Cyber-crime of the century

Johannesburg, 18 Jan 2010

The recent attack on Google, as well as more than 33 Silicon Valley companies, is a watershed moment in the history of cyber-crime. Firstly, Microsoft has confirmed that the attack took advantage of a zero-day vulnerability in Internet Explorer, which is extremely rare. Secondly, the "highly sophisticated and targeted attack" was sent only to senior technology leaders who had access to core pieces of intellectual property, source code, et cetera, with the objective of remaining undetected. Thirdly, Google is sufficiently confident in the evidence in the case that it has alleged the attack was carried out by agents possibly working on behalf of the Chinese government.

This attack lays bare the degree to which China and the United States are engaged in daily cyber-battles costing billions of dollars a year. In the shadows of the Internet, it is impossible to tell the difference between a cyber-criminal and a state-sponsored cyber-spy, especially because the Internet allows hackers to crisscross borders and time zones in seconds.

This is not the first time Beijing has been accused of state-sponsored espionage. Over the past five years, China has been implicated in dozens of attacks involving commercial, government and military targets. In April 2009, it was revealed that computer spies had broken into the Pentagon's $300 billion Joint Strike Fighter project, and were able to copy and siphon off several terabytes of data related to design and electronics systems.

What is different in this instance is that Google engineers were able to take control of a server in Taiwan that was the source of the attack, and show that not only American defence and high-technology companies had been targeted, but also human rights activists. In addition, the level of sophistication of the attacks, combining multiple attacks against multiple targets and including a vulnerability that Microsoft had not yet patched, suggests an extremely well-funded and experienced team of hackers. And they have not been linked to any Internet banking fraud schemes!

“Everything we are learning is that in this case the Chinese government got caught with its hand in the cookie jar,” said James A Lewis, a senior fellow at the Centre for Strategic and International Studies in Washington, who consulted for the White House on cyber-security last spring. “Would it hold up in court? No. But China is the only government in the world obsessed about Tibet, and that issue goes right to the heart of their vision of political survival and putting down the separatists' movements.”

While this cyber-attack was targeted at a highly specific group of people, exploit source code has already been published on the Internet, enabling hackers to make use of this attack vector. This means that anybody using Internet Explorer could be vulnerable. In response, the German Federal Office for Security in Information Technology (known as BSI) has recommended that all Internet Explorer users switch to an alternative browser. They may resume using Explorer after Microsoft issues a fix for the critical vulnerability.

This is not a solution that is friendly to ongoing business operations; what is really needed is a more strategic approach: a security approach that focuses on continuous monitoring of networks and data, not one based solely on prevention. It is critical that organisations have in-depth incident response capabilities, not only to detect when an attack is under way but also to respond when a sophisticated attack of this nature is detected.

There is a chronic shortage of skilled personnel able to staff and manage these kinds of incident response and security operations centres. For this reason, the Information Security Group of Africa has partnered with TERENA and the European Network and Information Security Agency to host a workshop to develop the knowledge and skills needed by staff who are members of a Computer Security Incident Response Team.