Episode Show Notes

JACK: [MUSIC] In 2009, around Christmastime, something terrible was lurking in the network at Google. Google is the most popular website on the internet. It’s so popular that many people just think Google is the internet. Google hires many of the most talented minds and has been online since the 90s. Hacking into Google is practically impossible. There is a team of security engineers who test and check all the configurations of the site before they go live, and Google has teams of security analysts and technicians watching the network 24/7 for attacks, intrusions, and suspicious activity. Security plays a vital role at Google and everything has to have the best protections, but this attack slipped past all that. Hackers had found a way into the network. They compromised numerous systems, burrowed their way deep into Google’s servers, and were trying to get data that they shouldn’t be allowed to have. Google detected this activity and realized pretty quickly they were dealing with an attack more sophisticated than anything they’d ever seen.

JACK (INTRO): [MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: Once Google detected the attack they were able to stop it pretty quickly and clean it off the network. On January 12th, 2010, Google made a blog post telling everyone about the attack. They said this attack was more sophisticated than any attack they’d seen. The virus that was used was not detected by any antivirus software, so McAfee, an antivirus company, got a copy of the malware and began studying it. [MUSIC] Hours after the announcement from Google, another company posted another announcement, this one from Adobe, the makers of Photoshop and PDF readers.

Adobe admitted that they too got hacked over the winter holidays. After that it was clear that even more companies were hit by this attack at the same time; Yahoo, Rackspace, Microsoft, Juniper Networks, and Dow Chemical to name a few. Google had detected that over twenty companies were victims of this attack. Some reports said as many as two hundred companies were attacked. Something big was going on. The victim companies, security companies, and law enforcement all began a full investigation. After looking through logs and analyzing the malware, researchers learned exactly how the attack took place. When McAfee reverse-engineered the malware they found that when the hacker executed the attack they ran it out of a folder called Aurora.

Because the attacker had their malware in that folder, McAfee called this attack Operation Aurora. Here’s how the hackers got in; first they would pick their target, an employee of a company they want to attack, even better if they can find a developer or someone with extra access to the network. Then they would research that person, figure out what their e-mail address is, who they talk to, and what some of those e-mails look like between the two of them. Then they would send a phishing e-mail to the target. This isn’t some stupid-looking e-mail from the Prince of Nigeria telling you you have a large inheritance. This one is much, much more clever. The hackers knew who that person would e-mail normally and what those e-mails would look like, so the hacker spoofed an e-mail to make it look like it came from that co-worker and made it look like an important e-mail that wanted them to click a link.

These e-mails were so well-crafted that it would be very hard for even a seasoned security expert to detect them. The victims clicked the link, which takes them to a website that has malware on it. No big deal though, because the victim has patched their Internet Explorer browser, so [00:05:00] the malware shouldn’t have any effectiveness, but here’s where things start to get more serious. The malware was not known by Microsoft, so it was still able to exploit a fully-patched Internet Explorer. It was using what’s known as a zero-day exploit. It’s called a zero-day because that’s how many days Microsoft has been aware of this exploit. Since Microsoft wasn’t aware of it, the exploit worked.

When the victim visited the malicious website it executed some commands on the victim’s computer. The commands that were sent to the victim’s computer downloaded a program and ran it. Here’s where things get even more sophisticated; the program that was downloaded and run was a Trojan, and it was a brand new, freshly-made Trojan, so it bypassed any antivirus software and it was able to infect a fully-patched version of Windows. This Trojan was very sophisticated, too. The encryption was strong and it was stealthy. This Trojan opened up a tunnel back to the hackers so they could control the victim’s computer. It was designed to look like regular web traffic. All this would happen within seconds of someone clicking the link.

What makes this attack so sophisticated? Google gets attacked all day, every day but most of the people attacking Google are using well-known exploits, something you can learn by watching a YouTube video or reading a blog post. This attack was using multiple exploits that weren’t known to anyone and it’s rare to see attacks that use zero-day exploits. The hackers either had a lot of money to buy these zero-day exploits or they had a research and development team to help them make it. The other scary part is how much research the attackers did on their victims before sending them e-mails in the hopes they would click on it. It appears the attackers specifically picked Christmas and New Year’s holidays to attack, knowing that it would be a skeleton crew defending the network at that time.

