Earlier this week Google announced that they had uncovered a very sophisticated and highly targeted attack that was traced and found to have originated in China. The mid-December attack specifically targeted Google accounts used by human rights activists. Reports have stated that the email account address and the subject lines of the emails may have been compromised (read by the hackers), but the bodies of the emails were not accessed. The investigation into the Google event quickly expanded and found 33 other organizations that experienced very similar security incidents. Organizations in the subsequent incidents were said to include those in the Internet infrastructure, finance, technology, media and chemical sectors.
As news of the Google hack began to leak out, a group of hackers attacked Baidu, the main Chinese search engine, and shut down the site for about four hours. The attackers were able to modify the DNS server data and refresh the cache so the change took effect immediately. Anyone who typed baidu.com into their browser was redirected to a site that displayed the Iranian national flag and the message: "This site has been hacked by the Iranian Cyber Army." The Iranian embassy in Beijing flatly rejected any speculation that Iran was behind the Baidu cyber attack. They went as far as to warn that someone (U.S. undertone) may have used the attack to damage relations between China and Iran.
We believe these two incidents are connected. Using Scenario-Based Intelligence Analysis (SBIA) we have established the following as the most probable circumstances surrounding these two incidents. Groups of hackers within a cyber militia, or cyber vigilantes, became outraged by the attacks on the Internet icon Google. This would be characteristic of hacker behavior (retaliatory). Cyber vigilantes, taking matters into their own hands, may have launched the attack on DNS servers that redirected Internet traffic from Baidu to a web site they had prepared with the Iranian flag and statement, making it look like the attack was initiated by Iranians. Back in June of 2009 the Iranian Cyber Army was thought to be behind an attack on Twitter's DNS records, in a defensive move to halt a DDoS by the opposition party after a highly contested election. The characteristics of this attack do not fit the operational profile of Iran's Cyber Army.
The primary goal of the attacks from China was to access the Gmail accounts of Chinese human rights activists.
The attack was complex and technically sophisticated, both hallmarks of past attacks attributed to China.
While Iran certainly has the capabilities to have carried out the Baidu attack, this type of attack does not really fit the Iranian cyber profile.
We may never know the real story behind both of these attacks. This is yet another example of the attribution problem we face when addressing the complex issues that arise when trying to discover who is really behind a cyber attack. It is a clear example of the blur of cyber war. Private-sector targets attacked by governments, militaries, terrorists and others complicate the issue of determining what constitutes an act of cyber war.