Operation Aurora: Hacking Google
What happens when a country attacks a company? In 2009, Google found out and cybersecurity was never the same again.
An inside look at the historic attack in which the Google network was breached by a foreign government trying to access the Gmail accounts of human rights activists. In the wake of the breach, Google revolutionized its approach to security, overhauling everything and developing highly specialized teams of elite experts to stay ahead of the ever-evolving threat landscape.
In January 2010, Google disclosed that it had become a victim of a sophisticated cyberattack originating in China. The attackers targeted Google’s corporate network, which resulted in intellectual property theft and access to Gmail accounts of human rights activists. Besides Google, the attack also targeted over 30 companies in the fintech, media, internet, and chemical sectors.
These attacks were conducted by the Chinese Elderwood Group and were later named Operation Aurora by security experts. Operation Aurora was a series of targeted cyberattacks against dozens of organizations, including Google, Adobe, Yahoo, Symantec, Morgan Stanley, Rackspace, and Dow Chemical, among others. Google first shared details of the attacks in a blog post which stated that these were state-sponsored attacks.
Soon after Google’s announcement, more than 30 other firms revealed that the same adversary had breached their corporate networks.
The name of the attacks comes from references in the malware to a folder named “Aurora” found by McAfee researchers on one of the computers used by the attackers. This cyber espionage operation began with a phishing attack. Initially, the targeted users received a malicious URL in an email or instant message that initiated a series of events. When a user clicked the URL, it led to a website that executed further malicious JavaScript code.
The JavaScript code exploited a vulnerability in Microsoft Internet Explorer that was largely unknown at the time. The zero-day exploit allowed malware to run on Windows and set up a backdoor through which the attackers could take control of the system and steal credentials, intellectual property, or whatever else they were seeking.
Operation Aurora was a highly sophisticated and successful attack. But the real reasons behind the attack remain unclear. When Google disclosed the Aurora bombshell, it stated the following reasons and consequences:
- Intellectual Property Theft: The attackers targeted the corporate infrastructure, which resulted in intellectual property theft.
- Cyber Espionage: Google also said that the attacks were part of a cyber espionage operation that tried to infiltrate Gmail accounts of Chinese dissidents and human rights activists.
However, a few years later, a senior director of Microsoft stated that the attacks were actually meant to probe the US government, to check whether it had uncovered the identity of undercover Chinese agents performing their duties in the United States.
Operation Aurora is a widely discussed cyberattack because of the nature of the attacks. Here are a few key points that make it stand out:
- This was a highly targeted campaign in which the attackers had thorough intelligence on their targets. This might hint at the involvement of a larger organization and even nation-state actors.
- Cyber incidents happen all the time, but many companies don’t talk about them. For a company as sophisticated as Google, coming out and disclosing it in public is a big deal.
- Many security experts hold the Chinese government responsible for the attacks. If the rumors are true, then you’ve got a situation in which a government is attacking corporate entities in a manner never exposed before.
Four months after the attacks, Google decided to shut down its operations in China. It ended Google.com.cn and redirected all the traffic to Google.com.hk, Google's Hong Kong site, since Hong Kong operated under different laws from mainland China at the time.
The Operation Aurora attacks revealed that even organizations with significant resources like Google, Yahoo, and Adobe can still be victimized. If big IT companies with enormous funding can be hacked, then smaller firms with fewer resources will have a hard time defending against such attacks. However, Operation Aurora also taught us certain important lessons that can help us defend against similar attacks.
Beware of Social Engineering
The attacks highlighted the risk of the human element in cybersecurity. Humans remain the primary vector for attacks, and the social-engineering lure of clicking an unknown link hasn’t changed. Organizations need to educate employees on safe cybersecurity practices and on how they interact with technology.
Use Encryption
Attackers can use VPNs, proxy servers, and multiple layers of encryption to hide malicious communications on a network.
To detect and prevent the communications of compromised computers, all network connections must be monitored, particularly those leaving the company’s network. Identifying abnormal network activity, and in particular monitoring the volume of data leaving each PC, is a good way to evaluate its health.
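The egress monitoring described above, as an added example that is not part of the original article: each host's daily volume to external destinations is compared against the median of that host's own earlier days, so a machine that suddenly ships far more data out than it usually does is reported while large internal transfers are ignored. The flow records, host names and addresses are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for Internet destinations), and the internal ranges are assumed to be the RFC 1918 networks.

```python
"""Flag hosts whose daily outbound volume to external addresses jumps well above their own baseline.

Added example, not code from the original article. Flow records, hosts and addresses are constructed.
"""
import ipaddress
import statistics
from collections import defaultdict

# Address ranges treated as the company's own network (assumed); anything else counts as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def build_sample_flows():
    """Constructed flow log: (day, source_host, dst_ip, bytes_out). Days 1-5 are normal."""
    typical = {"ws-01": 21_000_000, "ws-02": 14_500_000, "ws-03": 24_000_000}
    flows = []
    for day in range(1, 7):
        for host, nbytes in typical.items():
            # ordinary browsing/update traffic, with a little day-to-day variation
            flows.append((day, host, "198.51.100.20", nbytes + day * 10_000))
    # a 2 GB backup to an internal file server: large, but not egress, so it must not be flagged
    flows.append((6, "ws-03", "10.0.0.5", 2_000_000_000))
    # ws-02 pushes ~400 MB to an external address on day 6: the pattern we want to surface
    flows.append((6, "ws-02", "203.0.113.10", 400_000_000))
    return flows


def is_external(ip_text):
    """True when the destination lies outside the internal ranges above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def daily_external_egress(flows):
    """Sum bytes sent to external destinations, per host and per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst_ip, nbytes in flows:
        if is_external(dst_ip):
            totals[host][day] += nbytes
    return totals


def find_egress_anomalies(flows, observed_day, factor=3.0, min_excess=50_000_000):
    """Compare each host's egress on observed_day with the median of its earlier days.

    A host is reported when its volume exceeds `factor` times its own median and the
    absolute excess is at least `min_excess` bytes (so tiny baselines don't cause noise).
    A host with no history gets a median of 0 and is judged on the absolute excess alone.
    """
    per_day = daily_external_egress(flows)
    baseline_days = sorted({day for day, *_ in flows if day < observed_day})
    anomalies = []
    for host, days in sorted(per_day.items()):
        history = [days.get(day, 0) for day in baseline_days]
        baseline = statistics.median(history) if history else 0
        observed = days.get(observed_day, 0)
        if observed - baseline >= min_excess and observed > factor * baseline:
            anomalies.append({
                "host": host,
                "observed_bytes": observed,
                "baseline_median_bytes": baseline,
                "ratio": round(observed / baseline, 1) if baseline else float("inf"),
            })
    return anomalies


if __name__ == "__main__":
    for hit in find_egress_anomalies(build_sample_flows(), observed_day=6):
        print(f"{hit['host']}: {hit['observed_bytes']:,} bytes out on day 6 "
              f"vs median {hit['baseline_median_bytes']:,} ({hit['ratio']}x)")
```

Using each host's own median rather than a single network-wide threshold keeps a naturally chatty workstation from being flagged every day, and the absolute `min_excess` floor stops a host that normally sends almost nothing from tripping the ratio on a few megabytes. In a real deployment the flow records would come from a firewall, NetFlow collector or proxy logs instead of the constructed list.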
Run Data Execution Prevention
Another way to minimize security threats is by running Data Execution Prevention (DEP) on your computer. DEP is a security feature that prevents code from running in regions of memory that are meant to hold only data.
You can enable it by going to System and Security > System > Advanced System Settings in Control Panel.
Turning on the DEP feature will make it harder for attackers to carry out Aurora-like attacks.
Aurora Google and the Way Forward
The world has never been more exposed to the risks of state-sponsored attacks than it is now. Since most companies now rely on a remote workforce, maintaining security is harder than ever.
Fortunately, companies are quickly adopting the zero-trust security approach that works on the principle of trusting no one without continuous verification.