Google China Hack Stole Source Code

A security researcher believes that the Chinese hackers responsible for the Google attack managed to steal valuable source code

The Chinese hack of Google in January may be more serious than first thought, after George Kurtz, CTO of antivirus software maker McAfee, said that the hackers stole valuable source code, after they broke into the computers belonging to staff with privileged access.

Google Chief Legal Officer David Drummond wrote in a blog post 12 January that the attack on Google’s corporate infrastructure resulted in the theft of intellectual property from the search giant, though he declined to specify what the hackers stole.

Kurtz said he believes the hackers broke through the defences of at least 30 companies and maybe as many as 100. The common link? The hackers often attacked source code management software, or SCM, such as the system from Perforce Software that Google and a number of other companies employ in their operations.

According to Kurtz, hackers succeeded in stealing source code from several of their victims.

He also said the attackers would have had an opportunity to change the source code without the companies’ knowledge, although investigators had yet to find any evidence that the hackers made changes.

The dispute between China and Google expanded on two fronts on 2 March with the search giant suggesting to Congress that the issue of the attacks should be brought before the WTO (World Trade Organisation), while Sen. Dick Durbin threatened to introduce legislation that would slap civil or criminal liabilities on Internet companies that do not take steps to protect human rights.

After a 2 March hearing before the Senate Judiciary Subcommittee on Human Rights and the Law, chaired by Durbin, examined IT industry business practices in Internet-restricting countries, Bloomberg reported that the Obama administration is considering raising the issue before the WTO. The effort would force China to publicly discuss the issue.

Durbin, meanwhile, urged Internet companies to adopt the voluntary code of conduct known as the GNI (Global Network Initiative). The code of conduct regulates the actions of technology companies operating in countries that restrict the Internet. The GNI currently has only three members: Google, Microsoft, and Yahoo. The group has shown little progress.

“With a few notable exceptions, the information technology industry seems unwilling to regulate itself and unwilling even to engage in a dialogue with Congress about the serious human rights challenges the industry faces,” Durbin said in a statement. “As a result, I plan to introduce legislation that would require Internet companies to take reasonable steps to protect human rights or face civil or criminal liability.”

In February, Durbin sent letters to 30 technology companies asking them to join the GNI and seeking more information about their business practices in China. Only AT&T, McAfee and Skype have committed to discussing joining the GNI, while Websense has indicated that it will join if the membership fee is waived.

“Facebook, Twitter, HP [Hewlett-Packard] and Apple were all asked to testify [at the 2 March hearing] and refused. McAfee agreed to testify at [the] hearing but withdrew late last week,” said a statement on Durbin’s website.