Chinese Hack Tracked Back to Two Universities and an IE Exploit

Investigators at the NSA have tracked the huge online attacks that Google used as their reason for leaving the Chinese market to two universities, one with ties to the Chinese military.

If supported by further investigation, the findings raise as many questions as they answer, including the possibility that some of the attacks came from China but not necessarily from the Chinese government, or even from Chinese sources.

Tracing the attacks further back, to an elite Chinese university and a vocational school, is a breakthrough in a difficult task. Evidence acquired by a United States military contractor that faced the same attacks as Google has even led investigators to suspect a link to a specific computer science class, taught by a Ukrainian professor at the vocational school.

So this could mean a couple of things. The Chinese government could be using the school as a front for its attacks. Or it could be the work of "patriotic hackers" at the school, which has one of the best computer science programs in the world. Or the schools could have been used as a proxy by another country looking to put the blame on China.

But one thing is sure: the attacks took place through a newly discovered Internet Explorer vulnerability.

Executives at Google have said little about the intrusions and would not comment for this article. But the company has contacted computer security specialists to confirm what has been reported by other targeted companies: access to the companies' servers was gained by exploiting a previously unknown flaw in Microsoft's Internet Explorer Web browser.

Forensic analysis is yielding new details of how the intruders took advantage of the flaw to gain access to internal corporate servers. They did this by using a clever technique, called man-in-the-mailbox, to exploit the natural trust shared by people who work together in an organization.

After taking over one computer, the intruders insert into an existing e-mail conversation a message carrying a malicious attachment, which the second victim is highly likely to open because it appears to come from a trusted colleague. The attached malware then lets the intruders take over the target computer as well.

This is why you should not be running IE 6.0, you lazy companies. [NY Times]