Operation Aurora

The Hack

In 2009, around Christmas time, something terrible was lurking in the network at Google. Google is the most popular website on the Internet. It’s so popular many people just think Google is the Internet. Google hires many of the most talented minds and has been online since the 90s. Hacking into Google is no easy task. There’s a team of security engineers who test and check all the configurations on the site before they go live. And Google has teams of security analysts and technicians watching the network 24/7 for attacks, intrusions, and suspicious activity. Security plays a very vital role at Google, and everything has to have the best protections. But this attack slipped past all that. Hackers had found their way into the network. They compromised numerous systems, burrowed their way into Google’s servers, and were trying to get to data they shouldn’t be allowed to have. Google detected this activity. And realized pretty quickly they were dealing with an attack more sophisticated than anything they’ve ever seen.

Once Google detected the attack, they were able to stop it pretty quickly and clean it off the network. On January 12 2010 Google made a blog post telling everyone about the attack. They said this attack was more sophisticated than any other attack they’ve seen. The virus that was used was not detected by any antivirus software, so McAfee, an antivirus company, got a copy of the malware and began studying it.

Hours after the blog post from google, another blog post showed up. This one form Adobe, the makers of Photoshop and pdf readers. Adobe admitted that they too got hacked over the winter holidays. And after that, it was clear that even more companies were hit by this attack at the same time. Morgan Stanley, Yahoo, Rackspace, Microsoft, Juniper networks, and DOW chemical to name a few. Google had detected that over 20 companies were victim to this same attack. And some reports said as high as 200 companies were attacked.

Something big was going on. The victims companies, security companies, and law enforcement all began a full investigation.

Analysis of attacks/fixes After looking through logs and analyzing the malware, researchers learned exactly how the attack took place. When McAfee did their reverse engineering on this malware they found that when the hacker had executed the attack, they ran it out of a folder called Aurora. Because the attacker had their malware that folder, McAfee called this attack “Operation Aurora”.

Here is how the hackers got in.

First they would pick their target, an employee of the company they want to attack. Even better if they could find a developer or someone with extra access to the network.

Then they would research that person, figure out what their email address is, who they talk to, and what some of those emails look like between the two.

Then the would send a phishing email to the target. This isn’t some stupid looking email from the prince of Nigeria telling you about a large inheritance. This one is much much more clever. Because the hackers have done research on the target they know exactly what some emails look like from people who already send them emails. So they spoof an email to look like it came from that co-worker, and it looked like an important email from them with a link to click.

These emails are so well crafted that it would be very hard for even a seasoned security expert to detect. So the victim clicks the link, which takes them to a website that has malware on it. No big deal though, the victim has patched their Internet Explorer browser so the malware shouldn’t have any effectiveness. But here is where things start to get more serious. The malware was not known to Microsoft, so it was still able to exploit a fully patched Internet Explorer. It was using what is known as a zero day exploit. It’s called a zero day because that’s the number of days that Microsoft has been aware of this exploit. Since Microsoft wasn’t aware of it, the exploit worked. When the victim visited the malicious website, it executed some commands on the victim’s computer.

The commands sent to the victim’s computer were to download a program and run it. And here is where things get even more sophisticated. The program that was downloaded and ran was a trojan. And it was also a brand new freshly made trojan. So it bypassed any antivirus software and was able to infect a fully patched version of windows. This trojan was very sophisticated too. The encryption was strong and it was stealthy. The trojan opened up a tunnel back to the hackers so they can now control the victim’s computer. And it was designed to look like regular web traffic. And all this would happen within seconds of someone clicking the link.

What makes this attack so sophisticated? Google gets attacked all day every day. But most are people trying to use well known exploits. Something you can learn by watching a youtube video or reading a blog post. This attack used multiple exploits that weren’t known, and that’s rare to see attacks that use zero day exploits. So the attackers either had a lot of money to buy these zero day exploits, or have a research and development team to help them make them. The other scary part of this is how much research the attackers did on their victims before sending the emails in hopes they would click on it. And it appears the attackers specifically picked Christmas and New Years holidays to attack knowing there would be a skeleton crew defending the network at that time.

These advanced methods, and techniques the attackers used isn’t new. Governments see very sophisticated attacks like this fairly often. Banking industries and utility companies do too. But commercial businesses have never seen an attack this advanced waged against them. This would forever change the threat landscape for commercial companies.

What Did the Hackers Get?

Google looked further into the logs and tried to trace where this attacker went, and what their were trying to do. They saw the attackers were trying to access two specific pieces of data.

