While Google called a cyber-attack against its network last January a highly sophisticated and targeted attack, security experts said the techniques show the attackers to be nothing more than amateurs.
According to a report that cybersecurity firm Damballa released Tuesday, the China-based Aurora hackers who targeted Google were more varied in their tactics and less advanced than early reports indicate.
The report could be a blow to Google's efforts to classify the attack as state-sponsored, giving it considerably less leverage as it attempts to negotiate with China about its continued operations in the country.
Damballa links the attacks to a group of botnets (collections of computers compromised with hidden software) that used software it said was over 5 years old and deployed techniques it described as old school.
"The threat originally disclosed by Google...has frequently been associated with state-endorsed attacks and many vendors have explained the operation using a military vernacular," said Gunter Ollmann, vice president of research for Damballa.
"Based on a thorough analysis of deeper data surrounding the attacks and examination of both malware and CnC topologies used by the criminals behind the attacks, it appears that Aurora can be best classified as just another increasingly common botnet attack and one that is more amateur than average."
On January 12, Google said the hackers had compromised its networks and tried to access the Gmail email accounts of Chinese human rights activists. It has since threatened to stop censoring its search results in China, and even to pull its operations out of the country.
Google's threats imply the hacking was state-sponsored, but Damballa believes the methods were too crude to be employed by a state actor.
"This botnet has a simple command topology and makes extensive use of Dynamic DNS (DDNS) [command and control] techniques," the report reads.
"The construction of the botnet would be classed as 'old-school', and is rarely used by professional botnet criminal operators any more. Reliance upon DDNS CnC is typically associated with new and amateur botnet operators."
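The DDNS command-and-control pattern the report singles out is something a defender can look for in resolver logs. The following is an added example, not code from the article or from Damballa; the log line format, the client names and the list of dynamic-DNS provider suffixes are all assumptions made for the illustration.

```python
# Flag DNS lookups that fit the dynamic-DNS C&C pattern described above:
# names under a DDNS provider suffix, or names whose answer keeps changing.
import re
from collections import defaultdict

# Assumed, illustrative list of dynamic-DNS provider suffixes (not from the page).
DDNS_SUFFIXES = ("dyndns.org", "no-ip.com", "no-ip.org")

# Assumed resolver log format: "<timestamp> client=<ip> qname=<name> answer=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) answer=(?P<ip>\S+)$"
)

def parse_line(line):
    """Return the fields of one log line, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_ddns_host(qname):
    """True if qname is a DDNS provider domain or a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in DDNS_SUFFIXES)

def analyse(lines, churn_threshold=2):
    """Group lookups by queried name and flag those that are DDNS-hosted or
    whose answers changed churn_threshold or more times (IP churn is the
    symptom of an operator re-pointing a DDNS name at a new C&C host)."""
    seen = defaultdict(lambda: {"clients": set(), "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed entries rather than crash on them
        seen[rec["qname"]]["clients"].add(rec["client"])
        seen[rec["qname"]]["ips"].add(rec["ip"])
    flagged = {}
    for qname, info in seen.items():
        ddns = is_ddns_host(qname)
        if ddns or len(info["ips"]) >= churn_threshold:
            flagged[qname] = {**info, "ddns": ddns}
    return flagged

# Constructed sample log lines (not real traffic; documentation IP ranges).
SAMPLE = [
    "2010-01-12T09:00:01 client=10.0.0.5 qname=beacon.dyndns.org answer=203.0.113.10",
    "2010-01-12T09:30:01 client=10.0.0.5 qname=beacon.dyndns.org answer=198.51.100.7",
    "2010-01-12T09:31:15 client=10.0.0.8 qname=www.example.com answer=93.184.216.34",
    "2010-01-12T09:32:40 client=10.0.0.8 qname=cdn.example.net answer=192.0.2.1",
    "2010-01-12T09:33:02 client=10.0.0.9 qname=cdn.example.net answer=192.0.2.2",
    "malformed entry that does not match the expected format",
]
```

Running `analyse(SAMPLE)` flags `beacon.dyndns.org` as DDNS-hosted with two different answers, flags `cdn.example.net` on churn alone, and leaves `www.example.com` alone.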
Citing company policy, Google would not comment on the ongoing investigation.