Operation Aurora
   HOME

TheInfoList



OR:

Operation Aurora was a series of
cyber attack A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricted ...
s conducted by
advanced persistent threat An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may ...
s such as the Elderwood Group based in
Beijing } Beijing ( ; ; ), alternatively romanized as Peking ( ), is the capital of the People's Republic of China. It is the center of power and development of the country. Beijing is the world's most populous national capital city, with over 21 ...
,
China China, officially the People's Republic of China (PRC), is a country in East Asia. It is the world's most populous country, with a population exceeding 1.4 billion, slightly ahead of India. China spans the equivalent of five time zones and ...
, with ties to the
People's Liberation Army The People's Liberation Army (PLA) is the principal military force of the People's Republic of China and the armed wing of the Chinese Communist Party (CCP). The PLA consists of five service branches: the Ground Force, Navy, Air Force, ...
. First publicly disclosed by
Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...
on January 12, 2010, in a
blog A blog (a truncation of "weblog") is a discussion or informational website published on the World Wide Web consisting of discrete, often informal diary-style text entries (posts). Posts are typically displayed in reverse chronological order ...
post, the attacks began in mid-2009 and continued through December 2009. The attack was aimed at dozens of other organizations, of which
Adobe Systems Adobe Inc. ( ), originally called Adobe Systems Incorporated, is an American multinational computer software company incorporated in Delaware and headquartered in San Jose, California. It has historically specialized in software for the crea ...
,
Akamai Technologies Akamai Technologies, Inc. is an American content delivery networkJ. Dilley, B. Maggs, J. Parikh, H. Prokop, R. Sitaraman, and B. Weihl. (CDN), cybersecurity, and cloud service company, providing web and Internet security services. Akamai's Inte ...
,
Juniper Networks Juniper Networks, Inc. is an American multinational corporation headquartered in Sunnyvale, California. The company develops and markets networking products, including routers, switches, network management software, network security products, ...
, and
Rackspace Rackspace Technology, Inc. is an American cloud computing company based in Windcrest, Texas, an inner suburb of San Antonio, Texas. The company also has offices in Blacksburg, Virginia, and Austin, Texas, as well as in Australia, Canada, United ...
have publicly confirmed that they were targeted. According to media reports,
Yahoo Yahoo! (, styled yahoo''!'' in its logo) is an American web services provider. It is headquartered in Sunnyvale, California and operated by the namesake company Yahoo! Inc. (2017–present), Yahoo Inc., which is 90% owned by investment funds ma ...
, Symantec,
Northrop Grumman Northrop Grumman Corporation is an American multinational aerospace and defense technology company. With 90,000 employees and an annual revenue in excess of $30 billion, it is one of the world's largest weapons manufacturers and military techn ...
,
Morgan Stanley Morgan Stanley is an American multinational investment management and financial services company headquartered at 1585 Broadway in Midtown Manhattan, New York City. With offices in more than 41 countries and more than 75,000 employees, the fir ...
, and
Dow Chemical The Dow Chemical Company, officially Dow Inc., is an American multinational chemical corporation headquartered in Midland, Michigan, United States. The company is among the three largest chemical producers in the world. Dow manufactures plastics ...
were also among the targets. As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all," and acknowledged that if this is not possible, it may leave China and close its Chinese offices. Official Chinese sources claimed this was part of a strategy developed by the U.S. government. The attack was named "Operation Aurora" by
Dmitri Alperovitch Dmitri Mikhailovich Alperovitch (born 1980) is a Soviet-born American think-tank founder, investor, philanthropist, podcast host and former computer security industry executive. He is the chairman of Silverado Policy Accelerator, a geopolitics th ...
, Vice President of Threat Research at cybersecurity company
McAfee McAfee Corp. ( ), formerly known as McAfee Associates, Inc. from 1987 to 1997 and 2004 to 2014, Network Associates Inc. from 1997 to 2004, and Intel Security Group from 2014 to 2017, is an American global computer security software company head ...
. Research by McAfee Labs discovered that "Aurora" was part of the
file path A path is a string of characters used to uniquely identify a location in a directory structure. It is composed by following the directory tree hierarchy in which components, separated by a delimiting character, represent each directory. The del ...
on the attacker's machine that was included in two of the
malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...
binaries A binary file is a computer file that is not a text file. The term "binary file" is often used as a term meaning "non-text file". Many binary file formats contain parts that can be interpreted as text; for example, some computer document fil ...
McAfee said were associated with the attack. "We believe the name was the internal name the attacker(s) gave to this operation," McAfee Chief Technology Officer George Kurtz said in a blog post. According to McAfee, the primary goal of the attack was to gain access to and potentially modify
source code In computing, source code, or simply code, is any collection of code, with or without comments, written using a human-readable programming language, usually as plain text. The source code of a program is specially designed to facilitate the wo ...
repositories at these high-tech, security, and defense contractor companies. " SCMs.html" ;"title="Version_control.html" ;"title="/nowiki>The Version control">SCMs">Version_control.html" ;"title="/nowiki>The Version control">SCMs/nowiki> were wide open," says Alperovitch. "No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways—much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting."