First was access to GMail accounts. It’s presumed the attackers wanted to read someone’s emails. But not just anyone’s email, specifically human rights activists emails. But not just any human rights activists emails, they were after Chinese human rights activists GMail accounts. Whoever had done this attack really wanted to see what these people were planning and organizing around the China human rights movement. But when Google looked more closely at these accounts they noticed another connection. All of the accounts that were attempted to be access all had court orders. United states law enforcement had requested access to these specific GMail accounts, and the attackers were also looking at those exact same accounts. This is really odd, and has baffled a lot of people as to why someone would be trying to get into GMail accounts of Chinese human rights activists that have already been subject to court orders. Perhaps this was some government espionage, or a way to check how much the government can see into GMail accounts. Google was able to stop the attackers from seeing any emails. The attackers were only able to tell when the accounts was created.

The second piece of data the attackers were after in Google was their source code. Google is a company that makes software. Usually they don’t want anyone to see the source code to it because that’s intellectual property. If someone had the source code they could create a competing site, or find bugs in the source code to exploit later. So the source code needs to be kept in a secure location. Source code is often kept using git, but for larger and more secure companies, it’s stored in what’s called software configuration management systems. Some of these are Perforce, Concurrent Versions Systems, Microsoft VIsual Source Safe, and IBM rational. At Google, their source code was kept in Perforce, but as they researched this attack, they found numerous problems with Perforce. The attacker knew exactly where the Perforce servers were, and used yet another unknown bug to get into Perforce. But that may have mattered. After this attack McAfee looked into Perforce and found it to be insecure by default. McAfee found the following problems in Perforce. Anyone can go and create their own user account. No need for an admin to set one up for you. Passwords are unencrypted. It’s easy to gather data in Perforce without any privileges. All communication to Perforce is unencrypted. It’s easy to bypass authentication altogether. Its prone to directory traversal attacks. And all files are stored in clear text too.

It’s unknown how Perforce was set up within Google, but it’s clear that it takes a lot of work to lock it down and secure it, and even then it’s not very secure. The attackers had a strong knowledge of Perforce specifically and once they were in the Google network, they were able to easily access Perforce and take some source code from Google. Possibly the source code to the Chrome browser.

The other companies that were also compromised by this attack did not give details as to what was taken or accessed, but it’s speculated that the source code was the target for them too. Sophisticated attacks like this often work in stages. So it’s possible the attackers were just gathering information in this attack to be used in a bigger attack later. For instance if they had the source code for how Adobe handles PDFs, they could find new ways to create malicious PDFs they can use to send to a totally different company to gain access to that.

Upon discovering these vulnerabilities, Microsoft issued emergency patches for their browser and operating system. And McAfee antivirus created new signatures to detect these attacks as well.

It’s interesting that so many companies were attacked with the same exploit all at once. Once the aurora exploit was known, companies could patch and detect it. So it appears this hacker group was attacking as many places as it could and sort of letting this exploit become known in the process. But it also indicates that an attack at this scale would require dozens of people to conduct it. A team to develop the exploit, a team to do research on the attack, and a team to conduct the attack and remotely access the source code repositories of various companies.

Further analysis of this attack and trojan revealed more information. The backdoor tunnel that was created was connecting to two IPs in Taiwan. And the attacks were also see coming from two different schools in China. Shanghai Jiaotong University and the Lanxiang Vocational School. Both of these schools are legitimate, well established, and respectable. If you go there, you see students walking around campus and it looks like an average school. The school might not have anything to do with this, as the hackers could have simply used the school to do their attacks to screen where they were actually from.

History of Google, China, and US Government

Because this was a major incident hitting dozens of US companies, the FBI and US government began investigating the attacks.

It’s really difficult to figure out who conducted a cyber attack because of how anonymous and hidden you can be on the internet. A few pieces of information began to add up though. The attackers wanted into the email accounts of Chinese human rights activists, the attacks originated from 2 schools in china, and the malware had used a checksum algorithm that is only used in china. Rumors started to circulate that China was likely behind this attack.

As the US government investigated, Secretary of State, Hilary Clinton addressed the media.

Some news outlets were even taking this a step further.

News media: “It’s basically an act of war, especially if it’s tied to a government, it’s an act of war.””

The Chinese foreign ministry spokesperson said publicly: Blaming China is unacceptable. The Chinese gov places great importance on computer and internet security, and controls the internet according to law, and demands that internet users respect relevant laws and regulations when using the internet.

As Google investigated this more, they became more certain that China was behind this. An attack with this level of sophistication hitting this many companies at once had to be done by a group that’s very advanced. They must have had dozens of people working on this attack, were well funded, and were given extra privileges on China’s internet infrastructure. This isn’t the work of some amateurs, or even Google competitors. This was far more advanced, with far more capabilities.

