US analysts believe a Chinese freelance security consultant with government ties was the author of the code used in cyberattacks on Google and other companies, the Financial Times reported on Monday.

The Wall Street Journal reported meanwhile that a prominent Asian hacking group that is likely Chinese may have been the perpetrators of last year's attacks on the Internet giant and as many as 33 other companies.

The FT, citing an unidentified researcher working for the US government, said a Chinese security consultant in his 30s wrote the part of the program that used a previously unknown security hole in Microsoft's Internet Explorer Web browser to break into computers and insert spyware.

The newspaper said Chinese officials had special access to the work of the author, who posted pieces of the program to a hacking forum.

The man is not a full-time Chinese government worker and did not launch the attacks, the newspaper said, adding that he would "prefer not be used in such offensive efforts."

"If he wants to do the research he's good at, he has to toe the line now and again," the US analyst said. "He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing.

"The state has privileged access to these researchers' work."

The FT also repeated claims made last week in The New York Times that the attacks had been traced to computers at Shanghai Jiaotong University and the Lanxiang Vocational School located in the eastern province of Shandong.

Both institutions have denied involvement, as have the Chinese authorities.

The Wall Street Journal said Monday that the group that attacked Google and others may have been involved in previous attacks tracked by intelligence and law-enforcement officials.

"It is the same folks that have been behind a hell of a lot of other attacks," the Journal quoted a person familiar with probes into some of the affected companies as saying.

The Journal said the group investigators are focusing on uses Chinese computer systems to mount its attacks and has a history of primarily attacking corporations -- not the US military or other government agencies.

The Journal said it is not clear whether the hackers have connections to the Chinese government or whether they are a "patriotic" hacking group that acts in the government's interests.

China has repeatedly denied involvement in the attacks, which have strained US ties and prompted Google to threaten to leave the country.

Google vowed in January to stop bowing to Web censors in China in the wake of the cyberattacks aimed at the US firm's source code and at Gmail accounts of Chinese human rights activists around the world.

Google continues to filter searches as per Chinese law while trying to negotiate a compromise with officials there.

US President Barack Obama said last month that he was "troubled" by the cyberattacks on Google and wants answers from China.

earlier related report
FTC warns firms, organizations of widespread data breach
Washington (AFP) Feb 22, 2010 - The US Federal Trade Commission (FTC) said Monday it has notified nearly 100 companies and organizations of data breaches involving personal information about customers or employees.

The FTC declined to identify the companies or organizations involved, but said they were both "private and public entities, including schools and local governments."

The companies and organizations ranged in size from "businesses with as few as eight employees to publicly held corporations employing tens of thousands," the FTC said in a statement.

It said sensitive data about customers and employees had been shared from the computer networks of the companies and organizations and made available on Internet peer-to-peer (P2P) file-sharing networks.

The information was accessible to "any users of those networks, who could use it to commit identity theft or fraud," the FTC said.

"Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk," FTC chairman Jon Leibowitz said.

"For example, we found health-related information, financial records, and driver's license and social security numbers -- the kind of information that could lead to identity theft," Leibowitz said.

"Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure," he said.

"Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing," he added.

P2P file-sharing software is used in a variety of ways including for playing games, making online telephone calls or sharing music, video and documents.

Chris King, director of product marketing at California-based security firm Palo Alto Networks, said the sharing of sensitive company information over such P2P services as BitTorrent or Limewire was indeed often unintentional.

"People are not stealing identities, medical records, financial records and sticking them on these networks," King told AFP.

"In a lot of cases what's happening is someone who works for one of these organizations... will install an application on their laptop or desktop so they can get to music or movies or something like that," he said.

"Next thing you know a whole bunch of medical records are in the wild," he said. "It's not necessarily malicious from the get-go."

King said a study had found that P2P programs have a nearly 90 percent penetration rate in "enterprise organizations -- folks that have firewalls and all kinds of security mechanisms in place."

The FTC, in the notification letters to the companies and organizations, urged them to review their security practices "to ensure that they are reasonable, appropriate, and in compliance with the law."

"It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers," the letters stated.