The sophisticated, targeted cyberattack originated from China and “resulted in the theft of intellectual property from Google,” the search giant disclosed in a Jan 12 blog post. Much of the other details about the attack have remained a mystery.
Citing an unnamed person with direct knowledge of the investigation, the Times reported on Monday that those behind the attack managed to steal Google's password system, code-named Gaia, which controls millions of users' access to all of Google's web services, including email and other business applications.
The intruders did not steal the passwords of Gmail users, the report stated. But Google reportedly still uses the Gaia system, which now is called Single Sign-On.
A Google spokesman declined to comment on the new details of the intrusion when contacted by SCMagazineUS.com on Tuesday. He directed any questions to Google's initial blog post about the attack and a second post in March describing the company's decision to end censorship in China due to the incident.
Experts familiar with the intrusion have said it was an example of a sophisticated type of cyberattack called the advanced persistent threat (APT). These ploys use customized malware to exploit zero-day vulnerabilities and surreptitiously break into organizations with the goal of stealing trade secrets and gaining continued intelligence about victims.
According to the Times report, the attack on Google was initiated when intruders sent an instant message via Microsoft Messenger to a Google employee working in China. The message contained a link to a malicious website, which, when clicked, allowed attackers to gain access to a Google employee's personal computer.
Using this initial entry, attackers then gained access to the computers of a group of Google software developers for the Gaia program. The intruders then used other sophisticated hacking techniques to access and gain control of a software repository where the source code for the Gaia program was stored.
The stolen code was then transferred to computers owned by Rackspace, a cloud and managed hosting provider, before being sent to an unknown location.
For more information about APT attacks, see the upcoming May issue of SC Magazine.