China-Related Cyber Attacks on Major Firms (“Aurora”)

January 18, 2010
by Robert Lemos

In mid-December, Google discovered that attackers coming from China had breached its network. The attacks were “highly sophisticated and targeted,” and the attackers stole intellectual property. Evidence from a server used as a data drop showed that at least 20 — and possibly as many as 33 — other companies were attacked. In Google’s case, at least two Gmail accounts belonging to human-rights advocates in China were monitored by the attackers in a limited way.

I’ve completely revamped this page to make it more easily readable and with sources collected at the end. This page will be updated to reflect the current status of what is known about the attackers, the techniques used, and the victims. If you have any information on the attacks, or comments on how better to present this information, feel free to contact me.

Latest News

January 18, 2010 Security researcher Dino Dai Zovi claims [SecFocus-0118] that he is able to get the Internet Explorer exploit working on Internet Explorer 7 for Windows XP and Vista. Foreign journalists in China have reportedly [IDG-0118] had their Gmail accounts hacked. Attackers operating a server in Taiwan appear to be using malicious PDF files [FSec-0118] to compromise and exfiltrate data from defense contractors. Google is investigating whether an insider may have helped the attacker, according to Reuters [Reuters-0118].

Current Questions

1. Google pinpointed China as the source of attacks. Did the attacks actually originate in China? Was the government involved?
2. Early reports focused on recent flaws in Adobe’s Reader and Acrobat. Were those flaws used in any of the attacks?

Events

In mid-December, Google discovered that its network had been breached by attackers coming from China. The attacks were “highly sophisticated and targeted,” [Google-0112] and the attackers stole intellectual property. The attackers also got some information from two Gmail accounts belonging to human-rights advocates in China. They were only able to access some account information and the subject lines of the e-mail messages, not the complete contents.

Both the Internet addresses of the source of the attack and those of the server where exfiltrated information was sent correspond to “a single foreign entity, consisting either of agents of the Chinese state or proxies thereof.” [iDefense-0113]

The attackers in many of the cases used a zero-day flaw in Adobe Acrobat and dropped the Hydraq trojan. [Wired-0113][iDefense-0114]

The attackers in at least one case used a zero-day flaw in Microsoft’s Internet Explorer to drop malicious code onto the victim’s PC. McAfee researchers [McAfee-0114] analyzed several samples from clients and affected firms.

The attackers essentially conducted surveillance by accessing the features of Google’s network that enable law enforcement to conduct wiretaps. Attributed to an unnamed source in [IDG-0113].

The attackers exfiltrated the data to a compromised server hosted by Rackspace [WSJ-0113], before moving it overseas. Rackspace is not considered a victim, because, while they hosted the site [RSpace-0113], the owner was in charge of administration.

Companies Affected

“at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors” [Google-0112]

Google plus 33 other companies [iDefense-0113]

  • Google [Google-0112]
  • Adobe: Likely [WSJ-0113]
  • Microsoft: Official statement [MSFT-0113] says none of the company’s “mail properties” were affected.
  • Juniper, according to an anonymous source interviewed by UnsafeBits
  • Symantec, according to anonymous congressional and industry sources in [WaPo-0114]
  • Yahoo, according to anonymous congressional and industry sources in [WaPo-0114]
  • Northrop Grumman, according to anonymous congressional and industry sources in [WaPo-0114]
  • Dow Chemical, according to anonymous congressional and industry sources in [WaPo-0114]

The Attackers

Attacks “originated from China,” according to [Google-0112]. (Note: Several security experts interviewed by UnsafeBits have stated that Google’s assertion means the company must be fairly certain that it has correctly tracked the source of attacks.)

Attacks were launched from six IP addresses located in Taiwan, a common staging ground for Chinese espionage, according to the director of the Center for Intelligence Research and Analysis at Defense Group Inc. [WSJ-0113]

The attacks appear to be connected to a targeted attack using PDF files sent to 100 IT-focused organizations in July 2009. Details gathered by iDefense show a high correlation between the two attacks: both used PDF files to deliver a malicious payload, dropped Windows DLL files to compromise the victims’ machines, and communicated with C&C servers on the same subnet hosted by a single provider. [iDefense-0114]

Reports of the attack seem similar to attacks on CYBERsitter in June 2009 and on the company’s law firm, which is suing China, two Chinese developers, and seven PC makers for IP violations. (Source: Comparisons of Google’s description of attacks with those of CYBERsitter and its law firm, Gipson Hoffman & Pancione in [UnsafeBits-0115])

Change History

January 14, 2010 Updated with Rackspace comment and reports of attacks on U.S. law firm. Updated with latest victims from Washington Post report and with additional vector — via a previously unknown Internet Explorer flaw — as reported by McAfee.
January 15, 2010 First reports of public code exploiting the Internet Explorer vulnerability.

Sources

[Bloom-0115] Lakshmanan, Indira A.R. U.S. Will Protest to China Over Google Cyber Attack, Bloomberg, Web: 15 January 2010.
[FSec-0118] Hypponen, Mikko. On-going Targeted attacks against US Military contractors, F-Secure’s Research Blog, Web: 18 January 2010.
[Google-0112] Drummond, David. A New Approach to China, The Official Google Blog, Web: 12 January 2009.
[iDefense-0113] iDefense corporate statement e-mailed to UnsafeBits, 13 January 2010.
[iDefense-0114] UnsafeBits interview with iDefense spokesperson, 14 January 2010.
[IDG-0113] McMillan, Robert. Google Attack Part of Widespread Spying Effort, IDG News, Web: 13 January 2010.
[IDG-0118] Fletcher, Owen. Gmail of Foreign Journalists in China Hijacked, IDG News, Web: 18 January 2010.
[McAfee-0114] Kurtz, George. Operation “Aurora” Hit Google, Others, McAfee Security Insights Blog, Web: 14 January 2010.
[MSFT-0113] Microsoft statement to press sent to UnsafeBits. 13 January 2010.
[Reuters-0118] Google probing possible inside help on attack, Reuters, Web: 18 January 2010.
[RSpace-0113] Stephensen, Fran. Rackspace Response to Cyber Attacks, Rackspace Web site, Web: 13 January 2010.
[SecFocus-0118] Lemos, Robert. Attack on IE 0-day refined by researchers, SecurityFocus, Web: 18 January 2010.
[UnsafeBits-0115] Lemos, Robert. Of Tailored Attacks and Chinese Trojans, UnsafeBits, Web: 15 January 2010.
[WaPo-0114] Cha, Ariana Eunjung and Ellen Nakashima, Google China cyberattack part of vast espionage campaign, experts say, Washington Post, Web: 14 January 2010.
[Wired-0113] Zetter, Kim. Google Hackers Targeted Source Code of More Than 30 Companies, Wired.com, Web: 13 January 2010.
[WSJ-0113] Vascellaro, Jessica E., Jason Dean and Siobhan Gorman. Google Warns of China Exit Over Hacking, Wall Street Journal, 13 January 2010.
