FBI Memos Reveal Cost of a Hacking Attack

A hacker attack on a company’s Web site can be costly, but exactly how much money it takes to repel and recover from a malicious strike is rarely disclosed by besieged companies.

laptop_nighttime_200.jpg
Emma Innocenti | Getty Images

But an attack several years ago on Google cost it $500,000, according to internal F.B.I. memos obtained by The New York Times through a Freedom of Information Act request. The documents also reveal some information about the attacker.

Last week PayPal, Visa and MasterCardtried to deflect a series of attempts to knock its Web sites offline by supporters of WikiLeaks after those companies suspended the processing of payments to the document-leaking Web site.

But in 2005, Google was battling the Santy worm, a bit of malicious software that caused infected computers across the globe to automatically enter search queries — so many, in fact, that Google was overwhelmed.

On Dec. 22, 2005, Google complained to the F.B.I. that the attack had slowed its search engine’s performance. For much of 2004 and 2005, Google had been plagued by variants of the worm, which used search queries to find vulnerable Web sites and deface them by exploiting a security hole in the community forum software, PHP Bulletin Board. Google had tried to filter queries containing phrases linked to the worm, but with limited success.

“As Google filters out certain string search phrases, within minutes, the subjects modify the search phrase to once again bypass Google’s filters,” an F.B.I. agent in San Francisco wrote to colleagues, recommending that an investigation be opened. Google’s efforts to stop the worm had unintended consequences of blocking legitimate searches, the agent wrote.

In a measure of the seriousness of the attack, Google devoted an entire engineering team to the battle at a cost of $500,000, a figure it arrived at by calculating the hours spent fighting the worm and the lost revenue, the report said. A year earlier, Google suffered a $100,000 loss from the MyDoom virus, which slowed or stalled Google’s search engine for several hours, according to documents from a separate F.B.I. investigation.

Although sizable, the damages are only a fraction of Google’s revenue for those years. In 2005, Google reported $6.1 billion in revenue.

Paul Judge, chief research officer for Barracuda Networks, a Web security company, said that it was rare for the monetary damages caused by hackers to become public. In fact, many companies never bother to calculate the total because they are too busy keeping the hackers at bay or they simply never report the incident to law enforcement out of embarrassment, he said.

In any case, Mr. Judge noted that the cost of an attack could rise quickly when the amount of time it took to clean up afterward, reconfigure firewalls and assess the initial response was included.

“Half a million dollars — you can get to that sum really quickly,” Mr. Judge said. “When an attack happens, it’s all hands on deck.”

In examining the software code used in one variant of the Santy worm, Google engineers found a potential lead to the attacker’s identity. In the code was embedded a Gmail address for a technical contact that the F.B.I. said might belong to the variant’s creator. That e-mail address was redacted from the document, as were the names of any Google employees who had spoken with the F.B.I.

The F.B.I. issued two subpoenas shortly thereafter for an individual or individuals to appear before a federal grand jury in San Jose, Calif. Those names were also redacted.

A few weeks later, Google had a change of heart. On Jan. 31, 2006, the F.B.I. noted that Google’s legal department told the agency that the company was no longer interested in any further investigation. “Inasmuch as Google is the victim and their assistance in the form of providing logs is necessary to pursue prosecution, it is recommended this case be administratively closed,” the F.B.I. agent wrote.