These advanced methods and techniques the hackers used aren’t new. The government sees sophisticated attacks like this fairly often. Banking industries and utility companies do too, but commercial businesses had never seen an attack this advanced waged against them. This would forever change the threat landscape for commercial companies. Google looked further into the logs and tried to trace where the attacker went and what they were trying to do. They saw the attackers were trying to access two specific pieces of data; first was access to Gmail accounts. It’s presumed the attackers wanted to read someone’s e-mails, but not just anyone’s e-mails, specifically human rights activists’ e-mails. But not just any human rights activists’ e-mails; they were after Chinese human rights activists’ Gmail accounts.

Whoever did this attack really wanted to see what those people were planning and organizing around China’s human rights movement. But when Google looked more closely at these accounts they noticed another connection. All of the accounts the attackers attempted to access had court orders. United States law enforcement had requested access to those specific Gmail accounts, and these attackers were looking at those same exact accounts. This was really odd and has baffled a lot of people as to why someone would be trying to get into Gmail accounts of Chinese human rights activists that have already been subject to court orders. Perhaps this was some government espionage or a way to check how much the government can see into Gmail accounts. Google was able to stop the attackers from seeing any e-mails. The attackers were only able to tell when the account was created.

The second piece of data the attackers were after in Google was their source code. Google is a company that makes software, and usually they don’t want anyone to see the source code to it because that’s intellectual property. If someone had the source code they could create a competing site or find bugs in the source code to exploit later. The source code needs to be kept in a secure location. Source code is often kept in something like Git, but for large companies it’s stored in what’s called Software Configuration Management Systems. Companies that make this kind of software are Perforce, Concurrent Versions System, Microsoft Visual SourceSafe, and IBM Rational. At Google, their source code was kept in Perforce, but as they researched this attack they found numerous problems with Perforce. The attackers knew exactly where the Perforce servers were and used yet another unknown bug to get into Perforce.

But that may not have mattered. After this attack McAfee looked into Perforce and found it to be insecure by default. McAfee found the following problems in Perforce; anyone can go and create their own user account, no need for an admin to set one up for you. The passwords are unencrypted. It’s easy to gather data on Perforce without any privileges. All communication to Perforce is unencrypted. It’s easy to bypass authentication altogether, it’s prone to directory traversal attacks, and all files are stored in clear text. It’s unknown how Perforce was set up in Google, but it’s clear that it takes a lot of work to lock it down and secure it. Even then, it’s not very secure. These attackers had a strong knowledge of Perforce, and once they were in Google’s network they were able to easily access Perforce and take some of the source code from Google, possibly the source code for the Chrome browser.

[00:10:00] The other companies that were also compromised by this attack did not give any details as to what was taken or accessed, but it’s speculated that the source code was targeted for them, too. Sophisticated attacks like this often work in stages, so it’s possible the attackers were just gathering information in this attack to be used for a bigger attack later. For instance, if they had the source code for how Adobe handles PDFs they could find new ways to create malicious PDFs so they can create new viruses to infect someone else. Upon discovering these vulnerabilities Microsoft issued an emergency patch for the browser and operating system. McAfee antivirus created new signatures to detect these attacks as well. It’s interesting that so many companies were attacked with the same exploit all at once.

Once the Aurora exploit was known, companies could patch and detect it so it appears this hacker group was attacking as many places as it could and sort of letting the exploit become known in the process. But it also indicates that an attack at this scale would require dozens of people to conduct it; a team to develop the exploit, a team to research the attack, and a team to conduct the attack and remotely access those source code repositories. Further analysis of this attack and Trojan revealed more information. The attacks were seen coming from two different schools in China; the Shanghai Jiao Tong University and Lanxiang Vocational School.

Both of these schools are legitimate, well-established, and respectable. If you go there you see students walking around campus and it looks like an average school. The school might not have anything to do with this as the attackers may have just used a server within the school to wage their attacks, but then again maybe there’s some hidden basement full of hackers and this school is just some kind of screen. Because this was a major incident hitting dozens of US companies, the FBI and the US government began investigating the attacks. It’s really difficult to figure out who conducted a cyber-attack because of how anonymous and hidden you are on the internet.

A few pieces of information began to add up, though. The attackers wanted into those e-mail accounts of Chinese human rights activists and the attack originated from two schools in China, and the malware that was used had a checksum algorithm that’s only used in China. Rumors started to circulate that China was likely behind this attack. As the US government investigated, then Secretary of State Hillary Clinton addressed the media.

CLINTON: We are obviously very concerned about Google’s announcement regarding a campaign that the company believes originated in China to collect the passwords of Google e-mail account holders. These allegations are very serious. We take them seriously. We’re looking into them.

JACK: Some news outlets were even taking this a step further.

REPORTER: ‘Cause it’s basically an act of war.

