Operation Aurora: When China hacked Google

by | Sep 27, 2021

Google is the most popular website on the Internet, with over 90 billion visits in 2021 already. It is so popular that many people around the world believe that Google actually is the Internet.

It has been almost 11 years since Google publicly disclosed in a blog post that it had been the victim of a sophisticated cyber-attack, one that also targeted over 20 other companies and organizations, including Adobe, Oracle and Microsoft.

As a result of the attack, Google stated that some of its intellectual property had been stolen by what appeared to be Chinese actors, and that it was reviewing its business operations in China. The announcement caused a huge reaction in the tech world and among global leaders.

The breaking story unfolded

On January 12th, 2010, Google published a blog post titled “A new approach to China” describing an attack that affected at least 20 large companies between June and December of 2009.

Google said it was the most sophisticated cyber-attack it had endured since its founding, and that the malware used was not detected by any antivirus product.

Within hours of the announcement, some of the affected companies, such as Adobe, admitted that they had been attacked too, along with numerous others including Microsoft, Yahoo and Juniper Networks.

Operation Aurora – Name Origin

After the news broke, the victim companies, law enforcement, and security companies all began an extended investigation.

McAfee obtained a sample of the malware and reverse engineered it, finding that when the attackers ran their tooling, it was running out of a folder called Aurora. Because of that folder name embedded in the malware, McAfee’s security researchers were the first to call the attack Operation Aurora.

Malware path \Aurora_Src - source: content.secureworks.com

Spear-phishing delight

The attackers would profile an employee of the targeted company, elicit the information they needed from that person, and then craft a convincing spear-phishing e-mail. They would spoof the sender of the email so it appeared to come from a legitimate user, and finally trick the target into clicking the link inside the email.

The emails were so well crafted and personalized that even an experienced security expert would find them hard to detect.
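Spoofed senders and disguised links are the two ingredients described above. The following Python script is an added example, not code from the original article; it runs a few header and link checks over one constructed message (the example.com / example.org / example.net domains, the addresses and the Authentication-Results line are placeholders) and returns the warning signs a mail gateway or an analyst would flag before anyone clicks.

```python
"""Triage checks for a spear-phishing e-mail: sender spoofing and link mismatch.

Added example (not from the original article). The message below is
constructed for illustration; example.com / example.org / example.net are
placeholder domains and the Authentication-Results line is what the
receiving mail server (assumed to be mx.example.net) stamped on it.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims the corporate domain, the real
# address and Reply-To point elsewhere, SPF failed on receipt, and the link
# text shows an intranet URL while the href goes somewhere else.
SAMPLE_EMAIL = b"""From: "Alice Chen (it@example.com)" <alice.chen@example.org>
Reply-To: helpdesk@example.net
To: bob@example.com
Subject: Updated VPN instructions for Q1
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.org; dkim=none
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Bob, see the new VPN guide:
<a href="http://vpn-update.example.org/guide">https://intranet.example.com/vpn</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage(raw_bytes, internal_domain):
    """Return a list of findings (strings) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    # 1. Display name smuggles an address whose domain differs from the real one.
    for claimed in re.findall(r"[\w.-]+@([\w.-]+)", display):
        if claimed.lower() != from_dom:
            findings.append(f"display name claims {claimed} but address is {from_dom}")
    # 2. Reply-To redirects answers to a different domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"reply-to domain {_domain(reply)} differs from {from_dom}")
    # 3. Authentication verdicts recorded by the receiving MTA.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) in ("fail", "softfail", "permerror"):
            findings.append(f"{mech} result: {m.group(1)}")
    # 4. Link text shows one host while the href leads to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = _host(text) if text.startswith("http") else ""
            if shown and shown != _host(href):
                findings.append(f"link text shows {shown} but href goes to {_host(href)}")
            elif _host(href) and not _host(href).endswith(internal_domain):
                findings.append(f"external link to {_host(href)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL, "example.com"):
        print("FLAG:", finding)
```

None of these checks is conclusive on its own; the point is that a message which trips several of them at once (a mismatched display name, a redirected Reply-To, a failed SPF check and a disguised link) deserves a second look however well the text reads.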

 

The way in – Internet Explorer Zero-Day

When the victim clicked the link inside the email, it took them to a fake website hosting malware. When the site was opened in Internet Explorer, the attacker could exploit even a fully patched browser. The big issue was that the vulnerability was not known to Microsoft, so it was a zero-day bug against the mighty Microsoft.

Upon visiting the malicious site, the victim’s machine was forced by the malware to run commands that downloaded a new Trojan capable of infecting a fully patched version of Windows. The Trojan then opened a communication tunnel back to the attackers, giving them full access to the victim’s machine.

Chinese human rights activists’ Gmail accounts targeted

The malware’s encryption was strong and stealthy, as its traffic was designed to look like normal web traffic. The use of multiple exploits that were not known to anyone was the main reason for the success of the attacks.
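The Trojan’s call-home tunnel described earlier was built to blend into ordinary web traffic. Where the content cannot be inspected, timing still gives it away: an implant checking in on a schedule produces connections to the same host at near-constant intervals with near-constant request sizes, which human browsing does not. The Python below is an added example, not part of the original article; the proxy log lines, the client address and the hostnames are constructed placeholders.

```python
"""Spot command-and-control beaconing hidden in ordinary-looking web traffic.

Added example, not part of the original article. The proxy log lines
below are constructed; the client address and hostnames are placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one line per request: "timestamp client dest_host bytes_out".
# One host is contacted once a minute with ~120-byte requests, amid normal browsing.
PROXY_LOG = """\
2010-01-05T09:00:00 10.0.0.7 news.example.com 412
2010-01-05T09:00:03 10.0.0.7 cdn.example.com 2201
2010-01-05T09:01:00 10.0.0.7 update.example.net 118
2010-01-05T09:02:00 10.0.0.7 update.example.net 121
2010-01-05T09:02:41 10.0.0.7 mail.example.com 980
2010-01-05T09:03:00 10.0.0.7 update.example.net 119
2010-01-05T09:04:01 10.0.0.7 update.example.net 117
2010-01-05T09:05:00 10.0.0.7 update.example.net 120
2010-01-05T09:05:12 10.0.0.7 news.example.com 3344
2010-01-05T09:06:00 10.0.0.7 update.example.net 118
2010-01-05T09:13:50 10.0.0.7 news.example.com 1500
"""


def parse_log(text):
    """Yield (datetime, client, host, bytes_out) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, size = line.split()
        yield datetime.fromisoformat(ts), client, host, int(size)


def find_beacons(entries, min_hits=5, max_cv=0.1, max_size_spread=0.2):
    """Return {(client, host): period_seconds} for connection pairs whose
    inter-arrival times are regular (coefficient of variation <= max_cv)
    and whose request sizes barely vary (range/mean <= max_size_spread).
    """
    by_pair = defaultdict(list)
    for ts, client, host, size in entries:
        by_pair[(client, host)].append((ts, size))
    beacons = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:
            continue  # too few samples to call the timing regular
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        sizes = [size for _, size in hits]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        size_spread = (max(sizes) - min(sizes)) / mean(sizes)
        if jitter <= max_cv and size_spread <= max_size_spread:
            beacons[pair] = round(period, 1)
    return beacons


if __name__ == "__main__":
    for (client, host), period in find_beacons(parse_log(PROXY_LOG)).items():
        print(f"possible beacon: {client} -> {host} every ~{period}s")
```

The thresholds are deliberately loose defaults; real implants add jitter, so in practice this is run per host over a whole day and combined with other signals (a host nobody else on the network talks to, requests that never vary in size) rather than used as a single verdict.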

 

The zero-day attacks indicated that the attackers had a well-funded base for their operations, since researching and developing these kinds of exploits takes a great deal of research effort and money behind the scenes.

The first clue that the attacks were coming from China emerged when Google went a step further and dug into the data to understand the attackers’ origins and what they were trying to achieve.

They found that the first goal after compromising a victim’s machine was to access their Gmail account; not just anyone’s e-mail, but specifically human rights activists’ e-mail, and, to Google’s surprise, not just any human rights activists but Chinese human rights activists’ Gmail accounts.

The situation took Google’s researchers by surprise when they discovered an odd connection between the compromised accounts: every one of those Gmail accounts had been the subject of a court order from US law enforcement requesting access to that specific account.

Google, suspecting government espionage, was able to stop the attackers from reading the emails; they were only able to tell when each account had been created.

Finding Google’s source code via Perforce

Most companies keep their source code in a secure location because, when it is not open source, it is considered intellectual property; large companies like Google keep theirs in Software Configuration Management systems. The system holding Google’s source code at the time was Perforce, and while researching the attacks Google found various problems with it.

The attackers were able to locate the Perforce servers that hosted Google’s source code and used another zero-day vulnerability to get into those Perforce systems.

McAfee findings on Perforce

McAfee researchers found that Perforce was insecure by default. Anyone could create a user account without admin intervention, passwords were unencrypted, as was all communication with Perforce, its authentication was prone to directory traversal attacks, and all files were stored in cleartext.
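One of the weaknesses listed above is directory traversal. The Python below is an added example, not code from the original article or from Perforce; it places a naive path check beside a properly confined one and shows, on a throwaway repository layout it builds itself (including a symlink that points outside the depot), which client-supplied paths each check lets escape.

```python
"""Path confinement: the check a server-side file fetch needs so that a
client-supplied path cannot walk out of the repository root.

Added example, not from the original article or from Perforce. The
depot layout is a temporary directory created by demo() itself.
"""
import os
import shutil
import tempfile


class TraversalError(ValueError):
    pass


def naive_open_path(root, requested):
    """Vulnerable: joins and then checks only the *string* prefix, so '..'
    segments and symlinks are never noticed."""
    candidate = os.path.join(root, requested)
    if not candidate.startswith(root):
        raise TraversalError(requested)
    return candidate


def confined_path(root, requested):
    """Hardened: reject absolute paths and NUL bytes, resolve symlinks and
    '..' on both sides, then require the result to sit beneath the real root."""
    if os.path.isabs(requested) or "\x00" in requested:
        raise TraversalError(requested)
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise TraversalError(requested)
    return candidate


def escapes_root(checker, root, requested):
    """True if `checker` lets `requested` reach a file outside `root`."""
    try:
        result = checker(root, requested)
    except TraversalError:
        return False
    real_root = os.path.realpath(root)
    return os.path.commonpath([real_root, os.path.realpath(result)]) != real_root


def demo():
    """Build a throwaway depot next to a 'secrets' directory, link into it from
    inside the depot, and return which requests each checker lets escape."""
    base = tempfile.mkdtemp()
    depot = os.path.join(base, "depot")
    os.makedirs(os.path.join(depot, "src"))
    os.makedirs(os.path.join(base, "secrets"))
    open(os.path.join(base, "secrets", "key.txt"), "w").close()
    open(os.path.join(depot, "src", "main.c"), "w").close()
    os.symlink(os.path.join(base, "secrets"), os.path.join(depot, "link"))
    requests = [
        "src/main.c",                  # legitimate
        "../secrets/key.txt",          # plain dot-dot escape
        "link/key.txt",                # escape through a symlink inside the depot
        "src/../../secrets/key.txt",   # dot-dot buried after a valid segment
    ]
    try:
        return {
            name: [r for r in requests if escapes_root(fn, depot, r)]
            for name, fn in (("naive", naive_open_path), ("confined", confined_path))
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, escaped in demo().items():
        print(f"{name}: {len(escaped)} request(s) escaped the depot: {escaped}")
```

The string-prefix check is the mistake that keeps recurring in file servers: the joined path really does start with the root, but the filesystem resolves the dot-dot segments and the symlink afterwards. Resolving first and comparing with commonpath closes both routes.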

 

Once the attackers were “in” Google’s systems, they could easily access the Perforce systems, and it was reported that they managed to steal some source code for the Google Chrome browser.

Emergency Patches

Microsoft, upon discovering the vulnerabilities in Internet Explorer and Windows, quickly released patches. McAfee also created new virus signatures to detect the attacks in real time.

Further Analysis – Origin of attacks

Operation Aurora was found to have impacted multiple companies, which led to the assumption that the attack required a lot of people to conduct it. In other words, such an operation required multiple teams: a team to develop the exploit, a team to research and gather information about the targets, and finally teams to conduct the attacks and access the source code remotely.

 

The attacks seemed to originate from two different parts of China, both school locations: the Lanxiang Vocational School and Shanghai Jiao Tong University. Both schools are legitimate and well established in China, but that alone does not definitively explain why the attacks originated there. An underground hacking operation, or attackers using a server inside a school to wage their attacks, are both possibilities.

Xiang Vocational School in China - source: china15min.files.wordpress.com

China is on the ropes with the US

As the information and data added up, it became clear that the attackers had selectively accessed Chinese human rights activists’ Gmail accounts and that the attacks were coming from the two schools in China.

When the malware’s checksum algorithm was analyzed, it was found to be one used only in China.

The circulating rumors led multiple media sources and the Secretary of State at the time, Hillary Clinton, to address the issue publicly as an act of war and espionage against the US.

Google’s History in China – google.cn

In 2005, Google started building google.cn, which was going to be a version of Google for people in China. At the time, Chinese people were blocked from using sites like Facebook, Twitter and even google.com.

Google then obtained its license to operate in China, started building offices and hiring people, and all seemed to go well until China cancelled the license because it wanted to censor some search results, such as “Tiananmen Square protests”.

Google’s executives were not happy about this censorship, but eventually reached an agreement with the Chinese government and launched google.cn in 2007.

In 2008, when the Olympics were held in China, many people visited the site, but the Chinese government continued to request censorship of more search terms. The requests continued after the Olympics had ended and grew broader: anything of a sexual nature, and anything that criticized the Chinese government or politicians, became banned search terms on google.cn.

This made Google’s executives unhappy, and they expressed their frustration about the censorship, believing that they were now helping China oppress the Chinese people.

Google ceased operations in China

When the attacks began to unfold in 2010, Google’s executives spent four months deciding what to do about their operations in China. They decided to shut down the google.cn website and redirect all its traffic to google.com.hk, a version of Google built in Hong Kong, because Hong Kong maintains a separate body of government with different laws from mainland China.

As Google proceeded with the shutdown, panicked employees flooded Google’s offices in China with questions and concerns. Sergey Brin, co-founder of Google, held a teleconference call with all of them to explain the situation after Google’s decision.

After four months, the Chinese government blocked its people from reaching all Google sites, including google.cn and google.com.hk.

 

Google users in Hong Kong hold a banner saying, "Say no to Internet censorship: Google, well done!" - source: http://edition.cnn.com/

Security researchers’ findings continue

Security researchers from Symantec, CrowdStrike, and Dell SecureWorks continued to dig further into Operation Aurora. Symantec named the hacking group Elderwood after finding a variable named “Elderwood” used many times in the malware’s source code.

In the couple of years after the Operation Aurora attack, the Elderwood group became a suspect behind numerous attack campaigns.

The next attack conducted after Operation Aurora was directed at Adobe and contained a zero-day exploit for Adobe Flash. The interesting thing here is that they may have stolen the source code of Flash during Operation Aurora and used it to build new exploits. They were able to breach many companies using five zero-day exploits found in Adobe Flash.

Elderwood hacking group watering-hole attacks

After Operation Aurora, the hacking group changed its tactics. Instead of getting people to click a phishing email, they used watering-hole attacks.

Watering-hole attack, simplified - source: itsecuritycentral.teramind.co

They would hack into popular websites, upload malware, and wait for regular users to visit the site and become infected, giving the attackers full access to those computers.

The Elderwood hacking group also changed its targets: instead of Microsoft, Yahoo, and Adobe, they went after defense companies like Raytheon, Boeing, General Dynamics, and others. These companies design and manufacture weapons, army equipment, and planes for the US military. Rather than attacking the defense companies directly, they would hack into the suppliers and third-party companies that dealt with them.

This is easier and stealthier than attacking those companies directly: the attackers could study how a military plane is made and used, figure out which companies supply its parts or software, and then figure out which websites those companies visit to perform their work.
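A watering-hole attack works because the site itself is trusted, so defending one comes down to noticing when a page starts serving something it did not serve yesterday. The Python below is an added example, not from the original article; it inventories the scripts a page loads (external sources by URL, inline scripts by hash) and diffs a live copy against a recorded baseline. Both HTML documents are constructed and the hostnames are placeholders.

```python
"""Baseline check for watering-hole tampering: diff the scripts a page
loads against a recorded known-good inventory.

Added example, not part of the original article. Both HTML documents are
constructed; a real deployment would fetch the live page on a schedule and
keep the baseline inventory in version control.
"""
import hashlib
from html.parser import HTMLParser

# Constructed known-good copy of a site's front page.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>var cfg = {lang: "en"};</script>
</head><body><h1>News</h1></body></html>"""

# Constructed later copy: one extra external script and one extra inline block.
LIVE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>var cfg = {lang: "en"};</script>
<script src="https://analytics.example.net/t.js"></script>
</head><body><h1>News</h1>
<script>var p = document.createElement("script");</script>
</body></html>"""


class _ScriptInventory(HTMLParser):
    """Record external script sources and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.add(src)
            else:
                self._in_inline = True
                self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            code = "".join(self._buf).strip()
            self.inline.add(hashlib.sha256(code.encode()).hexdigest()[:16])
            self._in_inline = False


def inventory(html):
    """Return {'external': set of src URLs, 'inline': set of content hashes}."""
    parser = _ScriptInventory()
    parser.feed(html)
    return {"external": parser.external, "inline": parser.inline}


def diff_against_baseline(baseline_html, live_html):
    """List scripts present in the live page that the baseline never served."""
    base, live = inventory(baseline_html), inventory(live_html)
    return {
        "new_external": sorted(live["external"] - base["external"]),
        "new_inline": sorted(live["inline"] - base["inline"]),
    }


if __name__ == "__main__":
    delta = diff_against_baseline(BASELINE_HTML, LIVE_HTML)
    for kind, items in delta.items():
        for item in items:
            print(f"{kind}: {item}")
```

Hashing inline scripts rather than storing them keeps the baseline small and makes any edit, however minor, show up as a new entry; the same inventory can seed a Content-Security-Policy allow-list so that an unexpected script source is blocked by the browser as well as reported.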

 

Elderwood as a hacking group

The team assembled to perform those attacks was highly specialized, trained, and well organized, which indicates a country funding the group, presumably China in this case.

They had probably been working together for years: a team of developers to build exploits, a team to carry out the reconnaissance phase on the targets, a team that combines the recon findings and plans a way into the companies, and the team that performs the attacks and waits for targets to be compromised.

Some researchers believe that they constantly change their tactics, and have even broken up into smaller groups to avoid being connected with past cyber-crimes.

Aftermath

In 2015, Barack Obama and Chinese President Xi Jinping met to discuss cyber-attack diplomacy.

They finally came to an agreement in the end.

Despite that, the cyber-war between the US and China continues behind the scenes. China has been a suspect in various hacking incidents since 2015, such as the malware found in CCleaner, a popular Windows clean-up tool, an attack through which the attackers again accessed data belonging to Microsoft and Google.

Every country needs to be a step ahead of the others, and gathering as much information as possible, even illegally, seems to be the way to achieve that in today’s world.

Foreign countries will continue to play cat and mouse as long as machines are connected to the Internet, which makes it something we have to live with, learn from, and be better prepared for the next attack.