Operation Aurora: a modern CTI deep dive into the 2009–2010 intrusion set
Operational CTI, incident response, nation-state tradecraft, CVE-2010-0249, Internet Explorer, Hydraq, Elderwood, IP theft, source code compromise, spearphishing, watering hole
1. Executive Summary
Operation Aurora refers to a cluster of targeted intrusions publicly disclosed in January 2010 after Google reported a “sophisticated cyber attack” originating from China and affecting Google and “more than twenty” other companies. According to Google’s January 2010 disclosure, the activity included attempts to access Gmail accounts associated with Chinese human rights activists and resulted in the theft of some Google intellectual property.
A key initial access vector was a then-unknown Internet Explorer remote code execution flaw later tracked as CVE-2010-0249, which Microsoft confirmed and patched via MS10-002. According to Microsoft’s Security Advisory 979352 and MS10-002, exploitation required a user to visit a specially crafted web page, enabling remote code execution under the user’s context.
Multiple security vendors and subsequent analyses link Aurora-era tooling to the Hydraq backdoor and to a suspected China-nexus intrusion set commonly referred to as Elderwood. MITRE’s group and software knowledge bases explicitly associate both Elderwood (G0066) and Hydraq (S0203) with Operation Aurora. See MITRE’s Elderwood profile and MITRE’s Hydraq entry.
2. Contextual Background
2.1 Nature of the threat
Campaign characterisation. Aurora is best understood as an early, highly visible example of modern cyber-espionage: tightly scoped targeting, social engineering, exploitation of a client-side zero-day, and follow-on deployment of a remote access capability to enable internal reconnaissance and data theft.
Primary vulnerability. The Internet Explorer flaw exploited in Aurora is tracked as CVE-2010-0249, described by NVD as a use-after-free condition enabling remote code execution, exploited in the wild during the timeframe associated with Operation Aurora.
- Microsoft Advisory for CVE-2010-0249
- NVD
Microsoft’s corresponding patch vehicle is Microsoft Security Bulletin MS10-002.
2.2 Threat-actor attribution
Attribution remains contested. Google’s public statements described the activity as originating from China but did not publicly name a specific state entity. See Google’s January 2010 post and the subsequent March 2010 update.
Elderwood association (Possible). MITRE lists Elderwood as “suspected” and “reportedly responsible” for the 2009 Google intrusion known as Operation Aurora. This is not a judicial attribution, but it is a widely repeated CTI linkage. Confidence: Possible (credible CTI linkage, not formally confirmed by a government indictment).
Tooling association (Likely). Hydraq is described by MITRE as “first used by Elderwood in the 2009 Google intrusion known as Operation Aurora.” Confidence: Likely (multiple CTI sources align on Hydraq as Aurora-era tooling; still, “Hydraq” is a vendor/common name applied to a family).
- MITRE ATT&CK: Hydraq (S0203)
Additional technical commentary from Sophos discussed code artefacts and development timelines tied to Aurora tooling, while noting the limits of “hard evidence” for state sponsorship. See Sophos analysis.
2.3 Sector and geographic targeting
Who was targeted. Google publicly stated that more than twenty other companies were impacted in addition to Google. See Google’s disclosure and Google’s follow-up update. Public reporting and vendor analyses commonly discuss a concentration on high-value technology and IP-rich organisations, including software and security vendors.
Why these sectors. Reporting at the time strongly emphasised intellectual property theft and potential access to software development assets. For example, Wired summarised McAfee’s assessment that attackers targeted source code management systems as a route to “crown jewel” IP. See Wired’s March 2010 coverage.
3. Technical Analysis
3.1 Intrusion chain and mapped TTPs
While Aurora variations likely differed by victim, publicly described flows commonly include:
- Targeted social engineering to drive a browser session to attacker-controlled content
  - Spearphishing containing links or lures that lead to a malicious page.
  - MITRE mapping: T1566.002 (Spearphishing Link)
- Client-side exploitation in Internet Explorer
  - The malicious content triggered exploitation of CVE-2010-0249, enabling code execution when the page was viewed in Internet Explorer.
  - Microsoft confirmed IE as a vector used in targeted attacks and provided mitigations via advisory 979352 and later the MS10-002 patch. See Microsoft MSRC blog and Security Advisory 979352.
  - MITRE mapping: T1203 (Exploitation for Client Execution)
- Payload delivery and execution (Hydraq and related components)
  - Vendor writeups describe the exploit downloading and running an executable which installed a remote access Trojan and enabled remote operators to interact with the host. See McAfee’s January 2010 details.
  - MITRE mapping (high-level, based on described behaviour): T1105 (Ingress Tool Transfer)
- Command and control over common web protocols
  - C2 was described as blending into typical web traffic patterns (HTTP/HTTPS-style communications are commonly referenced in public reporting). See McAfee’s writeup.
  - MITRE mapping: T1071.001 (Application Layer Protocol: Web Protocols)
- Internal discovery, lateral movement, and theft of sensitive data
  - Public narratives focus on theft of IP and attempts to access specific account information. Google’s public disclosure highlighted both the IP theft element and the targeting of activist-related accounts. See Google’s disclosure.
  - Where source code systems were targeted, the objective aligns with theft or manipulation of IP repositories, as summarised in Wired’s reporting on McAfee’s assessment.
  - MITRE mapping (objective-level): TA0010 (Exfiltration), with technique selection dependent on what is observed in telemetry.
3.2 Exploitation status and public PoC
Exploited in the wild (historical). NVD explicitly notes exploitation in the wild in December 2009 and January 2010 in connection with Operation Aurora.
Vendor confirmation of active targeting. Microsoft stated that Internet Explorer was “one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.”
Exploit code disclosure context (historical). Microsoft also acknowledged public exploit code for the vulnerability shortly after the advisory, increasing risk of broader opportunistic abuse at that time.
4. Impact Assessment
4.1 Severity and scope
Technical severity. CVE-2010-0249 enables remote code execution via browser-based exploitation, historically affecting multiple IE versions across supported Windows platforms at the time. See MS10-002 and NVD.
Business impact. The campaign is frequently cited as a watershed moment because it highlighted the strategic value of targeting software development assets and intellectual property, not only traditional PII or financial records. Google confirmed theft of some of its intellectual property.
- Google’s disclosure
- Additional context on source code targeting: Wired coverage
4.2 Victim profile
Based on public disclosures and contemporaneous reporting, impacted organisations included large multinational enterprises with high-value IP and strategic geopolitical relevance. Google stated that the targeting extended beyond Google to more than twenty other companies.
5. Indicators of Compromise (IOCs)
Note on IOC completeness: Many Aurora-era technical indicators (specific C2 domains, IPs, file hashes) were not consistently preserved in modern, publicly accessible repositories, and several original distribution sites were reportedly taken offline quickly. Where sources do not publish concrete values, they are not reproduced here.
5.1 IOC table
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| Vulnerability | CVE-2010-0249 | Internet Explorer RCE used as an exploitation vector in targeted attacks associated with Aurora | Microsoft Advisory for CVE-2010-0249, NVD |
| Patch reference | MS10-002 | Microsoft bulletin that addressed CVE-2010-0249 | Microsoft Security Bulletin MS10-002 |
| Malware family | Hydraq | Trojan/backdoor family associated with the Aurora intrusion set | MITRE: Hydraq (S0203) |
| Threat group | Elderwood | Suspected group linked by CTI reporting to Operation Aurora | MITRE: Elderwood (G0066) |
| Detection naming | Exploit-Comele / Roarur.* | Example AV detection names referenced as coverage for associated components | McAfee details |
| Targeting objective | Gmail account metadata / activist-linked targeting | Google stated the attackers sought to access activist-related Gmail accounts, with limited access observed | Google’s disclosure |
5.2 Detection guidance
Because public, machine-ready rulesets for Aurora’s original droppers and C2 infrastructure are not consistently maintained, detection should focus on behavioural patterns that align with the described intrusion chain:
- Exploit prevention and browser telemetry
  - Block or tightly control legacy IE usage; monitor for anomalous IE child-process creation and suspicious DLL loads consistent with exploit chains. Microsoft documented mitigations and the eventual fix via MS10-002. See MS10-002 and Advisory 979352.
- EDR analytics for ingress tool transfer and persistence
  - Watch for browser-originated downloads immediately followed by new autorun entries or suspicious startup persistence consistent with a “RAT to load at startup”, as described by McAfee. See McAfee’s writeup.
  - MITRE analytic anchors: T1105 (Ingress Tool Transfer), and T1547 (Boot or Logon Autostart Execution) if persistence is observed in artefacts.
- Network detection for suspicious web-protocol C2
  - Identify workstation-to-internet patterns consistent with a newly installed backdoor beaconing over web protocols, especially unusual destinations contacted immediately after a browser exploitation sequence. This aligns with T1071.001 and the general C2 descriptions in McAfee’s summary.
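As an added illustration of the endpoint analytics above (example code, not from any of the cited vendors or from the original reporting), the following correlates a constructed telemetry export for the sequence the chain describes: the browser writes an executable, launches it, and an autostart Run key is then written. The pipe-delimited event format, host names, file paths and the fifteen-minute window are assumptions.

```python
"""Correlate constructed endpoint telemetry for the Aurora-style sequence:
browser writes an executable -> browser launches it -> autostart key written."""
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"iexplore.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
WINDOW = timedelta(minutes=15)   # max time from the drop to the persistence write

# Constructed telemetry (hypothetical ts|host|type|subject|object export), not real Aurora artefacts
SAMPLE = [
    r"2010-01-12T09:14:03|WS-DEV-07|process|iexplore.exe|iexplore.exe",
    r"2010-01-12T09:14:20|WS-DEV-07|filewrite|iexplore.exe|c:\users\dev\appdata\local\temp\svc.exe",
    r"2010-01-12T09:14:21|WS-DEV-07|process|iexplore.exe|c:\users\dev\appdata\local\temp\svc.exe",
    r"2010-01-12T09:14:25|WS-DEV-07|registry|hklm\software\microsoft\windows\currentversion\run|svc",
    r"2010-01-12T10:02:11|WS-FIN-02|filewrite|iexplore.exe|c:\users\fin\downloads\setup.exe",
    r"2010-01-12T11:30:00|WS-FIN-02|registry|hkcu\software\microsoft\windows\currentversion\run|updater",
]

def parse_event(line):
    # subject is the parent process / writing process / registry key; object is the child / file / value
    ts, host, kind, subj, obj = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "type": kind, "subj": subj.lower(), "obj": obj.lower()}

def detect_chain(lines):
    """Return {host: [ATT&CK ids]} for hosts showing the full drop -> launch ->
    Run-key sequence within WINDOW; partial sequences do not alert."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        dropped, started, techniques = None, None, []
        for ev in evs:
            if started and ev["ts"] - started > WINDOW:      # window expired: start over
                dropped, started, techniques = None, None, []
            if ev["type"] == "filewrite" and ev["subj"] in BROWSERS and ev["obj"].endswith(".exe"):
                dropped, started, techniques = ev["obj"], ev["ts"], ["T1105"]   # ingress tool transfer
            elif dropped and ev["type"] == "process" and ev["subj"] in BROWSERS and ev["obj"] == dropped:
                techniques.append("T1203")    # browser executing what it just wrote: exploit-driven execution
            elif "T1203" in techniques and ev["type"] == "registry" and ev["subj"].endswith(RUN_KEYS):
                techniques.append("T1547")    # autostart persistence closes the sequence
                alerts[host] = techniques
                break
    return alerts
```

Running `detect_chain(SAMPLE)` flags only WS-DEV-07; WS-FIN-02 has a browser download and a later Run-key write, but no launch and an 88-minute gap, so it does not alert.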
6. Incident Response Guidance
6.1 Containment, eradication, and recovery
Containment
- Isolate suspected endpoints where exploitation is observed (especially legacy IE hosts) and preserve volatile data where possible before reboot. The Aurora chain, as described publicly, relies on post-exploitation remote access. See McAfee’s summary and Microsoft’s targeted-attack context in MSRC guidance.
- Temporarily restrict outbound web traffic from high-risk user segments (developers, build engineers, source code administrators) pending triage, given the historical focus on IP and code repositories noted by Google and reporting on source code targeting. See Google disclosure and Wired coverage.
Eradication
- Patch vulnerable systems using the vendor’s fix (MS10-002) where relevant to historical environments, and remove legacy browsers from operational use. See MS10-002.
- Hunt for and remove Hydraq-related artefacts and persistence mechanisms consistent with a startup-loaded RAT, as described in vendor reporting. See MITRE Hydraq and McAfee’s details.
Recovery
- Reset credentials for impacted users, prioritising privileged developers and administrators, and validate repository integrity (commit history, access controls, build pipeline trust).
- Re-issue keys and certificates if there is any indication of code-signing compromise, and re-baseline CI/CD runners and developer workstations.
6.2 Forensic artefacts to collect and preserve
- Endpoint
  - Browser cache/history relevant to the exploitation timeframe.
  - Process execution chains around Internet Explorer and any anomalous child processes.
  - Persistence artefacts (startup folders, registry Run keys, scheduled tasks).
  - RAT configuration files or embedded C2 strings where recoverable.
- Network
  - Proxy logs and DNS logs for unusual destinations following browser sessions.
  - Full packet capture for suspected beaconing windows (where available).
- Identity and code systems
  - Authentication logs for source code management systems and developer SSO.
  - Repository audit logs and unusual access patterns, consistent with the “crown jewel” targeting described in reporting. See Wired coverage.
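The proxy-log triage described in the network artefacts above and in the detection guidance in 5.2, as an added example (not code from the original reporting): given constructed proxy lines and the suspected exploitation time for one host, it returns destinations first contacted after that time whose request intervals are regular enough to look like a newly installed backdoor beaconing (T1071.001). The three-column log format, host names, example domains and the periodicity thresholds are assumptions.

```python
"""Triage constructed proxy log lines for regular web-protocol beaconing
(T1071.001) from one host to destinations first contacted after a suspected
browser exploitation time."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed "timestamp host destination" lines (hypothetical format), not real Aurora infrastructure
SAMPLE = [
    "2010-01-12T09:10:00 WS-DEV-07 mail.example.com",   # contacted before the lure: ignored
    "2010-01-12T09:14:18 WS-DEV-07 lure.example.net",   # the lure page itself
    "2010-01-12T09:15:00 WS-DEV-07 c2.example.org",
    "2010-01-12T09:20:00 WS-DEV-07 c2.example.org",
    "2010-01-12T09:25:02 WS-DEV-07 c2.example.org",
    "2010-01-12T09:29:58 WS-DEV-07 c2.example.org",
    "2010-01-12T09:31:00 WS-DEV-07 news.example.com",   # irregular browsing: not a beacon
    "2010-01-12T09:33:00 WS-DEV-07 news.example.com",
    "2010-01-12T09:55:00 WS-DEV-07 news.example.com",
    "2010-01-12T09:16:00 WS-FIN-02 c2.example.org",     # other host: out of scope for this query
]

def parse_proxy_line(line):
    ts, host, dest = line.split()
    return datetime.fromisoformat(ts), host, dest

def find_beacons(lines, suspect_host, after_iso, min_hits=4, max_cv=0.2):
    """Return {destination: mean interval in seconds} for destinations the suspect
    host first contacted after `after_iso`, with at least min_hits requests whose
    inter-request gaps are regular (coefficient of variation <= max_cv)."""
    after = datetime.fromisoformat(after_iso)
    times = defaultdict(list)
    for line in lines:
        ts, host, dest = parse_proxy_line(line)
        if host == suspect_host:
            times[dest].append(ts)
    beacons = {}
    for dest, ts_list in times.items():
        ts_list.sort()                      # log export order is not guaranteed
        if ts_list[0] < after or len(ts_list) < min_hits:
            continue   # known before exploitation, or too few requests to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[dest] = round(avg)
    return beacons
```

With `find_beacons(SAMPLE, "WS-DEV-07", "2010-01-12T09:14:00")` only c2.example.org is returned (roughly 300-second intervals); the pre-existing mail destination and the irregular news browsing are excluded.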
6.3 Lessons learned and preventive recommendations
- Treat developer environments as Tier 0 assets: hardened endpoints, strong MFA, strict conditional access, and monitored egress.
- Explicitly threat model source code platforms and build pipelines, reflecting the historical emphasis on IP and code asset access highlighted in public reporting. See Google disclosure.
7. Threat Intelligence Contextualisation
7.1 Similar incidents and tradecraft parallels
Aurora is frequently cited as a precursor to broader industry awareness of:
- Zero-day enabled initial access against enterprise targets, later studied in academic work on real-world zero-day exploitation (Aurora/Hydraq is explicitly referenced as an example). See Bilge and Dumitras’ “Before We Knew It” paper.
- Watering hole tradecraft used in China-nexus espionage activity, which Symantec discussed in the Elderwood context. See Symantec’s “Elderwood Project” slides (PDF) and contextual reporting on watering hole tactics in espionage campaigns such as KrebsOnSecurity’s 2012 writeup.
7.2 Full MITRE ATT&CK mapping (publicly described behaviours)
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1566.002 | Spearphishing Link | Targeted lures driving users to attacker-controlled content (commonly described in Aurora narratives) |
| Execution | T1203 | Exploitation for Client Execution | IE exploitation of CVE-2010-0249 via crafted web content, per Microsoft and NVD |
| Command and Control | T1071.001 | Web Protocols | Backdoor communications consistent with web traffic patterns, per vendor reporting |
| Command and Control | T1105 | Ingress Tool Transfer | Payload delivery and secondary tooling enabled by initial exploitation, per vendor reporting |
| Exfiltration | TA0010 | Exfiltration | Theft of IP and sensitive account-related information described by Google and subsequent reporting |
8. Mitigation Recommendations
8.1 Actionable hardening steps
- Eliminate or isolate legacy browser exposure: Internet Explorer exploitation was central to the Aurora chain; ensure legacy browser dependencies are removed or heavily sandboxed. See MS10-002 and Microsoft’s advisory context.
- Browser and endpoint exploit controls: Enforce modern exploit mitigations, EDR tamper protection, application control for developer workstations, and script restrictions where feasible.
- Developer environment segmentation: Separate dev/build assets from standard user browsing networks; apply least privilege and strong auditing to repositories and CI/CD.
8.2 Patch management advice
- Prioritise known-exploited vulnerabilities: CVE-2010-0249 is historically a known-exploited-in-the-wild flaw per NVD and Microsoft’s targeted-attack statements.
- Patch reference: Microsoft Security Bulletin MS10-002
- Vulnerability reference: NVD
- Interim mitigations (historical context): Microsoft provided guidance in advisory 979352 for customers prior to patch availability and updated it as exploit code became public.
9. Historical Context & Related Vulnerabilities
9.1 Related exploitation patterns
Aurora is often discussed alongside later China-nexus intrusion sets that operationalised repeated use of zero-days and watering hole infrastructure. Symantec’s Elderwood research describes a broader “attack platform” approach leveraging both spearphishing and web-based injections.
9.2 Related coverage
- Google’s original and follow-up public statements remain foundational for understanding stated objectives and impacts. See Google’s January 2010 disclosure and the March 2010 update.
10. Future Outlook
Aurora’s enduring relevance is less about the specifics of Internet Explorer and more about the model it helped popularise: strategic targeting of IP-rich organisations using a blend of social engineering, zero-day exploitation, and bespoke malware to reach high-value internal systems.
Two trends first made broadly visible to many defenders during the Aurora era remain persistent today:
- Exploit-led initial access will continue where strategic value is high. Academic work on zero-day exploitation highlights the value and real-world deployment of such capabilities, with Hydraq/Aurora repeatedly used as a reference point. See Bilge and Dumitras’ paper.
- Development environments will remain prime targets. Public reporting on Aurora’s focus on source code management systems helped cement a long-running lesson: if an adversary can compromise code, build systems, or signing, downstream compromise scales dramatically. See Wired’s reporting.
11. Further Reading
Vendor and primary statements
- Google’s January 2010 disclosure: “A new approach to China”
- Google’s March 2010 update on the China decision and attack context
- Microsoft Security Advisory 979352 for CVE-2010-0249
- Microsoft Security Bulletin MS10-002
ATT&CK references
- MITRE ATT&CK: Elderwood (G0066)
- MITRE ATT&CK: Hydraq (S0203)
Additional technical and analytical context
- Sophos analysis: “Operation Aurora: Clues in the Code”
- Symantec: “The Elderwood Project” (PDF)
- NVD entry for CVE-2010-0249
- Academic study of zero-day exploitation referencing Hydraq/Aurora (PDF)
