Skip to main content
Part of complete coverage on

Study: Google-China attack driven by amateurs

By Kevin Voigt, CNN
The 'botnet,' or computer network used by hackers to deploy the Google attack, used software code that was five years old -- ancient by programming standards.
The 'botnet,' or computer network used by hackers to deploy the Google attack, used software code that was five years old -- ancient by programming standards.
  • Study: Google-China computer attack appears to have been deployed by amateurs
  • The "botnet" used to deploy attack used unsophisticated software with five-year-old code
  • Researcher: "I would say this particular botnet group was not well funded" or state-sponsored

Hong Kong, China (CNN) -- The computer attack which led Google to threaten leaving China and created a firestorm between Washington and Beijing appears to have been deployed by amateurs, according to an analysis by a U.S. technology firm.

"I would say this particular botnet group was not well funded, in which case I would not conclude they were state sponsored, because the level of the tools used would have been far superior to what it was," said Gunter Ollmann, vice president of research at Damballa, an Atlanta-based company that provides computer network security.

However, Ollmann points out that the attackers -- who emanated from China -- could have been contracted by outside parties to launch the attack. And while the deployment of the attack wasn't sophisticated, the Internet Explorer software vulnerability it exploited to infiltrate Google was.

On January 12, Google charged that Chinese hackers targeted Google and more than 20 other Western companies in December and e-mail accounts of Chinese dissidents abroad had been compromised. As a result, Google threatened to pull its operations out of China, which has the most Internet users in the world.

The incident launched a diplomatic spat between Beijing and Washington, including a January 21 speech by U.S. Secretary of State Hilary Clinton on Internet freedom in which she decried an "information curtain" descending on the world.

McAfee Security Insights blog called the Google incident a "sophisticated, multi-vector attack."

Critics allege that the attacks were sponsored or condoned by the Chinese government, something Beijing has strongly denied. "I would like to emphasize that accusations that say the government support hacking activities are groundless and are of ulterior motives," said Qin Gang, spokesperson for the Ministry of Foreign Affairs, at a February 23 press conference.

This team launching the attack were unsophisticated amateurs
--Gunter Ollmann, Damballa vice president of research
  • China
  • Google Inc.
  • Censorship

On the face of it, research by Damballa appears to support Beijing's claims.

If the security hole in Internet Explorer was the smoking gun of the attacks, what Ollmann and his researchers looked at was "the occupants and driver of the getaway van," he said. They analyzed the global network of computers that attackers remotely used to deploy the attack, called a "botnet" -- computers that, unbeknownst to owners, are taken over remotely and used to spread malicious software, or malware.

What Damballa researchers found in the Google attack botnet was less '007' and more 'DIY,' using software that could be found and downloaded widely on the Internet. "This team launching the attack were unsophisticated amateurs," Ollmann said.

The botnet used in the attack began being tested in July, nearly six months before the attack, according to Damballa analysis.

He added, "Some of the codes within the malware were at least five years old" -- ancient, by software development standards. The attackers used technology "that had been abandoned by professional botnet operators years ago," he said.

The findings seem to support evidence that the attacks were promulgated by patriotic hackers in China rather than a government-sponsored conspiracy. But in the murky world of cybercrime, motives are often hard to pin down.

The program that took advantage of the flaw found in the Internet Explorer software has been traced to two educational institutions in China, including one with alleged close ties to the military, the Financial Times reported.

China dismisses these reports. "The two schools have issued clarification statements stating they are not involved in the Internet hackings," said Qin, the foreign affairs spokesperson, on February 23. "The reports on the hacking are completely not true and groundless."

Cybercrime experts say that governments sometimes direct or encourage illegal botnet operators to launch attacks. When Russia and Georgia fought in August 2008, there is evidence that outside groups were contracted to help launch cyber attacks on Georgia's information systems, said Eugene Spafford, a computer security specialist at Purdue University who has advised two U.S. presidents and numerous companies and government agencies

Added Ollmann, "The way that any small botnet operator profits is to extract valuable information that they sell, or the second route is to sell or rent the machines they have access to."

But a spokesperson for the Committee of the Chinese People's Political Consultative Conference -- China's powerful political advisory body -- told reporters Tuesday that China does not tolerate hackers.

"Chinese laws and regulations strictly prohibit hacker attacks of any kind, and have laid down legal punishment for those offenders," said Zhao Qizheng, according to state press. "I myself have been attacked by hackers, and I strongly detest hackers."