Operation Aurora
| Operation Aurora | |
|---|---|
| Belligerents | United States, China |
| Casualties and losses | Google intellectual property stolen[1] |
Operation Aurora was a series of
The attack was directed at dozens of other organizations, of which
As a result of the attack, Google stated in its weblog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all," and acknowledged that if this is not possible, it may quit China and close its Chinese offices.[1] Official Chinese sources claimed this was part of a strategy developed by the U.S. government.[10]
The attack was named "Operation Aurora" by Dmitri Alperovitch, Vice President of Threat Research at cybersecurity company McAfee. Research by McAfee Labs discovered that "Aurora" was part of the file path on the attacker's machine that was included in two of the malware binaries McAfee said were associated with the attack. "We believe the name was the internal name the attacker(s) gave to this operation", McAfee Chief Technology Officer George Kurtz said in a weblog post.[11]
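The naming above rests on a build path left inside the malware binaries. As an added illustration (not code from the article, McAfee, or any Aurora sample), the following Python performs the kind of strings-style triage an analyst would use to surface such paths; the binary blob and the search token are constructed for the example.

```python
import re

# Constructed sample "binary": header-like bytes with two embedded Windows
# build paths and one unrelated string. Not a real malware sample.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00\x01\x02\x03"
    b"C:\\build\\Aurora\\release\\loader.pdb\x00"
    b"\x7f\x10\x01\x02"
    b"kernel32.dll\x00"
    b"D:\\projects\\AuroraVNC\\bin\\vnc.exe\x00"
    b"\x00\x00"
)

# Windows-style absolute path: drive letter, colon, backslash-separated parts.
_WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\(?:[^\\\x00]+\\)*[^\\\x00]+$")


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes (like `strings`)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def find_build_paths(data: bytes) -> list[str]:
    """Return embedded strings that look like Windows file paths."""
    return [s for s in extract_strings(data) if _WIN_PATH_RE.match(s)]


def path_components(path: str) -> list[str]:
    """Split a Windows path into drive, directories and file name."""
    return path.split("\\")


def paths_mentioning(data: bytes, token: str) -> list[str]:
    """Paths whose directory components (not drive or file name) contain token."""
    hits = []
    for p in find_build_paths(data):
        dirs = path_components(p)[1:-1]
        if any(token.lower() in d.lower() for d in dirs):
            hits.append(p)
    return hits


if __name__ == "__main__":
    for p in paths_mentioning(SAMPLE_BINARY, "aurora"):
        print("embedded build path:", p)
```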
According to McAfee, the primary goal of the attack was to gain access to and potentially modify source code repositories at these high-technology, security, and defense contractor companies. "[The source code repositories] were wide open," says Alperovitch. "No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways—much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting."[12]
History
On January 12, 2010, Google revealed on its weblog that it had been the victim of a cyber attack. The company said the attack occurred in mid-December and originated from China. Google stated that more than 20 other companies had been attacked; other sources have since cited that more than 34 organizations were targeted.[9] As a result of the attack, Google said it was reviewing its business in China.[1] On the same day, United States Secretary of State Hillary Clinton issued a brief statement condemning the attacks and requesting a response from China.[13]
On January 13, 2010, the news agency All Headline News reported that the United States Congress plans to investigate Google's allegations that the Chinese government used the company's service to spy on human rights activists.[14]
In Beijing, visitors left flowers outside of Google's office. However, these were later removed, with a Chinese security guard stating that this was an "illegal flower tribute".[15] The Chinese government has yet to issue a formal response, although an anonymous official stated that China was seeking more information on Google's intentions.[16]
Attackers involved
Technical evidence, including IP addresses, domain names, malware signatures, and other factors, shows that Elderwood was behind the Operation Aurora attack. The "Elderwood" group was named by
The "APT" designation for the Chinese threat actors responsible for attacking Google is APT17.[19]
Elderwood specializes in attacking and infiltrating second-tier defense industry suppliers that make electronic or mechanical components for major defense companies. Those companies then become a cyber "stepping stone" to gain access to the major defense contractors. One attack procedure used by Elderwood is to infect legitimate websites frequented by employees of the target company – a so-called "water hole" attack, just as lions stake out a watering hole for their prey. Elderwood infects these less-secure sites with malware that downloads to a computer that accesses the site. After that, the group searches inside the network to which the infected computer is connected, finding and then downloading executives' e-mails and critical documents on company plans, decisions, acquisitions, and product designs.[2]
Attack analysis
In its weblog posting, Google stated that some of its
Security experts immediately noted the sophistication of the attack.
According to
Once a victim's system was compromised, a backdoor connection that masqueraded as an
The attacks were thought to have definitively ended on January 4, when the command and control servers were deactivated, although it is not known whether the attackers deactivated them intentionally.[29] However, the attacks were still occurring as of February 2010.[3]
Response and aftermath
The German, Australian, and French governments publicly issued warnings to users of Internet Explorer after the attack, advising them to use alternative browsers at least until a fix for the security breach was available.[30][31][32] These governments considered all versions of Internet Explorer vulnerable or potentially vulnerable.[33][34]
In an advisory on January 14, 2010, Microsoft said that attackers targeting Google and other U.S. companies used software that exploits a flaw in Internet Explorer. The vulnerability affects Internet Explorer versions 6, 7, and 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4.[35]
The Internet Explorer exploit code used in the attack has been released into the public domain, and has been incorporated into the
Security company
Researchers have created attack code that exploits the vulnerability in Internet Explorer 7 (IE7) and IE8—even when Microsoft's recommended defensive measure (
Microsoft admitted that the security flaw used had been known to them since September.[22] Work on an update was prioritized[41] and on Thursday, January 21, 2010, Microsoft released a security patch intended to counter this weakness, the published exploits based on it and a number of other privately reported vulnerabilities.[42] They did not state if any of the latter had been used or published by exploiters or whether these had any particular relation to the Aurora operation, but the entire cumulative update was termed critical for most versions of Windows, including Windows 7.
Security researchers continued to investigate the attacks. HBGary, a security company, released a report in which they claimed to have found some significant markers that might help identify the code developer. The company also said that the code was Chinese language based but could not be associated specifically with any government entity.[43]
On February 19, 2010, a security expert investigating the cyber-attack on Google claimed that the people who performed the attack were also responsible for cyber-attacks on several Fortune 100 companies over the preceding year and a half. They also tracked the attack back to its origin, which appeared to be two Chinese schools,
In March 2010,
Google retrospective
On October 3, 2022, Google released a six-episode series on YouTube[49] about the events of Operation Aurora, with commentary from insiders who dealt with the attack, though the series' primary emphasis was to reassure the Google-using public that measures are in place to counter hacking attempts.
See also
- Chinese intelligence activity in other countries
- Chinese Intelligence Operations in the United States
- Cyber-warfare
- Economic and Industrial Espionage
- GhostNet
- Honker Union
- Titan Rain
- Vulcanbot
- MUSCULAR (surveillance program)
References
- ^ a b c d e "A new approach to China". Google Inc. 2010-01-12. Retrieved 17 January 2010.
- ^ Christian Science Monitor. Retrieved 24 February 2013.
- ^ a b "'Aurora' Attacks Still Under Way, Investigators Closing In On Malware Creators". Dark Reading. DarkReading.com. 2010-02-10. Archived from the original on 2010-08-11. Retrieved 2010-02-13.
- ^ "Adobe Investigates Corporate Network Security Issue". 2010-01-12. Archived from the original on 2010-01-14.
- ^ "9 Years After: From Operation Aurora to Zero Trust". Dark Reading. DarkReading.com. 2019-02-20. Retrieved 2020-05-09.
- ^ "Juniper Networks investigating cyber-attacks". MarketWatch. 2010-01-15. Retrieved 17 January 2010.
- ^ "Rackspace Response to Cyber Attacks". Archived from the original on 18 January 2010. Retrieved 17 January 2010.
- ^ "HBGary email leak claims Morgan Stanley was hacked". Archived from the original on March 3, 2011. Retrieved 2 Mar 2010.
- ^ a b Cha, Ariana Eunjung; Ellen Nakashima (2010-01-14). "Google China cyberattack part of vast espionage campaign, experts say". The Washington Post. Retrieved 17 January 2010.
- ^ Hille, Kathrine (2010-01-20). "Chinese media hit at 'White House's Google'". Financial Times. Retrieved 20 January 2010.
- ^ a b Kurtz, George (2010-01-14). "Operation "Aurora" Hit Google, Others". McAfee, Inc. Archived from the original on 11 September 2012. Retrieved 17 January 2010.
- ^ Zetter, Kim (2010-03-03). "'Google' Hackers Had Ability to Alter Source Code". Wired. Retrieved 4 March 2010.
- ^ Clinton, Hillary (2010-01-12). "Statement on Google Operations in China". US Department of State. Archived from the original on 2010-01-16. Retrieved 17 January 2010.
- ^ "Congress to Investigate Google Charges Of Chinese Internet Spying". All Headline News. 13 January 2010. Archived from the original on 28 March 2010. Retrieved 13 January 2010.
- ^ Osnos, Evan (14 January 2010). "China and Google: "Illegal Flower Tribute"". The New Yorker. Retrieved 10 November 2020.
- ^ "Chinese govt seeks information on Google intentions". China Daily. Xinhua. 2010-01-13. Retrieved 18 January 2010.
- ^ Nakashima, Ellen. "Chinese hackers who breached Google gained access to sensitive data, U.S. officials say". WashingtonPost. Retrieved 5 December 2015.
- ^ Riley, Michael; Dune Lawrence (26 July 2012). "Hackers Linked to China's Army Seen From EU to D.C." Bloomberg. Retrieved 24 February 2013.
- ZDNet.
- ^ Anderlini, Jamil (January 15, 2010). "The Chinese dissident's 'unknown visitors'". Financial Times.
- ^ "Microsoft Security Advisory (979352)". Microsoft. 2010-01-21. Retrieved 26 January 2010.
- ^ a b Naraine, Ryan. Microsoft knew of IE zero-day flaw since last September, ZDNet, January 21, 2010. Retrieved 28 January 2010.
- ^ "Protecting Your Critical Assets, Lessons Learned from "Operation Aurora", By McAfee Labs and McAfee Foundstone Professional Services" (PDF). wired.com.
- ^ Zetter, Kim. "'Google' Hackers Had Ability to Alter Source Code". Wired. Retrieved 27 July 2016.
- ^ Paul, Ryan (2010-01-14). "Researchers identify command servers behind Google attack". Ars Technica. Retrieved 17 January 2010.
- ^ Shane, Scott; Lehren, Andrew W. (28 November 2010). "Cables Obtained by WikiLeaks Shine Light Into Secret Diplomatic Channels". The New York Times. Retrieved 28 November 2010.
- ^ Scott Shane and Andrew W. Lehren (November 28, 2010). "Leaked Cables Offer Raw Look at U.S. Diplomacy". The New York Times. Retrieved 2010-12-26.
The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, ...
- ^ US embassy cables leak sparks global diplomatic crisis The Guardian 28 November 2010
- ^ Zetter, Kim (2010-01-14). "Google Hack Attack Was Ultra Sophisticated, New Details Show". Wired. Retrieved 23 January 2010.
- ^ One News (19 January 2010). "France, Germany warn Internet Explorer users". TVNZ. Retrieved 22 January 2010.
- ^ Relax News (18 January 2010). "Why you should change your internet browser and how to choose the best one for you". The Independent. London. Archived from the original on January 21, 2010. Retrieved 22 January 2010.
- ^ "Govt issues IE security warning". ABC (Australia). 19 January 2010. Retrieved 27 July 2016.
- ^ NZ Herald Staff (19 January 2010). "France, Germany warn against Internet Explorer". The New Zealand Herald. Retrieved 22 January 2010.
- ^ Govan, Fiona (18 January 2010). "Germany warns against using Microsoft Internet Explorer". The Daily Telegraph. London. Retrieved 22 January 2010.
- ^ Mills, Elinor (14 January 2010). "New IE hole exploited in attacks on U.S. firms". CNET. Archived from the original on 24 December 2013. Retrieved 22 January 2010.
- ^ "Internet Explorer zero-day code goes public". Infosecurity. 18 January 2010. Retrieved 22 January 2010.
- ^ "Security Labs – Security News and Views – Raytheon – Forcepoint". Retrieved 27 July 2016.
- ^ Keizer, Gregg (19 January 2010). "Hackers wield newest IE exploit in drive-by attacks". Retrieved 27 July 2016.
- ^ a b "Security Labs – Security News and Views – Raytheon – Forcepoint". Retrieved 27 July 2016.
- ^ Keizer, Gregg (19 January 2010). "Researchers up ante, create exploits for IE7, IE8". Computerworld. Retrieved 22 January 2010.
- ^ "Security – ZDNet". Retrieved 27 July 2016.
- ^ "Microsoft Security Bulletin MS10-002 – Critical". Microsoft. Retrieved 27 July 2016.
- ^ "Hunting Down the Aurora Creator". TheNewNewInternet. 13 February 2010. Retrieved 13 February 2010.(Dead link)
- ^ Markoff, John; Barboza, David (18 February 2010). "2 China Schools Said to Be Tied to Online Attacks". New York Times. Retrieved 26 March 2010.
- ^ "Google Aurora Attack Originated From Chinese Schools". itproportal. 19 February 2010. Retrieved 19 February 2010.
- ^ Areddy, James T. (4 June 2011). "Chefs Who Spy? Tracking Google's Hackers in China". Wall Street Journal – via www.wsj.com.
- ^ University, Jiao Tong. "Jiao Tong University - 【Shanghai Daily】Cyber expert slams "spy" report". en.sjtu.edu.cn. Archived from the original on 2019-11-29. Retrieved 2013-06-26.
- London Sunday Times, March 28, 2010.
- ^ "HACKING GOOGLE - YouTube". www.youtube.com. Retrieved 2022-10-03.
External links
- Google China insiders may have helped with attack news.cnet.com
- Operation Aurora – Beginning Of The Age of Ultra-Sophisticated Hack Attacks! Sporkings.com January 18, 2010
- In Google We Trust: Why the company's standoff with China might change the future of the Internet. Rafal Rohozinski interviewed by Jessica Ramirez of Newsweek, January 29, 2010
- Recent Cyber Attacks – More than what meets the eye? Sporkings.com February 19, 2010
- ‘Google’ Hackers Had Ability to Alter Source Code Wired.com March 3, 2010
- 'Aurora' code circulated for years on English sites Where's the China connection?
- Gross, Michael Joseph, "Enter the Cyber-dragon", Vanity Fair, September 2011.
- Bodmer, S., Kilger, M., Carpenter, G., & Jones, J. (2012). ISBN 978-0-07-177249-5
- The Operation Aurora Internet Explorer exploit – live!
- McAfee Operation Aurora Overview
- Operation Aurora Explained by CNET