History

On January 12, 2010, Google revealed on its blog that it had been the victim of a cyber attack. The company said the attack occurred in mid-December and originated from China. Google stated that over 20 other companies had been attacked; other sources have since cited that more than 34 organizations were targeted. As a result of the attack, Google said it was reviewing its business in China. On the same day, United States Secretary of State Hillary Clinton issued a brief statement condemning the attacks and requesting a response from China. On January 13, 2010, the news agency All Headline News reported that the United States Congress plans to investigate Google's allegations that the Chinese government used the company's service to spy on human rights activists. In
Beijing } Beijing ( ; ; ), alternatively romanized as Peking ( ), is the capital of the People's Republic of China. It is the center of power and development of the country. Beijing is the world's most populous national capital city, with over 21 ...
, visitors left flowers outside of Google's office. However, these were later removed, with a Chinese security guard stating that this was an "illegal flower tribute". The Chinese government has yet to issue a formal response, although an anonymous official stated that China was seeking more information on Google's intentions.


Attackers involved

Technical evidence including IP addresses, domain names, malware signatures, and other factors, show Elderwood was behind the Operation Aurora attack. The "Elderwood" group was named by Symantec (after a source-code variable used by the attackers), and is referred to as the "Beijing Group" by Dell Secureworks. The group obtained some of Google's source code, as well as access to information about Chinese activists. Elderwood also targeted numerous other companies in the shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors. The "APT" designation for the Chinese threat actors responsible for attacking Google is APT17. Elderwood specializes in attacking and infiltrating second-tier defense industry suppliers that make electronic or mechanical components for top defense companies. Those firms then become a cyber "stepping stone" to gain access to top-tier defense contractors. One attack procedure used by Elderwood is to infect legitimate websites frequented by employees of the target company – a so-called "water hole" attack, just as lions stake out a watering hole for their prey. Elderwood infects these less-secure sites with malware that downloads to a computer that clicks on the site. After that, the group searches inside the network to which the infected computer is connected, finding and then downloading executives' e-mails and critical documents on company plans, decisions, acquisitions, and product designs.