China has very strict internet censorship laws. They block their citizens from visiting sites like Twitter, Facebook, Pinterest, most porn site, YouTube, and yes even Google. Google wanted to have a presence in China since it’s the country with the largest population in the world. So in 2006, Google wanted to work with China to set up a Google.cn website within China, a version of Google that wouldn’t be blocked. China’s government said they would allow it only if Google would censor certain things, so Google agreed. If you go on to Google.cn and search for something like Tienanmen square protest, you get no results. China is very strict at censoring certain information from getting to their citizens. Another thing china censors online is Winnie the Pooh. Apparently some people make fun of the president of China by saying he looks like Winnie the Pooh. This upset the president, So that search term is now banned within China.

The Google executives in the US weren’t happy with this censoring but did it anyways so they could have a presence in China. But when these attacks in 2010 took place, Google became fed up with China and decided to shut down Google.cn all together. They redirected all the site traffic to google.com.hk which is a version of Google for Hong Kong. Hong Kong maintains a separate political system apart from China. And this version of Google did not sensor the stuff China wanted censored. So now when someone within China wanted to search for Tienanmen square protests or Winnie the Pooh, they will see results.

A few months after that, China blocked it’s people from being able to get to all Google sites including google.com.hk. According to the website greatfire.org, china has been blocking Google ever since. The major search engine that is used in China is called Baidu. Which if you search for Tienanmen square protests there you see stories about how the protests are a myth and didn’t happen.

Ever since Operation Aurora, Google and many other have had to step up their defenses knowing that more sophisticated attacks can hit even commercial companies. This attack changed how we see our adversaries when defending these networks.

Could This Be Linked to a Bigger Hacker Group?

Security researchers at Symantec, Dell Secureworks, and Crowdstrike dove further into operation Aurora to try to understand the group behind the attacks. When Symantec investigated the malware further, they found the code frequently used a variable with the name Elderwood. So they called this hacking group, Elderwood. Crowdstrike came up with a different name which was Sneaky Panda, and Dell called them the Beijing Group. I like Elderwood the most, so let’s just stick with that one.

Security researchers created a big list of everything that’s known about Operation Aurora and started building a dossier on the Elderwood group. For years after this attack, researchers would examine other big hacks and breaches to try to find if there’s any connection with the Elderwood hacking group. Some connections were made. Either the same trojan was used, or same command and control servers were used, or comments in the code were similar. In the 3 years after Operation Aurora, the Elderwood group was suspected to be behind 7 attack campaigns, and each campaign resulted in numerous companies being hacked.

The next attack they conducted used a zero day exploit in Adobe Flash. This is really interesting because during Operation Aurora they hacked into Adobe. So we can speculate that they probably did take the source code for Flash from Adobe and used it to build new exploits. Because if you have the source code, it’s much easier to find a vulnerability. In fact they had 5 unique zero day exploits for Adobe Flash and were able to breach many other companies with these attacks. This group had immense capabilities. They seemed to be growing more powerful over time, stealing more source code from places like Google, Adobe, Oracle and Microsoft, and building more zero day exploits with them. It seemed like the Elderwood hacking group had an endless amount of zero day exploits they can use.

Hacking using zero day exploits is not actually that common. In 2011 there were only 8 reported breaches that used a zero day exploit in the attack. But 4 of those were attacks from the Elderwood group. So you can see how this group was dominating the hacking scene.

What else is strange about the Elderwood group is that they have this uncanny ability to know when one of their zero-day exploits was discovered or fixed. When they get wind that it’s going to be patched they burn their zero day and use it to hack multiple places at once to try to get the most out of it one last time. They may have access to the internal bug tracking tools within Google Microsoft and Adobe, or they may have someone inside tipping them off.

After Operation Aurora, the Elderwood group changed their initial entry tactics. Instead of getting people to click on a phishing email, they used what’s known as a watering hole attack. They would hack into a popular website, put malware on it, then wait for users to visit the site and become infected. As soon as the victim’s computer is infected, the hacking group would then have access to the victim’s computer.

They also changed their targets. While attacking Microsoft, Google, and Adobe will help them find new exploits, that doesn’t look like their primary objective. They seem to be most interested in gaining access to defense companies. Companies such as Lockheed Martin, Raytheon, Boeing, and General Dynamics to name a few. These companies supply tanks, weapons, and planes to the US military. They presumably want access to these companies to gain information on the latest weapons and military technology. And maybe also to get a glimpse into what the US military has in stock. This would certainly be valuable information for a superpower like China.

But the Elderwood group doesn’t attack these companies directly, instead they are almost always seen hacking into suppliers and 3rd party companies that deal directly with the top tier defense companies. And they are also seen hacking into the suppliers of the suppliers. Because if they can infect the supply chain, and that software gets used by a defense company, it is just as good as hacking into the defense company. And it’s easier and sneakier.

