Last Updated Apr 6, 2010 2:47 PM EDT
Shadows in the Cloud: An Investigation into Cyber Espionage 2.0 followed a group of Chinese hackers who used popular social media and blogging services to steal financial data, private emails, even missile codes. But unlike the recent Google attacks, which exploited a security flaw in Microsoft's (MSFT) Internet Explorer, these hackers used programs like Twitter and Google Groups exactly as they were designed.
"The hackers want to maintain constant control over a computer once they have compromised it," Nart Villeneuve, one of the report's principal authors, told me. To do this the hackers rely on command servers that can send and receive instructions from the hacked computers.
But sending information back and forth to a strange location in China can raise alarms, and security professionals often block the offending servers. So the hackers exploited Twitter feeds, Google Groups and Yahoo accounts to update compromised computers with new command and control servers.
These web tools acted as a proxy, carrying tweets or messages with URLs that pointed back to the new command servers. Even if security professionals identified and blocked one of the hackers' command servers, the group would just serve up a fresh one through an innocent-seeming tweet.
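The pattern described above leaves a trace a defender can look for: a host reads a public feed and, shortly afterwards, connects to a server that was named only in that feed's posts. The following is an added example, not code from the article or from the Shadows in the Cloud report; the feed account, the domains and the proxy log format are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed posts from a hypothetical feed; domains are placeholders.
FEED_POSTS = {
    "http://twitter.com/example_account": [
        "nice weather today http://update.example-cdn.invalid/notes.html",
        "holiday photos http://pics.example-cdn.invalid/album",
    ],
}
# Constructed proxy log: "<ISO timestamp> <client ip> <method> <url>".
PROXY_LOG = """\
2010-04-06T14:00:01 10.0.0.5 GET http://twitter.com/example_account
2010-04-06T14:00:09 10.0.0.5 GET http://update.example-cdn.invalid/notes.html
2010-04-06T14:01:00 10.0.0.7 GET http://twitter.com/example_account
2010-04-06T14:30:00 10.0.0.7 GET http://news.example.invalid/
2010-04-06T15:10:00 10.0.0.9 GET http://update.example-cdn.invalid/notes.html
"""
URL_RE = re.compile(r"https?://\S+")

def hosts_in_posts(posts):
    """Hostnames of every URL embedded in a feed's posts."""
    return {urlparse(u).hostname for p in posts for u in URL_RE.findall(p)}

def parse_log(text):
    """Parse the toy log into (timestamp, client, url), oldest first."""
    rows = []
    for line in text.splitlines():
        ts, ip, _method, url = line.split()
        rows.append((datetime.fromisoformat(ts), ip, url))
    return sorted(rows)

def find_dead_drop_followups(log_text, feeds, window=timedelta(minutes=5)):
    """Map client -> [(feed, url)] for clients that read a watched feed and
    then, within `window`, connect to a host linked from that feed's posts."""
    feed_hosts = {feed: hosts_in_posts(posts) for feed, posts in feeds.items()}
    last_fetch = {}                      # (client, feed) -> time of last feed read
    hits = defaultdict(list)
    for ts, ip, url in parse_log(log_text):
        if url.rstrip("/") in feeds:     # the client read one of the watched feeds
            last_fetch[(ip, url.rstrip("/"))] = ts
            continue
        host = urlparse(url).hostname
        for feed, hosts in feed_hosts.items():
            t0 = last_fetch.get((ip, feed))
            if t0 is not None and ts - t0 <= window and host in hosts:
                hits[ip].append((feed, url))
    return dict(hits)
```

Only 10.0.0.5 is flagged: 10.0.0.7 read the feed but never followed a link from it, and 10.0.0.9 reached the update host without a visible feed read (as would any host fetching the feed over HTTPS), so this is a triage signal to be paired with other evidence, not proof of compromise.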
These attacks, like the Google hack I previously covered, have been traced to Chinese universities, but never tied directly to an individual or the Chinese government. In some cases the hackers did use Yahoo Mail and Google Groups to send and host malware, but by and large Villeneuve says there isn't much these companies can do proactively to prevent hackers from misusing their services: "These hacker networks are pretty small, and they are using the services as they were designed."
Villeneuve says the companies identified were very responsive as soon as they were notified. "They were extremely helpful and most of these accounts are shut down now." The onus really lies with individual users to monitor their computers for breaches and to pay attention to activity, even from seemingly innocent sites.
By spreading their attacks across a dispersed network of social networks, blogging platforms and email accounts, the hackers were able to maintain constant control of the infected computers while passing below the radar of security pros. "It took me a while to realize what they were doing through these services," says Villeneuve, "even when I was looking at traffic from a computer I knew was compromised."