Chinese attacks like the one against Google are on pace to double this year

F-Secure CTO says it seems years of attacks are part of a single operation

By Tim Greene, Network World
March 04, 2010 12:18 PM ET
Recent Internet attacks from China against Google and other U.S. companies will more than double this year if the pace during the first two months continues, a security expert says.

This type of attack has been increasing over the past two years, with F-Secure spotting 1,968 such examples in 2008, 2,195 in 2009 and 895 so far this year, said Mikko Hypponen, chief research officer for F-Secure, who during RSA Conference held a private briefing on the attacks.

Unlike other malware attacks, these are fashioned for specific targets and are used only once. "In these cases, you are the only organizations in the world to get hit and no one else, and the attacker has done his homework," Hypponen said.

Operation Aurora, the attack against Google earlier this year, is one of thousands observed by security vendor F-Secure, but one of the few where the victim has made the incident public. Similar activity dates back at least six years targeting governments, businesses with military contracts, and non-governmental agencies advocating for human rights, he said.

Some human-rights groups are hit an average of 10 times per month, and one in particular has been attacked continuously since 2004, he said. "Whoever wants to gain access to these people's computers is very, very serious," Hypponen said.

While he has no smoking-gun evidence that China is behind the attacks, tying IP addresses to China and the massive scale and coordination of the attacks point to the Chinese government. He said it is curious that such attacks by other governments have not been sighted, given that they can be effective ways to glean information. That may be because they don't do it, or they do it in ways that are more stealthy, or perhaps they mask what they do behind Chinese IP addresses, he said.

The attacks are carried out by spear phishing someone in an organization with an e-mail that would be of professional interest. A PDF or other attachment to the e-mail contains malware that exploits a PDF weakness and launches a Trojan when the attachment is opened. The malware launch crashes the PDF reader, but the Trojan installs successfully. When the reader re-launches, a legitimate document opens, Hypponen said, making the victim think the Trojan launch and crash of the reader were just a glitch.
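The chain Hypponen describes leaves a recognizable footprint on the endpoint: the reader spawns something it normally never spawns, crashes, and is relaunched moments later. The following detector is an added example, not code from the article or from F-Secure; it runs a simple heuristic over constructed process-event log lines (the log format, the image names, and the `dropper_constructed.exe` child are all assumptions for illustration) and flags the crash-then-relaunch pattern only when the reader also spawned a non-reader child shortly before the crash, so an ordinary reader crash does not fire.

```python
"""Heuristic detector for the decoy-document pattern described in the article.

Added example (not from the article or F-Secure). A finding requires all three
of: (1) the PDF reader spawns a non-reader child, (2) the reader crashes within
`window` of that spawn, (3) the reader is relaunched within `window` of the
crash. Log format, process names and sample lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class ProcEvent:
    ts: datetime
    kind: str     # "start" or "crash"
    proc: str     # image name, lower-cased
    parent: str   # parent image name, lower-cased


# Assumed reader image names; adjust to the readers deployed in your fleet.
READERS = {"acrord32.exe", "acrobat.exe"}


def parse_events(log: str) -> List[ProcEvent]:
    """Parse constructed 'ISO-timestamp kind proc parent' lines, sorted by time."""
    events = []
    for line in log.strip().splitlines():
        ts, kind, proc, parent = line.split()
        events.append(ProcEvent(datetime.fromisoformat(ts), kind,
                                proc.lower(), parent.lower()))
    return sorted(events, key=lambda e: e.ts)


def find_decoy_chains(events: List[ProcEvent],
                      window: timedelta = timedelta(seconds=60)) -> List[Dict[str, str]]:
    """Return one finding per reader crash bracketed by a child spawn and a relaunch.

    Matching is by image name only (no PIDs in the constructed log), which is a
    simplification a production rule would tighten.
    """
    findings = []
    for crash in events:
        if crash.kind != "crash" or crash.proc not in READERS:
            continue
        # Non-reader processes the reader spawned shortly before it crashed.
        children = [e for e in events
                    if e.kind == "start" and e.parent == crash.proc
                    and e.proc not in READERS
                    and crash.ts - window <= e.ts <= crash.ts]
        # Reader relaunch shortly after the crash (the "just a glitch" cover).
        relaunch = [e for e in events
                    if e.kind == "start" and e.proc == crash.proc
                    and crash.ts < e.ts <= crash.ts + window]
        if children and relaunch:
            findings.append({
                "reader": crash.proc,
                "crashed_at": crash.ts.isoformat(),
                "child": children[0].proc,
                "relaunched_at": relaunch[0].ts.isoformat(),
            })
    return findings


# Constructed sample: one malicious chain at 10:01, one benign crash at 11:30.
SAMPLE_LOG = """
2010-03-04T10:00:00 start outlook.exe explorer.exe
2010-03-04T10:01:12 start AcroRd32.exe outlook.exe
2010-03-04T10:01:14 start dropper_constructed.exe AcroRd32.exe
2010-03-04T10:01:15 crash AcroRd32.exe outlook.exe
2010-03-04T10:01:20 start AcroRd32.exe explorer.exe
2010-03-04T11:30:00 start AcroRd32.exe explorer.exe
2010-03-04T11:30:05 crash AcroRd32.exe explorer.exe
2010-03-04T11:30:10 start AcroRd32.exe explorer.exe
"""


def example_findings() -> List[Dict[str, str]]:
    """Run the detector over the constructed sample log."""
    return find_decoy_chains(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in example_findings():
        print(f)
```

Only the 10:01 sequence is reported; the 11:30 crash has no child spawn and is ignored. In a real deployment the same three conditions would be expressed over EDR process-creation and crash telemetry keyed by PID, with the child's signing status and path as additional context.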

Hypponen showed examples of the phishing attempts. One e-mail message purportedly written by a CNN reporter seeks an interview with the e-mail recipient and says that the attached file contains a list of questions the reporter wants to ask.

In another case the e-mail was sent to a human rights organization, and the message said the attachment contained details about how such organizations were being targeted by phishing attacks that unleash malware from attachments.

Phishing messages have been found in English and in every European language, all written as if by native speakers. "Most of us would fall for these," Hypponen said.
