Thursday, March 24, 2011

China and Google: A detailed look

Photo by Reuters
After weeks of frustration from Gmail users within China, Google has finally come out to accuse the Chinese government of being behind the interference that has prevented users from accessing the site.
This comes after a statement from Google on March 11th that it had "noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target".
The focus of this piece will be on this March 11th announcement, which has been overlooked or given briefer mention in articles. This is because much of the focus has looked at the general step-up of Internet censorship in China. The point of this exercise is to, with one example, give you a more detailed look at how creepy all of this stuff going on is.
While Google has not mentioned from which country these targeted activists were from, and did not answer Al Jazeera's query when we contacted them for more information, we have learned that at least some of the targets were in China, and that some of the perpetrators are also based in China.

The March 11th announcement from Google discussed a MHTML vulnerability that basically allows an invader to steal your cookie. In this case, a cookie is not a tasty treat, but a piece of valuable information. It's sort of your computer's way of connecting you to Gmail, and when someone steals your cookie, they can hijack your Gmail session, and the invader can then access your Gmail account and then do whatever he or she wants.
In early March, a foreign correspondent based in China received an email from a user by the name of, claiming to have pictures related to China's "Jasmine Revolution". Now, journalists are not activists, but it appears this email was sent to people who were either invested in or interested in calls for a "Jasmine Revolution." Also, some people in China do view foreign journalists as activists, not convinced we actually only report the news, so it could have made sense for the perpetrators to target journalists.
I am going to show a hoax "Jasmine Revolution" email I myself have received from that time:
File 17471
Without going into the technical details, the idea is to lure the recipient to click on Moli Hua, which is the word "jasmine" in Chinese. Then, all sorts of bad things happen in your cyber world.
The email from was analysed by Greg Walton, director of metaLab Asia, a cyber intelligence lab. With a programme called Cytoscape, which was originally a software used for analysing DNA, Walton analysed where the malware attack came from.
Walton determined that the malware from takes advantage of the same MHTML vulnerability mentioned in the Google post from March 11th. Take a look at this nifty visual showing how everything is connected:
File 17491
In the visual, you'll notice the server hosting this malware is the responsibility of an entity known as DYX NOC with this IP address: In other words, some place in Tsuen Wan, Hong Kong. Walton tells Al Jazeera he suspects this IP address has links back to cyber criminal operators in Beijing. (Walton informed Hong Kong authorities about this attack, by the way, on March 22nd.)
You'll also notice that once your cookie is stolen, the information is delivered to the following three Gmail addresses:,, and
I honestly hope that Google has closed down all these accounts, because hackers are using them. I also hope Google will give the public more clarification on their March 11th blog posting soon. It would be good to know whether the activists Google mentioned were in China. And if not, it looks like activists in at least more than one country are being targeted with this complex piece of malware.
**If reading this has suddenly made you feel less safe about using Gmail or about cloud computing in general, know that Google has recently unveiled a 2-step verification system to access your account. It's unwieldy, but Walton recommends you use this new authentication scheme if you'd like the best possible security against anyone accessing your account.
Post a Comment