REPORTER: Especially if it is really tied to the army and the government; it’s an act of war.

JACK: Personally I think this is espionage, not an act of war. This is just theft of information. A spokesperson for the Chinese foreign ministry had a reply. [CHINESE] “Blaming China is unacceptable. The Chinese government places great importance on the computer and internet security and controls the internet according to law and demands that internet users respect relevant laws and regulations when using the internet.” As Google investigated this more, it became more certain that China was behind this. An attack with this level of sophistication hitting this many companies at once had to be done by a group that’s very advanced.

They must have had dozens of people working on this attack. They’re well-funded and they were given extra privileges on China’s internet infrastructure. This isn’t the work of some amateurs or even Google competitors. This was far more advanced with far more capabilities. To understand what happens next we need to go back five years to 2005. In 2005 Google started building google.cn which was going to be a version of Google for people in China. See, the people in China can’t get to many of the sites we can. The Chinese government blocks anyone in China from getting to sites like Twitter, Facebook, Pinterest, most porn sites, YouTube, and yes, google.com. [MUSIC] But since China is the country with the largest population in the world, Google wanted to build a local version in China that would be allowed.

The Chinese government [00:15:00] required Google to have a license to operate in China, and they got it. They started building their offices, hiring their top talent, and creating google.cn, but while they were building it China decided to cancel the license. Google had to spend another eighteen months negotiating with the Chinese government to get the license to operate in China. One of the requirements was to censor certain search results. For instance, they wanted no results if you searched for Tiananmen Square protests. Google executives weren’t happy about all this censorship but still wanted to get into the Chinese market, so they complied with all the censorship requirements. In 2007 an agreement was made and google.cn finally came online.

Millions of people began using the site, but then the Olympics took place in 2008 in China. Ramping up for that, the Chinese government started requesting even more search terms to be censored, some that were very broad. The US executives at Google were very unhappy with this and expressed their frustrations but eventually complied, thinking this new censorship was only temporary until the Olympics were over, but the censorship didn’t end after the Olympics ended. In fact, China requested even broader search terms to be censored after the Olympics. Scary stuff too, like anything sexual in nature was banned, and anything that criticized the Chinese government or politicians were banned search terms in google.cn.

The Google executives were even more angry with this. They thought they were now helping this country conduct their oppression and it made them dissatisfied with China. When these attacks happened in late 2009, Google created a massive war room, not only to combat the attack technically but to determine what to do next. Sergey Brin, a co-founder of Google, was extremely upset with China over these attacks. He specifically was upset that the attackers tried to get into the Chinese civil rights activists’ accounts and that the Chinese government was censoring so much from its people. Sergey reminded the executives that the motto at Google is Don’t Be Evil, and by helping China be oppressive they were, in fact, being evil.

Eric Schmidt, the Executive Chairman, did not agree. He reminded Sergey that they always complied with local laws in any country they operate in and that’s just part of doing business internationally. A very passionate and internal debate waged among the Google executives for almost four months trying to determine what to do about China. Eventually Larry Page, the other co-founder of Google, agreed with Sergey and the debate was over. Google had decided to shut down their google.cn website and close most of their offices in China. They redirected all their traffic to google.com.hk which is a version of Google built in Hong Kong because Hong Kong maintains a totally separate body of government with different laws.

Now when people in China went to google.cn they were able to search for sexual content and the Tiananmen Square protests because it was going through the Hong Kong version of Google. This was a huge deal for Google, to shut down google.cn and pull out of China. China has the largest population of any country in the world and Google is the most popular website in the world. There are more than twice as many people on the internet in China than there are total people in the US. Leaving a market this size would make a noticeable impact upon Google’s traffic and revenue, but even more importantly it meant that Google would quit their fight over Chinese censorship laws.

Silence fell on all Google employees who read the memo. The news of shutting down the google.cn office was dropped at 6:00 a.m. Beijing time. Many of the Google employees in China learned about the announcement by co-workers calling them and waking them up. Panicked employees flooded the Google office in China with questions and concerns, but management just told everyone to leave and gave them all tickets to go see the movie Avatar, which had just come out. The next day employees came back to the Google office in China and Sergey himself had a teleconference call with all of them to explain the situation. It didn’t go well.

Emotions were high and employees felt that they were abandoned by the generals overseas in the middle of a war. A few months after that China blocked its people from being able to get to all Google sites including google.cn and google.com.hk. According to the website greatfire.org China has been blocking Google ever since. The major search engine that is used in China is called Baidu which if you search Tiananmen Square protests in there, you see stories about how the protests are a myth and didn’t happen. Ever since Operation Aurora, Google and many others have had to step up their defenses, knowing that more sophisticated attacks can hit even commercial companies. This attack forever changed how we see our adversaries when defending commercial networks.

