Operation Aurora was one of the first instances of a complex, state-sponsored cyber attack targeting multiple industries. It allegedly originated from China and targeted some of the most significant multinational corporations worldwide. The name “Aurora” was derived from a file path found in the malware used in the attacks. The attack marked a turning point in cybersecurity, bringing state-sponsored cyber threats into the limelight.
The Adversaries and Their Prior Work
The exact identity of the perpetrators of Operation Aurora remains unconfirmed, but numerous indicators suggest it originated in China. The adversaries demonstrated advanced capabilities, suggesting that they were part of a well-resourced group or agency. Prior to Aurora, similar patterns of sophisticated, targeted attacks had been observed, hinting at an escalating trend. These threat actors typically aimed to steal intellectual property or gain geopolitical advantage, and their previous activities provided a blueprint for the techniques employed in Operation Aurora.
The Aurora Attack: A Step-By-Step Breakdown
- Initial Compromise: The attack began with a spearphishing email sent to select employees in the targeted companies. This email contained a link that, when clicked, redirected users to a malicious website.
- Exploitation: The website exploited a then-unknown vulnerability in Microsoft’s Internet Explorer (IE). This vulnerability, later designated CVE-2010-0249 in the NVD, allowed the attackers to execute arbitrary code via a crafted web page viewed in IE.
- Installation of Malware: Once the vulnerability was exploited, a Trojan horse program was installed on the victim’s computer.
- Command and Control (C2): The installed malware then established a connection to the C2 servers, enabling the adversaries to control the infected systems remotely. The C2 communication was typically carried over HTTP and HTTPS, blending in with normal web traffic to avoid detection.
- Lateral Movement and Data Exfiltration: The adversaries then moved laterally within the network, exploiting additional systems, and began to exfiltrate sensitive data to their own servers.
The Trojan Horse
The Trojan horse used in Operation Aurora was a sophisticated piece of malware that could download additional modules, escalate privileges, evade detection, and establish persistence on a victim’s system. Once installed, it allowed the attackers to execute commands, steal sensitive data, and even modify system settings.
MITRE ATT&CK Tactics
The Aurora attack involved several tactics identified in the MITRE ATT&CK framework:
- Spearphishing Link (T1192): The initial compromise was achieved through a spearphishing email containing a malicious link.
- Exploitation for Client Execution (T1203): The attackers exploited a vulnerability in Internet Explorer to install malware on the victim’s machine.
- Command and Control (T1071): The malware communicated with the C2 servers over standard HTTP and HTTPS protocols.
- Data Exfiltration (T1041): Sensitive data was exfiltrated from the victim’s network to the attacker’s servers.
This seminal blog post was published by Google in January 2010, detailing the company’s decision to review its operations in China following a sophisticated and targeted cyber attack, later known as Operation Aurora. Google stated that the attacks, originating from China, aimed to compromise the Gmail accounts of Chinese human rights activists and to steal intellectual property from Google and at least twenty other large companies. The blog post marked a turning point in the world of cybersecurity, signifying the new challenges posed by state-sponsored cyber espionage.
Google. “A New Approach to China.” Google Official Blog, 12 Jan. 2010, https://googleblog.blogspot.com/2010/01/new-approach-to-china.html.