The Full Wiki

Operation Aurora: Wikis


Note: Many of our articles have direct quotes from sources you can cite, within the Wikipedia article! This article doesn't yet, but we're working on it! See more info or our list of citable articles.


From Wikipedia, the free encyclopedia

Operation Aurora is a cyber attack which began in mid-December 2009 and continued into February 2010.[1] The attack was first publicly disclosed by Google on January 12 in a blog post.[2] In the blog post, Google said the attack originated in China.

The attack has been aimed at dozens of other organizations, of which Adobe Systems,[3] Juniper Networks[4] and Rackspace[5] have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman and Dow Chemical[6] were also among the targets.

As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all", and acknowledged that if this is not possible it may leave China and close its Chinese offices.[2] Official Chinese media responded stating that the incident is part of a U.S. government conspiracy.[7]

The attack was named "Operation Aurora" by Dmitri Alperovitch, Vice President of Threat Research at cyber security company McAfee. Research by McAfee Labs discovered that “Aurora” was part of the file path on the attacker’s machine that was included in two of the malware binaries McAfee said were associated with the attack. "We believe the name was the internal name the attacker(s) gave to this operation," McAfee Chief Technology Officer George Kurtz said in a blog post.[8]

According to McAfee, the primary goal of the attack was to gain access to and potentially modify source code repositories at these high tech, security and defense contractor companies. “[The SCMs} were wide open,” says Dmitri Alperovitch, McAfee’s vice president for threat research. “No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting."[9]



On January 12, 2010, Google in an unusual move revealed on its blog that it had been the victim of a cyber attack. The company said the attack occurred in mid-December and originated from China. Google stated that over 20 other companies had been attacked, other sources have since cited that more than 34 organizations were targeted.[6] As a result of the attack, Google said it was reviewing its business in China.[2] On the same day, U.S. Secretary of State Hillary Clinton issued a brief statement condemning the attacks and requesting a response from China.[10]

On January 13, 2010, the news agency AHN reported that the U.S. Congress plans to investigate Google's allegations that the Chinese government used the company's service to spy on human rights activists.[11]

In Bejing, visitors left flowers outside of Google's office. However, these were later removed, with a Chinese security guard stating that this was an "illegal flower tribute".[12] The Chinese government has yet to issue a formal response, although an anonymous official stated that China is seeking more information on Google's intentions.[13]

Attack analysis

In its blog posting, Google stated that some of its intellectual property had been stolen. It suggested that the attackers were interested in accessing Gmail accounts of Chinese dissidents. According to the Financial Times, two accounts used by Ai Weiwei had been hacked, their contents read and copied; his bank accounts were investigated by state security agents who claimed he was under investigation for "unspecified suspected crimes".[14] However, the attackers were only able to view details on two accounts and those details were limited to things such as the subject line and the accounts' creation date.[2]

Security experts immediately noted the sophistication of the attack.[8] Two days after the attack became public, McAfee reported that the attackers had exploited zero-day vulnerabilities (unfixed and previously unknown to the public) in Internet Explorer and dubbed the attack "Operation Aurora". A week after the report by McAfee, Microsoft issued a fix for the issue,[15] and admitted that they had known about the security hole used since September.[16] VeriSign's iDefense Labs claimed that the attacks were perpetrated by "agents of the Chinese state or proxies thereof".[17]

Once a victim's system was compromised, a backdoor connection that masqueraded as an SSL connection made connections to command and control servers running in Illinois, Texas, and Taiwan, including machines that were running under stolen Rackspace customer accounts. The victim's machine then began exploring the protected corporate intranet that it was a part of, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories.

The attacks were thought to have definitively ended on Jan 4 when the command and control servers were taken down, although it is not known at this point whether or not the attackers intentionally shut them down.[18] However, the attacks were still occurring as of February 2010.[1]

Response and aftermath

Flowers left outside Google China's headquarters after its announcement it may leave the country.

The German, Australian, and French governments publicly issued warnings to users of Internet Explorer after the attack, advising them to use alternative browsers at least until a fix for the security hole was made.[19][20][21] The German, Australian, and French governments consider all versions of Internet Explorer vulnerable or potentially vulnerable.[22][23]

In an advisory on January 14, 2010, Microsoft said that attackers targeting Google and other U.S. companies used software that exploits a hole in Internet Explorer. The vulnerability affects Internet Explorer versions 6, 7, and 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4.[24]

The Internet Explorer exploit code used in the attack has been released into the public domain, and has been incorporated into the Metasploit penetration testing tool. A copy of the exploit was uploaded to Wepawet, a service for detecting and analyzing web-based malware operated by the computer security group at the University of California, Santa Barbara. "The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," said George Kurtz, CTO of McAfee, of the attack. "The now public computer code may help cyber criminals craft attacks that use the vulnerability to compromise Windows systems."[25]

Security company Websense said it identified "limited public use" of the unpatched IE vulnerability in drive-by attacks against users who strayed onto malicious Web sites.[26] According to Websense, the attack code it spotted is the same as the exploit that went public last week. "Internet Explorer users currently face a real and present danger due to the public disclosure of the vulnerability and release of attack code, increasing the possibility of widespread attacks," said George Kurtz, chief technology officer of McAfee, in a blog update Sunday.[27] Confirming this speculation, Websense Security Labs identified additional sites using the exploit on January 19.[28] According to reports from Ahnlab, the second URL was spread through the Instant Messenger network Misslee Messenger, a popular IM client in South Korea.[28]

Researchers have created attack code that exploits the vulnerability in Internet Explorer 7 (IE7) as well as in the newest IE8—even when Microsoft's recommended defensive measure (Data Execution Prevention (DEP)) is turned on. This piece of information proves that IE6 isn't the only version that is vulnerable and that upgrading to IE7 or IE8 could prove to be futile especially if one is running XP or only upgrading to IE7. According to Dino Dai Zovi, a security vulnerability researcher, "even the newest IE8 isn't safe from attack if it's running on Windows XP Service Pack 2 (SP2) or earlier, or on Windows Vista RTM (release to manufacturing), the version Microsoft shipped in January 2007."[29]

Microsoft admitted that the security hole used had been known to them since September.[16] Work on an update was prioritized[30] and on Thursday, January 21, 2010, Microsoft released a security patch aiming to counter this weakness, the published exploits based on it and a number of other privately reported vulnerabilities.[31] They did not state if any of the latter had been used or published by exploiters or whether these had any particular relation to the Aurora operation, but the entire cumulative update was termed critical for most versions of Windows, including Windows 7.