Attack analysis

In its blog posting, Google stated that some of its
intellectual property Intellectual property (IP) is a category of property that includes intangible creations of the human intellect. There are many types of intellectual property, and some countries recognize more than others. The best-known types are patents, cop ...
had been stolen. It suggested that the attackers were interested in accessing
Gmail Gmail is a free email service provided by Google. As of 2019, it had 1.5 billion active users worldwide. A user typically accesses Gmail in a web browser or the official mobile app. Google also supports the use of email clients via the POP an ...
accounts of Chinese
dissidents A dissident is a person who actively challenges an established political or religious system, doctrine, belief, policy, or institution. In a religious context, the word has been used since the 18th century, and in the political sense since the 20th ...
. According to the ''
Financial Times The ''Financial Times'' (''FT'') is a British daily newspaper printed in broadsheet and published digitally that focuses on business and economic current affairs. Based in London, England, the paper is owned by a Japanese holding company, Nik ...
'', two accounts used by
Ai Weiwei Ai Weiwei (, ; born 28 August 1957) is a Chinese contemporary artist, documentarian, and activist. Ai grew up in the far northwest of China, where he lived under harsh conditions due to his father's exile. As an activist, he has been openly c ...
had been attacked, their contents read and copied; his bank accounts were investigated by state security agents who claimed he was under investigation for "unspecified suspected crimes". However, the attackers were only able to view details on two accounts and those details were limited to things such as the subject line and the accounts' creation date. Security experts immediately noted the sophistication of the attack. Two days after the attack became public, McAfee reported that the attackers had exploited purported zero-day vulnerabilities (unfixed and previously unknown to the target system developers) in
Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical user interface, graphical web browsers developed by Microsoft which was used in the Microsoft Wind ...
and dubbed the attack "Operation Aurora". A week after the report by McAfee,
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
issued a fix for the issue, and admitted that they had known about the security hole used since September. Additional vulnerabilities were found in
Perforce Perforce, legally Perforce Software, Inc., is an American developer of software used for developing and running applications, including version control software, web-based repository management, developer collaboration, application lifecycle man ...
, the source code revision software used by Google to manage their source code.
VeriSign Verisign Inc. is an American company based in Reston, Virginia, United States that operates a diverse array of network infrastructure, including two of the Internet's thirteen root nameservers, the authoritative registry for the , , and gener ...
's iDefense Labs claimed that the attacks were perpetrated by "agents of the Chinese state or proxies thereof". According to a diplomatic cable from the U.S. Embassy in Beijing, a Chinese source reported that the Chinese Politburo directed the intrusion into Google's computer systems. The cable suggested that the attack was part of a coordinated campaign executed by "government operatives, public security experts and Internet outlaws recruited by the Chinese government." The report suggested that it was part of an ongoing campaign in which attackers have "broken into
American government The federal government of the United States (U.S. federal government or U.S. government) is the national government of the United States, a federal republic located primarily in North America, composed of 50 states, a city within a feder ...
computers and those of Western allies, the
Dalai Lama Dalai Lama (, ; ) is a title given by the Tibetan people to the foremost spiritual leader of the Gelug or "Yellow Hat" school of Tibetan Buddhism, the newest and most dominant of the four major schools of Tibetan Buddhism. The 14th and current Dal ...
and American businesses since 2002." According to
The Guardian ''The Guardian'' is a British daily newspaper. It was founded in 1821 as ''The Manchester Guardian'', and changed its name in 1959. Along with its sister papers ''The Observer'' and ''The Guardian Weekly'', ''The Guardian'' is part of the Gu ...
's reporting on the leak, the attacks were "orchestrated by a senior member of the Politburo who typed his own name into the global version of the search engine and found articles criticising him personally." Once a victim's system was compromised, a backdoor connection that masqueraded as an SSL connection made connections to
command and control Command and control (abbr. C2) is a "set of organizational and technical attributes and processes ... hatemploys human, physical, and information resources to solve problems and accomplish missions" to achieve the goals of an organization or en ...
servers running in Illinois, Texas, and Taiwan, including machines that were running under stolen
Rackspace Rackspace Technology, Inc. is an American cloud computing company based in Windcrest, Texas, an inner suburb of San Antonio, Texas. The company also has offices in Blacksburg, Virginia, and Austin, Texas, as well as in Australia, Canada, United ...
customer accounts. The victim's machine then began exploring the protected corporate intranet that it was a part of, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories. The attacks were thought to have definitively ended on Jan 4 when the command and control servers were taken down, although it is not known at this point whether or not the attackers intentionally shut them down. However, the attacks were still occurring as of February 2010.


