Saturday, 14 July 2018

Operation Aurora was a series of cyber attacks conducted by advanced persistent threats such as the Elderwood Group, based in Beijing, China, with ties to the People's Liberation Army. First publicly disclosed by Google on January 12, 2010, in a blog post, the attacks began in mid-2009 and continued through December 2009.

The attack was aimed at dozens of other organizations, with Adobe Systems, Juniper Networks and Rackspace publicly confirming that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets.

As a result of the attack, Google stated in its blog that it planned to operate a completely uncensored version of its search engine in China "within the law, if at all," and acknowledged that if this was not possible it might leave China and close its Chinese offices. Official Chinese sources claimed this was part of a strategy developed by the US government.

The attack was named "Operation Aurora" by Dmitri Alperovitch, Vice President of Threat Research at the cyber security company McAfee. Research by McAfee Labs found that "Aurora" was part of a file path on the attacker's machine that was embedded in two malware binaries McAfee said were associated with the attack. "We believe the name was the internal name the attacker(s) gave to this operation," McAfee Chief Technology Officer George Kurtz said in a blog post.

According to McAfee, the primary goal of the attack was to gain access to, and potentially modify, the source code repositories at these high-tech, security and defense contractor companies. "[The SCMs] were wide open," Alperovitch said. "Nobody had ever thought of securing them, yet these were the crown jewels of most of these companies in many ways - far more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting."



History

On January 12, 2010, Google revealed on its blog that it had been the victim of a cyber attack. The company said the attack occurred in mid-December and originated in China. Google stated that more than 20 other companies had been attacked; other sources have since said that more than 34 organizations were targeted. As a result of the attack, Google said it was reviewing its business in China. On the same day, US Secretary of State Hillary Clinton issued a brief statement condemning the attacks and requesting a response from China.

On January 13, 2010, the news agency All Headline News reported that the United States Congress planned to investigate Google's allegations that the Chinese government had used the company's services to spy on human rights activists.

In Beijing, visitors left flowers outside Google's office. These were later removed, with a Chinese security guard stating that this was an "illegal flower tribute". The Chinese government had yet to issue an official response, although an anonymous official stated that China was seeking more information about Google's intentions.


Attackers involved

Technical evidence including IP addresses, domain names, malware signatures and other factors shows that Elderwood was behind the Operation Aurora attack, one of many attacks conducted by the Elderwood gang and by others such as PLA Unit 61398, a Shanghai-based advanced persistent threat group also called "Comment Crew", named after a technique the group often uses that abuses the hidden "comment" features of web pages to infiltrate the computers of visitors to those pages. The two largest groups may employ hundreds of people, and work to compromise security and siphon business ideas, advanced designs and trade secrets from foreign computer networks. The group behind the Operation Aurora attack was dubbed "Elderwood" by Symantec, after a source-code variable used by the attackers, and the "Beijing Group" by Dell SecureWorks. The group obtained some of Google's source code, as well as access to information about Chinese activists. Together with other groups such as Unit 61398, it has also targeted numerous other companies in the shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial and software sectors.

Elderwood specializes in attacking and infiltrating second-tier defense industry suppliers that make electronic or mechanical components for top defense companies. Those firms then become cyber "stepping stones" to gain access to top-tier defense contractors. One attack procedure used by Elderwood is to infect legitimate websites frequented by employees of the target company, the so-called "watering hole" attack, named for the way lions stake out a watering hole for their prey. Elderwood infects these less-secure sites with malware that is downloaded to the computer of anyone who browses the site. The group then searches the network the infected computer is connected to, finds and downloads executives' e-mails and critical documents on company plans, decisions, acquisitions and product designs.


Analysis of the attack

In its blog post, Google said that some of its intellectual property had been stolen. It suggested that the attackers were interested in accessing the Gmail accounts of Chinese dissidents. According to the Financial Times, two accounts used by Ai Weiwei had been attacked, their contents read and copied; his bank accounts were investigated by state security agents who claimed he was under investigation for "unspecified suspected crimes". However, the attackers were only able to view details on two accounts, and those details were limited to things such as the subject line and the accounts' creation date.

Security experts immediately noted the sophistication of the attack. Two days after the attack became public, McAfee reported that the attackers had exploited a purported zero-day vulnerability (one that was unpatched and previously unknown to the developers of the target system) in Internet Explorer, and dubbed the attack "Operation Aurora". A week after McAfee's report, Microsoft issued a fix for the issue and admitted that it had known about the security hole since September. Additional vulnerabilities were found in Perforce, the source code revision software Google used to manage its source code.
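The article says the attackers went after source code repositories and that Google managed its code with Perforce, but it does not describe the Perforce weaknesses themselves. The check a practitioner would want at this point is an audit of who can actually write to the repository. The following is an added example, not code from the article, from Google or from Perforce: it parses a Perforce protections table in the format printed by `p4 protect -o` (one grant per line: mode, `user` or `group`, name, host, depot path) and flags the grants that make an SCM "wide open" in the sense quoted above. The two sample tables are constructed for illustration; the rule that an empty protections table makes every user a superuser is Perforce's documented default behaviour.

```python
"""Audit a Perforce protections table for over-broad write/admin/super grants.

Added example (not from the article, Google or Perforce). The sample
tables below are constructed; the hypothetical host 10.0.0.12 stands in
for an administrators' jump host.
"""
from dataclasses import dataclass
from typing import List

PRIVILEGED = {"write", "admin", "super"}


@dataclass
class Grant:
    mode: str   # list, read, open, write, admin, super, review (optionally '=' prefixed)
    kind: str   # "user" or "group"
    name: str   # user/group name, or "*" for everyone
    host: str   # client IP/CIDR, or "*" for any host
    path: str   # depot path; a leading "-" makes the line an exclusion


def parse_protections(spec: str) -> List[Grant]:
    """Parse the text form of a protections table ("p4 protect -o" output)."""
    grants: List[Grant] = []
    in_table = False
    for raw in spec.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Protections:"):
            in_table = True
            continue
        if not in_table:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed protections line: {raw!r}")
        grants.append(Grant(*parts))
    return grants


def audit_protections(grants: List[Grant]) -> List[str]:
    """Return human-readable findings, most severe first where possible."""
    findings: List[str] = []
    if not grants:
        # Perforce treats an empty protections table as "everyone is a superuser".
        findings.append("CRITICAL: empty protections table; every user is a superuser")
        return findings
    for g in grants:
        mode = g.mode.lstrip("=")
        if g.path.startswith("-"):
            continue   # exclusion lines remove access; they never grant it
        if mode in PRIVILEGED and g.kind == "user" and g.name == "*":
            findings.append(f"HIGH: any user gets {mode} on {g.path} from host {g.host}")
        elif mode in {"write", "admin"} and g.path == "//...":
            findings.append(f"MEDIUM: {g.kind} {g.name} gets {mode} on the entire depot from host {g.host}")
        if mode == "super" and g.host == "*":
            findings.append(f"MEDIUM: super for {g.kind} {g.name} is not pinned to an admin host")
    return findings


# Constructed sample: the table many installations are left with.
WEAK_TABLE = """
# A Perforce Protections Specification.
Protections:
\twrite user * * //...
\tsuper user admin * //...
"""

# Constructed sample: least-privilege version of the same table.
HARDENED_TABLE = """
Protections:
\tread group developers * //depot/...
\twrite group developers * //depot/main/...
\twrite group developers * -//depot/main/secrets/...
\tsuper user admin 10.0.0.12 //...
"""

if __name__ == "__main__":
    for label, table in (("weak", WEAK_TABLE), ("hardened", HARDENED_TABLE)):
        print(f"== {label} ==")
        for finding in audit_protections(parse_protections(table)) or ["no findings"]:
            print(" ", finding)
```

The audit covers authorization only; whether users must authenticate with a password at all is governed by the server's separate security level setting and is not checked here.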

VeriSign's iDefense Labs claimed that the attacks were perpetrated by "agents of the Chinese state or proxies thereof".

According to a diplomatic cable from the US Embassy in Beijing, a Chinese source reported that the Chinese Politburo directed the intrusion into Google's computer systems. The cable suggested that the attack was part of a coordinated campaign executed by "government operatives, public security experts and Internet outlaws recruited by the Chinese government." The report suggested that it was part of an ongoing campaign in which attackers have "broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002." According to The Guardian's reporting on the leak, the attacks were "orchestrated by a senior member of the Politburo who typed his own name into the global version of the search engine and found articles criticising him personally."

Once a victim's system was compromised, a backdoor connection that masqueraded as an SSL connection made connections to command and control servers running in Illinois, Texas and Taiwan, including machines running under stolen Rackspace customer accounts. The victim's machine then began exploring the protected corporate intranet it was part of, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories.
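A backdoor that only "masquerades" as SSL gives defenders a cheap check: a real TLS session starts with a ClientHello record, so a client talking on TCP/443 whose first bytes are not a well-formed TLS handshake record is worth a closer look. The following is an added example, not code from the article or from any of the vendors it cites, and it does not reproduce the real Aurora protocol (the article gives no byte-level detail). It inspects the first client payload of each flow; the flows are constructed for illustration.

```python
"""Flag connections to a TLS port whose first client bytes are not a TLS ClientHello.

Added example, not from the article or from McAfee/Symantec/Google. The
sample flows are constructed, not captures of real malware traffic.
"""
from dataclasses import dataclass
from typing import Iterable, List

TLS_RECORD_HANDSHAKE = 0x16
TLS_HS_CLIENT_HELLO = 0x01
# Record-layer versions a real ClientHello uses: SSL 3.0 through TLS 1.2
# (TLS 1.3 keeps 0x0301/0x0303 on the record layer for compatibility).
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first bytes the client sent after the TCP handshake


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS record carrying a ClientHello.

    Layout checked: [type:1][version:2][length:2][hs_type:1][hs_len:3]...
    """
    if len(payload) < 9:
        return False
    content_type = payload[0]
    record_version = int.from_bytes(payload[1:3], "big")
    record_len = int.from_bytes(payload[3:5], "big")
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if content_type != TLS_RECORD_HANDSHAKE or record_version not in TLS_RECORD_VERSIONS:
        return False
    if hs_type != TLS_HS_CLIENT_HELLO:
        return False
    # The 4-byte handshake header plus its body must fit inside the record.
    return hs_len + 4 <= record_len


def find_fake_tls(flows: Iterable[Flow], tls_ports=(443,)) -> List[Flow]:
    """Return flows to a TLS port that do not open with a ClientHello."""
    return [f for f in flows
            if f.dport in tls_ports and not looks_like_tls_client_hello(f.first_payload)]


def _build_client_hello(body: bytes) -> bytes:
    """Wrap a placeholder ClientHello body in handshake and record headers."""
    handshake = bytes([TLS_HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_RECORD_HANDSHAKE, 0x03, 0x01])
            + len(handshake).to_bytes(2, "big") + handshake)


# Constructed sample traffic: a genuine-looking ClientHello, plain HTTP sent to
# 443, a custom binary beacon on 443, and ordinary HTTP on 80.
SAMPLE_CLIENT_HELLO = _build_client_hello(b"\x03\x03" + bytes(32) + b"\x00")
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, SAMPLE_CLIENT_HELLO),
    Flow("10.0.0.7", "203.0.113.20", 443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    Flow("10.0.0.9", "203.0.113.30", 443, b"\xff\xff\xff\xff\x00\x00\x00\x10" + bytes(8)),
    Flow("10.0.0.11", "203.0.113.40", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for f in find_fake_tls(SAMPLE_FLOWS):
        print(f"non-TLS traffic on TLS port: {f.src} -> {f.dst}:{f.dport} "
              f"first bytes {f.first_payload[:8].hex()}")
```

The check deliberately stops at the record and handshake headers: it will not catch a backdoor that wraps its traffic in genuine TLS, but it separates "port 443" from "actually TLS", which is exactly the distinction a beacon that merely masquerades as SSL is relying on defenders not making.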

The attack was thought to have ended definitively on January 4, when the command and control servers were taken down, although it is not known at this point whether or not the attackers shut them down intentionally. However, attacks were still occurring as of February 2010.


Response and aftermath

The governments of Germany, Australia and France publicly issued warnings to Internet Explorer users after the attack, advising them to use an alternative browser at least until a fix for the security hole was released. These governments considered all versions of Internet Explorer vulnerable or potentially vulnerable.

In an advisory on January 14, 2010, Microsoft said that the attackers targeting Google and other US companies had used software that exploited a hole in Internet Explorer. The vulnerability affects Internet Explorer versions 6, 7 and 8 on Windows 7, Vista, Windows XP, Server 2003 and Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4.

The Internet Explorer exploit code used in the attack has been released into the public domain and has been incorporated into the Metasploit Framework penetration testing tool. A copy of the exploit was uploaded to Wepawet, a service for detecting and analyzing web-based malware operated by the computer security group at the University of California, Santa Barbara. "The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," said George Kurtz, CTO of McAfee, of the attack. "The now public computer code may help cyber criminals craft attacks that use the vulnerability to compromise Windows systems."

The security firm Websense said it identified "limited public use" of the unpatched IE vulnerability in drive-by attacks against users who strayed onto malicious Web sites. According to Websense, the attack code it spotted was the same as the exploit that went public the previous week. "Internet Explorer users currently face a real and present danger due to the public disclosure of the vulnerability and the release of attack code, increasing the possibility of widespread attacks," said George Kurtz, chief technology officer of McAfee, in a blog update. Confirming this speculation, Websense Security Labs identified additional sites using the exploit on January 19. According to reports from AhnLab, the second URL was spread through the instant messenger network Misslee Messenger, a popular IM client in South Korea.

Researchers have created attack code that exploits the vulnerability in Internet Explorer 7 (IE7) and IE8 even when Microsoft's recommended defensive measure, Data Execution Prevention (DEP), is turned on. According to Dino Dai Zovi, a security vulnerability researcher, "even the newest IE8 isn't safe from attack if it's running on Windows XP Service Pack 2 (SP2) or earlier, or on Windows Vista RTM (release to manufacturing), the version Microsoft shipped in January 2007."

Microsoft admitted that the security hole used had been known to them since September. Work on an update was prioritized, and on Thursday, January 21, 2010, Microsoft released a security patch aiming to counter this weakness, the published exploits based on it and a number of other privately reported vulnerabilities. They did not state whether any of the latter had been used or published by exploiters, or whether these had any particular relation to the Aurora operation, but the entire cumulative update was rated critical for most versions of Windows, including Windows 7.

Security researchers continued to investigate the attacks. HBGary, a security firm, released a report in which they claimed to have found some significant markers that might help identify the code developer. The firm also said that the code was Chinese-language based but could not be specifically tied to any government entity.

On February 19, 2010, a security expert investigating the cyber attack on Google claimed that the people behind the attack were also responsible for cyber attacks on several Fortune 100 companies over the previous year and a half. They also tracked the attack back to its point of origin, which appeared to be two Chinese schools, Shanghai Jiao Tong University and Lanxiang Vocational School. As highlighted by The New York Times, both schools have ties to the Chinese search engine Baidu, a rival of Google China. Both Lanxiang Vocational and Jiao Tong University have denied the allegations.

In March 2010, Symantec, which was helping investigate the attack for Google, identified Shaoxing as the source of 21.3% of all malicious emails sent worldwide.

To prevent future cyber attacks such as Operation Aurora, Amitai Etzioni of the Institute for Communitarian Policy Studies has suggested that the United States and China agree to a policy of mutually assured restraint with respect to cyberspace. This would involve allowing both states to take the measures they deem necessary for their self-defense while simultaneously agreeing to refrain from taking offensive steps; it would also entail vetting these commitments.


See also

  • Honker Union
  • Cyber-warfare
  • Titan Rain
  • Chinese intelligence activities in other countries
  • GhostNet
  • Economic and Industrial Espionage
  • Chinese Intelligence Operations in the United States
  • Vulcanbot


External links

  • Forget Blaming Microsoft or Google - Blame Yourself. AEON
  • Google China insiders may have helped with attacks. news.cnet.com
  • Operation Aurora - The Beginning of an Ultra-Sophisticated Hacker Attack Era! Sporkings.com, January 18, 2010
  • In Google We Trust: Why the corporate standoff with China could change the future of the Internet. Rafal Rohozinski interviewed by Jessica Ramirez of Newsweek, 2010.1.29
  • Cyber Attack
  • 'Google' Hackers Had Ability to Alter Source Code. Wired.com, March 3, 2010
  • 'Aurora Code' circulated for years on English-language sites. Where's the China connection?
  • Google was taken down by Chinese hairdressers. Curls and coloring for Westerners
  • Gross, Michael Joseph, "Enter the Cyber-dragon", Vanity Fair, September 2011.
  • Bodmer, S., Kilger, M., Carpenter, G., & Jones, J. (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media. ISBN 0-07-177249-9, ISBN 978-0-07-177249-5
  • Operation Aurora Internet Explorer exploit - live!
  • Operation Aurora overview by McAfee
  • Operation Aurora explained by CNET

Source of the article: Wikipedia
