
Operation Aurora: Google's Been Hacked

2010-01-21

Kim Zetter of Wired.com reports that the recent attack on Google, Adobe and other companies was carried out, at least in part, by exploiting a zero-day vulnerability that affects many versions of Internet Explorer.

The attacks have been dubbed "Operation Aurora", which is believed to be the name the attackers themselves gave the operation.

An advisory posted by Microsoft (Security Advisory 979352, covering the flaw later assigned CVE-2010-0249, a memory-corruption bug in Internet Explorer's HTML rendering engine) acknowledges the new vulnerability and confirms that it was used in the attacks on Google and the other named companies. Microsoft has also published mitigation suggestions that users can apply until a patch is released.

The article states that both Google and Adobe have acknowledged the attacks, and Wired's Threat Level blog reports that at least 34 companies were breached, some of them through malicious PDF e-mail attachments that exploited a zero-day vulnerability in Adobe's Reader and Acrobat applications.

iDefense has said that the attackers targeted the companies' source code repositories: they installed a Trojan, detected as Trojan.Hydraq, on compromised users' computers, used it to siphon credentials and other data in order to move further into the corporate network, and in many cases succeeded in reaching the repositories. The stolen data is said to have been transmitted first to servers in the United States hosted by Rackspace and from there on to IP addresses in Taiwan.

Zetter writes that George Kurtz, McAfee's chief technology officer, indicates that the IE vulnerability may be just one of several attack routes the intruders used, and that the attacks mark a sea change in cyber espionage. He notes that the attacks, which took place over the Christmas and New Year holidays, were timed to hit when companies would be least likely to detect them.

Kurtz wrote in his blog, "The current bumper crop of malware is very sophisticated, highly targeted, and designed to infect, conceal access, siphon data or, even worse, modify data without detection. These highly customized attacks known as 'advanced persistent threats' (APT) were primarily seen by governments and the mere mention of them strikes fear in any cyberwarrior. They are in fact the equivalent of the modern drone on the battlefield. With pinpoint accuracy they deliver their deadly payload and once discovered - it is too late. All I can say is wow. The world has changed."

One of the most surprising outcomes of the attacks is Google's decision to stop censoring search results in China. Here is an excerpt from Google's official blog:

"Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers."

In the second-to-last paragraph, Google writes: "We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China."