Response and aftermath

The German, Australian, and French governments publicly issued warnings to users of Internet Explorer after the attack, advising them to use alternative browsers at least until a fix for the security hole was made. The German, Australian, and French governments considered all versions of Internet Explorer vulnerable or potentially vulnerable. In an advisory on January 14, 2010, Microsoft said that attackers targeting Google and other U.S. companies used software that exploits a hole in Internet Explorer. The vulnerability affects Internet Explorer versions 6, 7, and 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4. The Internet Explorer exploit code used in the attack has been released into the public domain, and has been incorporated into the Metasploit Framework penetration testing tool. A copy of the exploit was uploaded to Wepawet, a service for detecting and analyzing web-based malware operated by the computer security group at the University of California, Santa Barbara. "The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," said George Kurtz, CTO of McAfee, of the attack. "The now public computer code may help cybercriminals craft attacks that use the vulnerability to compromise Windows systems." Security company
Websense Forcepoint, an American multinational corporation software company headquartered in Austin, Texas, that develops computer security software and data protection, cloud access security broker, firewall and cross-domain solutions. Forcepoint was fo ...
said it identified "limited public use" of the unpatched IE vulnerability in drive-by attacks against users who strayed onto malicious Web sites. According to Websense, the attack code it spotted is the same as the exploit that went public last week. "Internet Explorer users currently face a real and present danger due to the public disclosure of the vulnerability and release of attack code, increasing the possibility of widespread attacks," said George Kurtz, chief technology officer of McAfee, in
blog update
Confirming this speculation, Websense Security Labs identified additional sites using the exploit on January 19. According to reports from Ahnlab, the second URL was spread through the Instant Messenger network Misslee Messenger, a popular IM client in South Korea. Researchers have created attack code that exploits the vulnerability in Internet Explorer 7 (IE7) and IE8—even when Microsoft's recommended defensive measure (
Data Execution Prevention In computer security, executable-space protection marks memory regions as non-executable, such that an attempt to execute machine code in these regions will cause an exception. It makes use of hardware features such as the NX bit (no-execute bit ...
(DEP)) is turned on. According to Dino Dai Zovi, a security vulnerability researcher, "even the newest IE8 isn't safe from attack if it's running on Windows XP Service Pack 2 (SP2) or earlier, or on Windows Vista RTM (release to manufacturing), the version Microsoft shipped in January 2007." Microsoft admitted that the security hole used had been known to them since September.Naraine, Ryan
Microsoft knew of IE zero-day flaw since last September
ZDNet, January 21, 2010. Retrieved 28 January 2010.
Work on an update was prioritized and on Thursday, January 21, 2010, Microsoft released a security patch aiming to counter this weakness, the published exploits based on it and a number of other privately reported vulnerabilities. They did not state if any of the latter had been used or published by exploiters or whether these had any particular relation to the Aurora operation, but the entire cumulative update was termed critical for most versions of Windows, including Windows 7. Security researchers continued to investigate the attacks.
HBGary HBGary is a subsidiary company of ManTech International, focused on technology security. In the past, two distinct but affiliated firms had carried the HBGary name: ''HBGary Federal'', which sold its products to the Federal government of the Un ...
, a security firm, released a report in which they claimed to have found some significant markers that might help identify the code developer. The firm also said that the code was Chinese language based but could not be specifically tied to any government entity. On February 19, 2010, a security expert investigating the cyber-attack on Google, has claimed that the people behind the attack were also responsible for the cyber-attacks made on several Fortune 100 companies in the past one and a half years. They have also tracked the attack back to its point of origin, which seems to be two Chinese schools,
Shanghai Jiao Tong University Shanghai Jiao Tong University (SJTU; ) is a public research university in Shanghai, China. The university is funded by the Ministry of Education of China. The university was established on April 8, 1896 as Nanyang Public School (南洋 ...
and
Lanxiang Vocational School The Shandong Lanxiang Vocational School (), colloquially Lanxiang (), is a vocational school in the Tianqiao District of Jinan, Shandong, China. The school was founded in 1984 and is said to have been established with support from the People ...
. As highlighted by ''The New York Times'', both of these schools have ties with the Chinese search engine
Baidu Baidu, Inc. ( ; , meaning "hundred times") is a Chinese multinational technology company specializing in Internet-related services and products and artificial intelligence (AI), headquartered in Beijing's Haidian District. It is one of the la ...
, a rival of
Google China Google China is a subsidiary of Google. A popular search engine, most services offered by Google China were blocked by the Great Firewall in the People's Republic of China. In 2010, searching via all Google search sites, including Google Mobil ...
. Both Lanxiang Vocational and Jiaotong University have denied the allegation. In March 2010, Symantec, which was helping investigate the attack for Google, identified
Shaoxing Shaoxing (; ) is a prefecture-level city on the southern shore of Hangzhou Bay in northeastern Zhejiang province, China. It was formerly known as Kuaiji and Shanyin and abbreviated in Chinese as (''Yuè'') from the area's former inhabitants. ...
as the source of 21.3% of all (12 billion) malicious emails sent throughout the world.


