When Google said yesterday that Jinan, China is the apparent origin of a worrying phishing attack against hundreds of people, including U.S. government officials and Chinese human rights activists, it ignored at least two other attack sources reported by the expert who first called attention to that very attack.
The question is why Google homed in on Jinan (a city whose name is politically charged because it is a regional command center for China’s military, the People’s Liberation Army) and left out some other potential sources, which a key expert says included Korea and New York.
Jinan is also home to the Lanxiang Vocational School, which was the alleged source of a more serious cyberattack on Google in 2009, in which the attackers spied on human rights activists and which forced Google to pull out of China — this coming after years of tension-filled negotiations between Google and China to find a way to get along. So of course, when Google pinpoints Jinan as the apparent source, and provides no further back-up to its allegations, the assumption is that Google either thinks, or at least wants others to think, that this all stems from the same Chinese foes of the past, and maybe even from the Chinese government.
Now, Google didn’t say it was orchestrated by Beijing, but you can see why the Chinese government thinks it’s being singled out.
The truth is, we just don’t know why Google has focused on Jinan. But in light of the political sensitivity, it would be in Google’s interest to offer more details, if only to shield the company from criticism that it is playing hardball against China for political reasons, and suspicion that it hasn’t nailed down enough facts to back its assertion that this came from China.
Here’s what we know: Mila Parkour, the Washington-based IT specialist behind the security site Contagio Malware Dump, who first spotted the attacks three months ago and wrote about them here, documented a series of attacks from various locations. These also included Korea and New York.
This has some other experts asking questions, including Mary Landesman, a respected senior security researcher at Cisco. I called her up to ask for her point of view on the attacks, and she pointed out that the Contagio documentation alone is not enough to pinpoint Jinan as the source.
“The Jinan, China connection seems to be coming from the fact that some phishing emails were sent through 163.com,” she says, “but if that’s evidence, then I think it’s worth questioning. That’s a funny email for cyber [activity].” The domain 163.com may be based in Jinan, but that doesn’t mean that’s where the attack really originated.
By way of explanation, if someone sends a phishing attack through a Gmail account, that doesn’t mean that the attack originated from Mountain View, California (the home of Google, which owns Gmail), she said.
There’s a difference between tracking email headers and extracting origin, she added. Especially since the U.S. government is taking such a keen interest in this (see Secretary of State Hillary Clinton’s tough words on this today, and a recent report that the Pentagon may respond to cyber warfare with military force), it’s worth asking: Where’s the evidence?
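Landesman's distinction between reading headers and establishing origin, illustrated with an added example that is not from the article: it walks a constructed chain of Received headers (placeholder hostnames and RFC 5737 documentation addresses, not real infrastructure) and separates the one hop the recipient can verify, which only identifies the delivering mail service, from the older hops that name the submitter but could have been written by anyone.

```python
import re

# Constructed Received headers, newest hop first, as they appear in a message.
# "mail.example-provider.com" stands in for any webmail service (the article's
# 163.com or Gmail); "mx.victim.example" is the recipient's own mail exchanger.
CONSTRUCTED_RECEIVED = [
    "from mail.example-provider.com (mail.example-provider.com [203.0.113.10]) "
    "by mx.victim.example (Postfix) with ESMTP id ABC123; Wed, 1 Jun 2011 10:00:00 +0000",
    "from webmail.example-provider.com (webmail.example-provider.com [203.0.113.11]) "
    "by mail.example-provider.com with ESMTP; Wed, 1 Jun 2011 09:59:58 +0000",
    "from [198.51.100.7] (unknown [198.51.100.7]) "
    "by webmail.example-provider.com with HTTP; Wed, 1 Jun 2011 09:59:57 +0000",
]

FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hops(received):
    """Return (claimed sending host, bracketed IP) per hop, oldest first."""
    out = []
    for header in reversed(received):
        host = FROM_RE.match(header)
        ip = IP_RE.search(header)
        out.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return out


def delivering_service(received):
    """Host that handed the message to our MX: the mail *service*, not the sender."""
    return hops(received)[-1][0]


def verified_hop_ip(received, own_mx):
    """The newest header was stamped by our own server, so its connecting IP is
    the only address we can vouch for. Everything older arrived inside the
    message and is only as trustworthy as whoever wrote it."""
    newest = received[0]
    by = BY_RE.search(newest)
    ip = IP_RE.search(newest)
    if by and by.group(1) == own_mx and ip:
        return ip.group(1)
    return None


def claimed_origin(received):
    """Oldest hop: the best hint about the submitter, but unverifiable by us."""
    return hops(received)[0]
```

Run against the constructed chain, the verifiable address belongs to the provider's relay, while the address that actually hints at the submitter sits in a hop the provider wrote, which is exactly why "sent through 163.com" says little about where the sender was.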
The only real evidence contained in the Contagio report, Landesman added, is the spoofed Gmail page, which appears to have been lifted from Google Korea (more insight here about the techniques used). No one is saying Korea did it, but the attackers apparently forgot to change some links that pointed to Gmail Korea.
Google isn’t commenting on the story right now beyond its original post, but we’ve checked in with our sources at the company, and they say Google is basing its Jinan reference on security intelligence gathered on its own. The company doesn’t want to reveal how this was done. Google’s post merely said it relied on “user reports” as well as the original Contagio report.
For now, we just don’t know, but because of the political ramifications, it sure would be helpful if Google were to reveal more facts.