Operation Aurora was a series of counter-espionage cyber attacks carried out by Chinese government against a number of leading companies including Google, Microsoft,& Adobe in United States of America and other western countries. The attacks first revealed by Google in January 2010, first started from mid 2009 and continued till late December. These attacks were named “Operation Aurora” byDmitri Alperovitch Vice President of Threat Research at cyber security company McAfee after the part of the file path on the attacker’s machine that was included in two of the malware binaries associated with the attack. In simple terms the hackers used a Trojan named “Aurora”.
What was the purpose of Operation Aurora?
As per the experts these cyber attacks were meant for counter-intelligence. When Google dropped the Aurora bombshell in 2010, it said the attackers were trying to infiltrate the Gmail accounts of Chinese human rights advocates. Google in its blog described the attack as “a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property.”
However, three years later Dave Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments said the attackers were actually probing whether the U.S. government had uncovered the identity of clandestine Chinese agents operating in the United States. He did not say anything on the claims of Google. The purpose of attack revealed by Dave Aucsmith has wider acceptance among security professionals and government. It has been said by various former government officials that attackers successfully accessed a database that flagged Gmail accounts marked for court-ordered wiretaps. Such information would have given attackers insight into active investigations being conducted by the FBI and other law enforcement agencies that involved undercover Chinese operatives. “Knowing that you were subjects of an investigation allows them to take steps to destroy information, get people out of the country,” a former U.S. government official with knowledge of the breach told the Washington Post.
Various other motives have also been ascribed to these attacks. As per The Guardian the attacks were orchestrated by a senior member of the Politburo who typed his own name into the global version of the search engine and found articles criticizing him personally.
According to a leaked diplomatic cable from the U.S. Embassy in Beijing, a Chinese source reported that the Chinese Politburo directed the intrusion into Google’s computer systems. The cable suggested that the attack was part of a coordinated campaign executed by “government operatives, public security experts and Internet outlaws recruited by the Chinese government.” The report suggested that it was part of an ongoing campaign in which attackers have “broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002.
How was the attack carried out?
The attackers wanted to gain the control of the computer systems. For complete control, they required “elevated access” to the system.The attackers exploited a zero-day vulnerability in the Internet Explorer using a malware to gain this elevated access. They used multiple layers of encryption on network traffic to carry out the hack clandestinely.
The Google attackers are said to have exploited the backdoor wiretaps in Gmail accounts as mandated by the US government to access the activist accounts. These backdoors were created by the Google itself so that government can monitor user data. The same backdoors were exploited by the Chinese hackers to gain entry into the Gmail accounts. Once a victim’s system was compromised, a backdoor connection that masqueraded as an SSL connection made connections to command and control servers running in Illinois, Texas, and Taiwan, including machines that were running under stolen Rackspace customer accounts. The victim’s machine then began exploring the protected corporate intranet that it was a part of, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories.
Once it was confirmed that there was a Zero-day vulnerability in Internet Explorer, many governments including that of Germany, France and Australia advised its citizens to shift from all versions of internet explorer to some other browser. Two days later Microsoft announced that it had fixed the vulnerability. The Internet Explorer exploit code was later released into public and has been incorporated into Metasploit Framework penetration testing tool.