Google Releases A Look Back

On October 3, 2022, Google on YouTube released a six-episode series covering the events that occurred during Operation Aurora, with commentary from insiders who dealt with the attack, though the series primary focus was to reassure the Google-using public that measures are in place to counter hacking attempts.


See also

*
Chinese intelligence activity in other countries The Government of China is engaged in espionage overseas, directed through diverse methods via the Ministry of State Security (MSS), the Ministry of Public Security (MPS), the United Front Work Department (UFWD), People's Liberation Army (PLA); ( ...
*
Chinese Intelligence Operations in the United States The United States has often accused the government of the People's Republic of China of attempting to unlawfully acquire U.S. military technology and classified information as well as trade secrets of U.S. companiesFinkle, J. Menn, J., Viswanat ...
* Cyber-warfare * Economic and Industrial Espionage * GhostNet *
Honker Union Honker () or red hacker is a group known for hacktivism, mainly present in China. Literally the name means "Red Guest", as compared to the usual Chinese transliteration of hacker (黑客, hēikè, literally ''Black Guest'' as in black hat). ...
*
Titan Rain Titan Rain was a series of coordinated attacks on computer systems in the United States since 2003; they were known to have been ongoing for at least three years. The attacks originated in Guangdong, China. The activity is believed to be associat ...
*
Vulcanbot Vulcanbot is the name of a Trojan (malware), Trojan botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have started spreading in late 2009. The botnet began to spread after the website of the Vietnamese Pro ...
*
MUSCULAR (surveillance program) Skeletal muscles (commonly referred to as muscles) are organs of the vertebrate muscular system and typically are attached by tendons to bones of a skeleton. The muscle cells of skeletal muscles are much longer than in the other types of muscl ...


References


External links


Google China insiders may have helped with attack
news.cnet.com
Operation Aurora – Beginning Of The Age of Ultra-Sophisticated Hack Attacks!
Sporkings.com January 18, 2010
In Google We Trust Why the company's standoff with China might change the future of the Internet.
Rafal Rohozinski interviewed by Jessica Ramirez of Newsweek on 2010.1.29
Recent Cyber Attacks – More than what meets the eye?
Sporkings.com February 19, 2010
‘Google’ Hackers Had Ability to Alter Source Code
Wired.com March 3, 2010
'Aurora' code circulated for years on English sites Where's the China connection?
* Gross, Michael Joseph,
Enter the Cyber-dragon
, '' Vanity Fair'', September 2011. * Bodmer, S., Kilger, M., Carpenter, G., & Jones, J. (2012). '' Reverse Deception: Organized Cyber Threat Counter-Exploitation''. New York: McGraw-Hill Osborne Media. ,
The Operation Aurora Internet Explorer exploit – live!McAfee Operation Aurora OverviewOperation Aurora Explained by CNET
{{Hacking in the 2000s
Aurora An aurora (plural: auroras or aurorae), also commonly known as the polar lights, is a natural light display in Earth's sky, predominantly seen in high-latitude regions (around the Arctic and Antarctic). Auroras display dynamic patterns of bri ...
Cyberwarfare by China Cyberwarfare in the United States 2009 controversies 2009 crimes 2009 in technology McAfee China–United States relations Chinese advanced persistent threat groups Google