[00:20:00] Security researchers at Symantec, Dell SecureWorks, and CrowdStrike dove further into Operation Aurora to try to understand the group behind these attacks. When Symantec investigated the malware further they found the code frequently used a variable with the name Elderwood, so they called this hacking group Elderwood. CrowdStrike came up with a different name, which was Sneaky Panda, and Dell called them the Beijing Group. I like Elderwood the most, so let’s stick with that one. Security researchers created a big list of everything that’s known about Operation Aurora and started building a dossier on the Elderwood group. For years after the attack researchers would examine other big hacks and breaches to try to find if there’s any connection with the Elderwood hacking group. Some connections were made; either the same Trojan was used, or the same command and control servers were used, or comments in the code were similar.

In the three years after Operation Aurora the Elderwood group was suspected to be behind seven different attack campaigns. [MUSIC] Each campaign resulted in numerous companies being hacked. The next attack they conducted after Operation Aurora contained a zero-day exploit using Adobe Flash. This is really interesting because during Operation Aurora they hacked into Adobe so we can speculate that maybe they did take the source code for Flash from Adobe and used it to build new exploits, because if you have the source code it’s much easier to find a vulnerability. In fact, they had five different zero-day exploits for Adobe Flash and were able to breach many companies using these exploits. This group had immense capabilities.

They seemed to be growing more powerful over time, stealing more source code from places like Google, Adobe, Oracle, and Microsoft and building more zero-day exploits with them. It seemed like the Elderwood hacking group had endless amounts of zero-day exploits it could use. Hacking using zero-day exploits is not actually that common. In 2011 there were only eight reported breaches that used a zero-day exploit in the attack, but four of those exploits were from the Elderwood group, so you can see how this group was dominating the hacker scene. What else is strange about the Elderwood group is that they have this uncanny ability to know when their zero-day exploits are about to be discovered or fixed. When they get wind that it’s going to be patched they burn their zero-day by trying to hack as many places as they can all at once to get the most out of it.

They may have access to an internal bug-tracking tool within Google or Microsoft or Adobe and they may have someone inside tipping them off. After Operation Aurora the Elderwood group changed their initial entry tactics. Instead of getting people to click the phishing e-mail they used what’s known as a watering-hole attack. This would hack into a popular website, put malware on it, and wait for users to visit the site to become infected. As soon as the victim’s computer would be infected, the hacking group would have full access to that computer. They also changed their targets. While attacking Microsoft, Google, and Adobe will help them find new exploits, it doesn’t look like that’s their primary objective.

They seem to be mostly interested in gaining access to defense companies, companies like Lockheed Martin, Raytheon, Boeing, and General Dynamics to name a few. These companies supply tanks, weapons, and planes to the US military. They presumably want access to these companies to gain information on the latest weapons and military technology, maybe also get a glimpse as to what the military has in stock. This would certainly be valuable information for a superpower like China. But the Elderwood group doesn’t attack these companies directly. Instead they’re almost always seen hacking into suppliers and third-party companies that deal directly with the top-tier defense companies. They’re also seen hacking into the suppliers of suppliers, because if they can infect the supply chain and that software gets into the defense company, then it’s just as good as hacking into the defense company.

It’s easier and sneakier because those third party companies don’t have nearly the security defenses as a top-tier defense contractor. Elderwood would possibly study all the parts that are used in a specific weapon or tank and figure out which companies supply those parts or software and figure out which websites those companies visit to do their work. One website they infected was the Center for Defense Information in Washington, DC. This is a non-profit organization that posts information on military matters. People who visit this site are likely to be military or those working in the defense industry. Even if it’s a third party to a contractor, infecting them can be very valuable.

From there you can implant malware into software and that can make its way into bigger companies. Details aren’t given as to what companies were specifically hit by Elderwood. Symantec doesn’t release that information, and those companies that are breached aren’t always required to publicly disclose it, so all we can tell from Symantec is the way the attacks happened and what types of companies were targeted. The second-biggest target for the Elderwood hacking group is human rights organizations. It’s suspected that the same group that did Operation Aurora in 2010 was also responsible for placing zero-day Flash exploits on the website for Amnesty International Hong Kong.