So Elderwood would possibly study all the parts that are used in a specific weapon, tank, or plane. Then figure out which companies supply those parts or software. Then figure out what websites those companies visit to do their work. One website they infected was the Center for Defense Information in Washington DC. This is a non-profit organization that posts information on military matters. People who visit the site are likely to be military or those working in the defense industry. Even if it’s a 3rd party to a contractor, infecting them can be very valuable. From there you can implant malware into software that will go to another company and you can infect that company next.

Details aren’t given as to what companies were specifically hit by Elderwood. Symantec doesn’t release that information and those companies that are breached aren’t always required to publicly disclose it. So all we can tell from Symantec is the way the attacks happened and what types of companies were targeted.

The second biggest target for the Elderwood group are human rights organizations. It’s suspected that this same group that did Operation Aurora in 2010 also were responsible for placing a zero day flash malware on the website for Amnesty International Hong Kong. So users who visit the site would become infected, and this group could then access their computers and see anything they wanted to on that person’s computer. Other sites that had zero day malware on it were the International Institute for Counter Terrorism, and the Cambodian Institute of Foreign Affairs. Users who visited those websites in May of 2012 had a high likelihood of being infected and having their systems controlled by the Elderwood group.

Some researchers believe that there must be hundreds if not thousands of people working for this group. There would be a team of developers to comb through the stolen source code to develop exploits. Then there’s a team to gather information on the targets and do open source intelligence gathering. Then there’s a team that put together the attacks and plan ways to get into places. Then there’s a team to conduct the attacks and sit there waiting for infected machine to show up. Then there are people talented at knowing certain software to be able to grab the data they need and navigate around. Then there’s a team of analysts to make sense of the data once it’s stolen. There also must be numerous interpreters, spies, website developers, instructors, labs, and commanders. The elderwood group is well funded, highly trained, and very advanced. A group like this doesn’t just show up over night. I suspect they have probably been working for years if not decades before being discovered like this. But still we can only guess as to who they are based on the footprints they leave.

Research papers have been published outlining the tactics, techniques, and procedures the elderwood group uses. And since then it appears they have changed their tactics to avoid being connected. Some researchers also believe they have broken up into smaller groups specifially designed for certain attacks, such as spying on people or hacking into certain sectors. The hacking activity we continue to see from China today remains to be one of the most advanced and persistent in the world.

In 2015, US president Barak Obama and Chinese President Xi Jinping met to discuss cyber attack diplomacy. And an agreement was made between the two.

This agreement was likely a direct result from the project Aurora attacks. And again in 2017 US president Donald Trump and Chinese President Xi Jinping met at mar-a-lago and renewed the same truce that neither country would attack commercial sectors to steal intellectual property for commercial gain.

Personally I don’t think this truce has much value as both countries continue to do what they can to gather details from each other. And hacking into commercial companies to steal source code to develop new vulnerabilities is simply a part of that process. For instance China had been linked to a virus found in ccleaner, a popular windows cleanup tool. Which that attack got them access to data at Microsoft and Google. China denied it’s involvement but even if it did admit to it, they could say the data stolen wasn’t used for commercial gain. So the agreement between the two is weak and unenforceable.

Now that we know the Elderwood hacking group is capable of targeting the commercial sector now, companies should take this as a cautionary tale, especially companies that supply to defense contractors. If this attacking group knows that defense company uses your product, they might try hacking you to get into the defense company, because it’s easier and sneakier. So by taking on a defense company as a client significantly increases your threat landscape.

This is the modern day arms race. Foreign countries will continuously be trying to hack into our government and defense companies to gather as much intelligence as they can. At the same time our government is also trying to gather information about foreign governments by hacking them as well. This makes it difficult to understand government. The NSA won’t report bugs to the vendor to help us all become more secure. Instead, if the NSA finds an unknown bug, they’ll keep it to be used it in potential cyber attacks. Because they need to be one step ahead of the enemy. So we are seeing the US and foreign governments are keeping zero-day exploits just for themselves. Governments hacking into other governments or companies in other countries is now becoming the new normal. Spyware vs spyware. Ghosts in the wires. Cyber patriots. This is the current battlefront that is secret, and hidden from all of us, until something goes wrong, or gets sloppy, or until someone wants us to see something.

Podcast Recommendation

Want another great podcast to listen to? Try Twenty Thousand Hertz. Start with the episode Ultrasonic Tracking.

Twenty Thousand Hertz


To read more about how Google operates and how they handled this situation internally, read the book In the Plex by Steven Levy.

Music Attribution

Theme music for this show was created by Breakmaster Cylinder.

Additional music by Epidemic Sound.

“Monkeys Spinning Monkeys” by Kevin MacLeod Licensed under Creative Commons: By Attribution 3.0 License.