Operation Aurora – World History

Table of Contents

BACKGROUND

On January 12, 2010, Google revealed on its blog that it had been the victim of a cyber attack. The company said the attack occurred in mid-December and originated from China.
Google stated that over 20 other companies had been attacked; other sources have since cited that more than 34 organizations were targeted.

Technical evidence including IP addresses, domain names, malware signatures, and other factors, show Elderwood was behind the Operation Aurora attack, one of numerous attacks conducted by the Elderwood gang and others such as PLA Unit 61398 (also known as APT1).
The group obtained some of Google’s source code, as well as access to information about Chinese activists. Along with other groups such as Unit 61398, also targeted numerous other companies in the shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors.

Elderwood specializes in attacking and infiltrating second-tier defense industry suppliers that make electronic or mechanical components for top defense companies. Those firms then become a cyber “stepping stone” to gain access to top-tier defense contractors.
Elderwood infects these less-secure sites with malware that downloads to a computer that clicks on the site. After that, the group searches inside the network to which the infected computer is connected, finding and then downloading executives’ e-mails and critical documents on company plans, decisions, acquisitions, and product designs.

In its blog posting, Google stated that some of its intellectual property had been stolen. It suggested that the attackers were interested in accessing Gmail accounts of Chinese dissidents.
A week after the report by McAfee, Microsoft issued a fix for the issue, and admitted that they had known about the security hole used since September.
According to a diplomatic cable from the U.S. Embassy in Beijing, a Chinese source reported that the Chinese Politburo directed the intrusion into Google’s computer systems.

The cable suggested that the attack was part of a coordinated campaign executed by “government operatives, public security experts and Internet outlaws recruited by the Chinese government.“
The attacks were thought to have definitively ended on Jan 4 when the command and control servers were taken down, although it is not known at this point whether or not the attackers intentionally shut them down.

The German, Australian, and French governments publicly issued warnings to users of Internet Explorer after the attack, advising them to use alternative browsers at least until a fix for the security hole was made.
The German, Australian, and French governments considered all versions of Internet Explorer vulnerable or potentially vulnerable.
Microsoft admitted that the security hole used had been known to them since September. Work on an update was prioritized and on Thursday, January 21, 2010, Microsoft released a security patch aiming to counter this weakness.