Users have visited that site, have become infected, and this group could then access their computers to see anything they wanted to see on that computer. Other sites that had zero-day exploits on them were International Institute for Counter-Terrorism and The Cambodian Institute of Foreign Affairs. Users who visited those websites in May of 2012 had a high likelihood of being infected and having their systems controlled by the Elderwood group. [00:25:00] Some researchers believe that there must be hundreds if not thousands of people working for this group.

There would be a team of developers to comb through the stolen source code to develop exploits, then there’s a team to gather information on the targets and do open-source intelligence gathering, then there’s a team that puts together the attacks and plans a way to get into places, then there’s a team to conduct the attack and sit there waiting for the infected machines to show up. Then there are people talented at knowing certain software to be able to grab the data they need and navigate around. Then there’s a team of analysts to make sense of the data once it’s stolen, then there must also be interpreters and spies and website developers and instructors and labs and commanders. The Elderwood group is well-funded, highly trained, and very advanced. A group like this doesn’t just show up overnight.

I suspect they probably have been working together for years, if not decades, before being discovered like this. But still, we can only guess as to who they are based on the footprints they leave. Research papers have been published outlining the tactics, techniques, and procedures of the Elderwood group. Since then it appears they’ve changed their tactics to avoid being connected. Some researchers also believe they’ve broken up into smaller groups specifically designed for certain attacks such as spying on people or hacking into certain sectors. The hacking activity we continue to see from China today remains one of the most advanced, persistent threats. In 2015, US President Barack Obama and Chinese President Xi Jinping met to discuss cyber-attack diplomacy. They had dinner together and came to an agreement. The two presidents stood side-by-side on the White House lawn to explain what they agreed on.

OBAMA: I raised, once again, our very serious concerns about growing cyber threats to American companies and American citizens. I indicated that it has to stop. The United States government does not engage in cyber economic espionage for commercial gain and today I can announce that our two countries have reached a common understanding on the way forward. We’ve agreed that neither the US or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property including trade secrets or other confidential business information for commercial advantage. In addition we’ll work together and with other nations to promote international rules of the road for appropriate conduct in cyber space.

JACK: If I can break character for a second here; this is what I love about having a career in InfoSec. I can turn on the nightly news and sometimes see the president talking my lingo. It’s just amazing to see what I’m passionate about being talked about on the world stage like this. It’s awesome. Anyway, this agreement was likely a direct result from the project Aurora attacks. Then again in 2017, US President Donald Trump and the Chinese President Xi Jinping met at Mar-a-Lago and renewed the same truce that neither country would attack commercial sectors to steal intellectual property for commercial gain.

Personally I don’t think this truce has much value, as both countries continue to do what they can to gather details from each other. Hacking into commercial companies to steal source code to develop new vulnerabilities is simply a part of that process. For instance, China is suspected to be behind the virus found in CCleaner, a popular Windows clean-up tool, and that attack got them access to data at Microsoft and Google. China denied its involvement, but even if it did admit to it they could just say that the data stolen wasn’t used for commercial gain. This agreement between the two is just weak and unenforceable. Now that we know the Elderwood hacking group is capable of targeting commercial sectors, companies should take this as a cautionary tale, especially companies that supply to defense contractors.

If this attacking group knows that a defense company uses your product they might try hacking you to get into the defense company because it’s easier and sneakier. By taking on a defense company as a client it significantly increases your threat landscape. This is the modern-day arms race. Foreign countries will continuously be trying to hack into our government and defense companies to gather as much information as they can. At the same time our government is trying to gather information about foreign governments by hacking them as well. This makes it difficult to understand governments.

If the NSA finds a bug in Microsoft they might not tell Microsoft, but instead they’ll keep it to themselves and potentially use it in a cyber-attack because they want to be one step ahead of the enemy. We’re seeing that the US and foreign governments are keeping zero-day exploits just for themselves. Governments hacking into other governments or companies in other countries is now the new normal. Spyware vs. spyware, ghosts in the wire, cyber-patriots. This is the current battlefront that is secret and hidden from all of us until something goes wrong or gets sloppy or until someone wants us to see something.

JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. This episode is made by me, Jack Rhysider, with theme music [00:30:00] from the mysterious Breakmaster Cylinder. Okay, so a lot of you want more episodes of this show and I’ll make a deal with you. I’ll go back to producing two episodes a month if you can help me reach 3,000 followers on Facebook. Deal? Okay, if you’re in go to facebook.com/darknetdiaries and follow the page. Tell your friends to follow it too. I also posted a preview of the next episode on Facebook for you to check out right now so come on, let’s go do this.

Transcription performed by LeahTranscribes