Security researchers have continued to investigate the attacks. HBGary, a security firm, recently released a report in which they claim to have found some significant markers that might help identify the code developer. The firm also said that the code was Chinese language based but could not be specifically tied to any government entity.[32]

On February 19th 2010, a security expert investigating the cyber-attack on Google, has claimed that the people behind the attack were also responsible for the cyber-attacks made on several Fortune 100 companies in the past one and a half years. They have also tracked the attack back to its point of origin, which seems to be two Chinese schools. As highlighted by The New York Times, both these schools have ties with the Chinese search engine Baidu, a rival of Google China.[33]

See also


  1. ^ a b "'Aurora' Attacks Still Under Way, Investigators Closing In On Malware Creators". Dark Reading (TechWeb). 2010-02-10. Retrieved 2010-02-13. 
  2. ^ a b c d "A new approach to China". Google Inc.. 2010-01-12. Retrieved 17 January 2010. 
  3. ^ "Adobe Investigates Corporate Network Security Issue". 2010-01-12. Retrieved 17 January 2010. 
  4. ^ "Juniper Networks investigating cyber-attacks". MarketWatch. 2010-01-15. Retrieved 17 January 2010. 
  5. ^ "Rackspace Response to Cyber Attacks". Retrieved 17 January 2010. 
  6. ^ a b Cha, Ariana Eunjung; Ellen Nakashima (2010-01-14). "Google China cyberattack part of vast espionage campaign, experts say". The Washington Post. Retrieved 17 January 2010. 
  7. ^ Hille, Kathrine (2010-01-20). "Chinese media hit at ‘White House’s Google’". Financial Times.,Authorised=false.html. Retrieved 20 January 2010. 
  8. ^ a b "Operation “Aurora” Hit Google, Others". McAfee, Inc.. 2010-01-14. Retrieved 17 January 2010. 
  9. ^ "‘Google’ Hackers Had Ability to Alter Source Code". Wired. 2010-03-03. Retrieved 4 March 2010. 
  10. ^ Clinton, Hillary (2010-01-12). "Statement on Google Operations in China". US Department of State. Retrieved 17 January 2010. 
  11. ^ "Congress to Investigate Google Charges Of Chinese Internet Spying". AHN. 13 January 2010. Retrieved 13 January 2010. 
  12. ^ Robertson, Matthew (2010-01-14). "Flowers Laid, and Removed, at Google Headquarters in China". The Epoch Times. Retrieved 18 January 2010. 
  13. ^ "Chinese govt seeks information on Google intentions". Xinhua (China Daily). 2010-01-13. Retrieved 18 January 2010. 
  14. ^ Anderlini, Jamil (January 15 2010). "The Chinese dissident’s ‘unknown visitors’". Financial Times. 
  15. ^ "Microsoft Security Advisory (979352)". Microsoft. 2010-01-21. Retrieved 26 January 2010. 
  16. ^ a b Naraine, Ryan. Microsoft knew of IE zero-day flaw since last September, ZDNet, January 21, 2010. Retrieved 28 January 2010.
  17. ^ Paul, Ryan (2010-01-14). "Researchers identify command servers behind Google attack". Ars Technica. Retrieved 17 January 2010. 
  18. ^ "Google Hack Attack Was Ultra Sophisticated, New Details Show". Wired. 2010-01-14. Retrieved 23 January 2010. 
  19. ^ One News (19 January 2010). "France, Germany warn Internet Explorer users". TVNZ. Retrieved 22 January 2010. 
  20. ^ Relax News (18 January 2010). "Why you should change your internet browser and how to choose the best one for you". The Independent. Retrieved 22 January 2010. 
  21. ^
  22. ^ NZ Herald Staff (19 January 2010). "France, Germany warn against Internet Explorer". The New Zealand Herald. Retrieved 22 January 2010. 
  23. ^ Govan, Fiona (18 January 2010). "Germany warns against using Microsoft Internet Explorer". The Daily Telegraph. Retrieved 22 January 2010. 
  24. ^ Mills, Elinor (14 January 2010). "New IE hole exploited in attacks on U.S. firms". CNET. Retrieved 22 January 2010. 
  25. ^ "Internet Explorer zero-day code goes public". Infosecurity. 18 January 2010. Retrieved 22 January 2010. 
  26. ^
  27. ^
  28. ^ a b
  29. ^ Keizer, Gregg (19 January 2010). "Researchers up ante, create exploits for IE7, IE8". Computerworld. Retrieved 22 January 2010. 
  30. ^
  31. ^
  32. ^ "Hunting Down the Aurora Creator". TheNewNewInternet. 13 February 2010. Retrieved 13 February 2010. 
  33. ^ "Google Aurora Attack Originated From Chinese Schools". itproportal. 19 February 2010. Retrieved 19 February 2010. 

External links

Internet video

Got something to say? Make a comment.
Your name
Your email address