severity of attacks on Google raise visibility of advanced persistent threat

The recently disclosed hacking attacks suffered by Google and many other companies are noteworthy not just for the high profile of the victims, but also for the sophistication of the attacks, which have been described as a combination of highly targeted phishing attempts coupled with exploits of software vulnerabilities in popular programs, notably Microsoft Internet Explorer (to be clear, while Microsoft has acknowledged that IE vulnerabilities were likely used, there is no confirmation that Adobe products were exploit vectors in the attack; iDefense originally asserted that Adobe Reader was used to effect the attack, but upon further investigation subsequently withdrew that claim). Even had no zero-day exploits been used in the attacks, the specificity of the phishing messages and of the recipients to whom they were addressed apparently greatly enhanced the success of the attack. The reported use of different malware payloads sent to different intended victims, and the preparatory step of gathering specific recipient email address lists, both differentiate these “spear-phishing” attacks from run-of-the-mill phishing attempts that rely on mass distribution.

Some security experts have pointed to the Google-China incident as the most visible recent example of the “advanced persistent threat,” in this case represented by whatever hacking capacity (whether explicitly government-sponsored or otherwise) was able to carry out the attacks. TaoSecurity blogger Richard Bejtlich is among the leading online voices drawing attention to the problem of the advanced persistent threat, having noted in the past that even where this sort of threat is acknowledged it is not always specifically identified or described with the same terminology. As described by security services and incident response product vendor Mandiant, the advanced persistent threat is characterized more by its “perseverance and resources” than by its use of special or unique attacks, and it therefore requires a commensurate level of sustained defensive and responsive activity from the organizations it targets. The attacks on Google show evidence of significant resources dedicated to preparing for and executing the intrusions, and, perhaps more troubling, show a level of creativity in crafting new and unique attacks that may make them even harder to defend against. Lastly, the key weaknesses exploited in the attacks on Google and others were not in the target organizations’ network or systems infrastructure; instead they were human (user) and technical vulnerabilities on the client side, exploited through ancillary attack vectors such as targeted email and browser exploits. The continued analysis of and response to this incident, including the State Department’s announced intention to issue an official protest on behalf of the U.S., suggests that these attacks have raised the bar on cybersecurity, likely for the foreseeable future. Only time will tell whether this results in permanent, tangible changes in the tools, tactics, or approaches used in cybersecurity.