Security Blog

What Happened with Google?

Copyright 2010 Aurora Group, Inc.  All Rights Reserved


The attack on Google and some 30 other companies in late 2009 generated a lot of buzz about APTs, or Advanced Persistent Threats.  This article covers what is known about the Google attack and discusses APTs in general.  A future article will cover APT defense.

The Google attack came to light with a post on the official Google Blog titled "A New Approach to China".  It is unusual for a company to admit being the victim of an attack, but the scale of this one was so large, and not limited to Google, that they apparently felt the need to go public.  With few exceptions, the other 30 or so companies targeted have not been identified.

In the blog post, Google identified the primary goal of the attackers as accessing the Gmail accounts of Chinese human rights activists.  Third-party reports, including this article from Wired, indicate that the goal of the attack was intellectual property such as source code, financial data, and trade secrets.  More recently, the New York Times reported that the intruders acquired at least parts of Gaia, Google's single sign-on system.  The attackers were able to gain access to the source code control system.  This is particularly worrisome: with write access an intruder could insert a trojan into the code base, and with read access alone they can study the code for weaknesses.

A breach of this magnitude is a security nightmare.  Nothing on the breached system can be trusted, nor anything on other systems that have trusted connections to it.  If you have access to a development system, for example, you can modify the compiler so that it inserts backdoor code into any or all of the programs it generates.  The pernicious part is that this can be done so that the backdoor is nearly impossible to find without single-stepping through the generated code (assuming your debugger has not itself been modified to hide the backdoor), and so that the compiler re-inserts the modification even when it is rebuilt from clean source.  This article has a short description of the technique described by Ken Thompson in his 1984 Turing Award lecture, "Reflections on Trusting Trust".
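The following is an added toy reconstruction of Thompson's technique, written for this post and not taken from Thompson's paper or from any real compiler.  The "compiler" is a source-to-source transform over Python text and "running a binary" means executing the transformed text; the login program, the magic password "aurora-backdoor" and the marker string are all constructed for the illustration.  The point it demonstrates is the one made above: once the compiler binary is trojaned, rebuilding the compiler from its clean, audited source still produces a trojaned compiler.

```python
"""Toy reconstruction of Ken Thompson's "trusting trust" compiler backdoor.

Constructed illustration: the "compiler" is a text transform over Python
source and "running" a program means exec'ing the transformed text.
"""

# The attacker's one-time insertion. It carries its own text (SELF) so it can
# re-insert itself whenever it sees the compiler being compiled; that is what
# makes the clean compiler source useless as evidence of a clean binary.
TROJAN = r'''
def _trojan(source):
    SELF = @@SELF@@
    out = []
    for line in source.splitlines(keepends=True):
        out.append(line)
        if line.startswith("def login("):
            # backdoor 1: any login built by this compiler accepts the magic password
            out.append('    if password == "aurora-backdoor":\n        return True\n')
        if line.startswith("def compile("):
            # backdoor 2: any compiler built by this compiler runs the trojan first
            out.append('    source = _trojan(source)\n')
    if "def compile(" in source:
        # append our own definition so the new compiler carries the trojan too
        out.append(SELF.replace("@@" + "SELF" + "@@", repr(SELF)))
    return "".join(out)
'''

# Clean, auditable compiler source: an identity transform, nothing hidden.
CLEAN_COMPILER_SRC = '''
def compile(source):
    return source
'''

# Clean application source (constructed sample).
LOGIN_SRC = '''
USERS = {"alice": "s3cret"}

def login(user, password):
    return USERS.get(user) == password
'''


def load(source):
    """Execute compiled source and return its namespace (the 'binary')."""
    namespace = {}
    exec(source, namespace)
    return namespace


def trojaned_compiler_src():
    """The attacker's hand modification: run the trojan over the clean compiler once."""
    first = load(TROJAN.replace("@@SELF@@", repr(TROJAN)))["_trojan"]
    return first(CLEAN_COMPILER_SRC)


def backdoor_works(compiler_ns, program_src=LOGIN_SRC):
    """True if a login program built by this compiler accepts the magic password."""
    program = load(compiler_ns["compile"](program_src))
    return program["login"]("alice", "aurora-backdoor")


if __name__ == "__main__":
    clean = load(CLEAN_COMPILER_SRC)
    gen0 = load(trojaned_compiler_src())
    # Rebuild the compiler from its CLEAN source using the trojaned compiler:
    gen1 = load(gen0["compile"](CLEAN_COMPILER_SRC))
    print("clean compiler  :", backdoor_works(clean))  # False
    print("gen0 (trojaned) :", backdoor_works(gen0))   # True
    print("gen1 (rebuilt)  :", backdoor_works(gen1))   # True, although its source is clean
```

In this toy the "binary" is still readable text, so you can open the output of `trojaned_compiler_src()` and see the inserted function; with a real compiler the equivalent code exists only in machine code, which is why the defence is to compare builds from independent toolchains rather than to audit source.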

How did the attackers gain access to Google?  This is quite murky.  The New York Times article states that the attack began when an instant message was sent to a Google employee in China directing them to a poisoned web site.  This is an example of "spear phishing", a phishing attack aimed at specific users.  The web page carried a zero-day "drive-by" exploit.  A "zero-day" exploit targets a vulnerability that the vendor and defenders do not yet know about, so no patch exists; a "drive-by" exploit is code in the web page that the browser executes as soon as the page is rendered.  No action other than visiting the page is required of the user.

Initially, vulnerabilities in both Internet Explorer and Adobe software were blamed, but the Adobe reports were retracted.  Widespread reports attribute the vulnerability to a weakness in Internet Explorer (a use-after-free in its HTML engine, later patched by Microsoft as MS10-002, CVE-2010-0249).  Although later versions are also reported to be vulnerable, the version of the attack identified by McAfee targeted IE 6.  Based on a file path string found in the attack code during the forensic investigation, the attack has become known as Operation Aurora, or the Aurora vulnerability (absolutely no connection with our company).

The Aurora attack belongs to a particularly nasty class of attacks that require no action on the part of the targeted user beyond visiting a web site.  The IE 6 version of this exploit quickly became part of Metasploit and is available for download.  The exploit itself is a piece of JavaScript: it sprays the browser's heap with shellcode and then triggers the memory-corruption bug so that the browser jumps into it.  Once the script runs, the attacker has the same access to the machine as the logged-in user.  From there they can gain complete control of the system with a privilege escalation exploit, which lets them install keyloggers and password sniffers, modify system software, or even open a remote desktop session and watch what the victim does.

An example video of the Aurora attack run through Metasploit may be found at PraetorianPrefect.com.

This article from Wired includes an interview with Dmitri Alperovitch, vice president of threat research at McAfee.  As he relates, the Aurora exploit downloaded a triple-encrypted shellcode stage, which then downloaded an encrypted binary, which in turn unpacked itself into a couple of other encrypted binaries.  One of the malicious programs opened a remote backdoor to the command and control system, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection.  This allowed the attackers ongoing access to the computer and let them use it as a "beachhead" into other parts of the network to search for login credentials, intellectual property and whatever else they were seeking.  Note that this was an outbound connection, the direction most firewalls allow by default, and because it looked like SSL it would pass as ordinary encrypted web traffic.

One of the files downloaded appears to be the Hydraq trojan.  Among other capabilities, this trojan allows live video streaming of the target system's console to a remote attacker once two additional files have been downloaded and installed.

This was likely also an example of a so-called "man in the mailbox" attack, since there are reports that the intruders gained access to personnel information.  Once you have an internal address to send from, others in the corporation are more likely to trust your emails.  You might, for example, forge an announcement from HR, package it as a PDF carrying an exploit, and forge the sender address as something at hr.company.com.  Even if someone looks at the headers and sees that the message actually came from somecomputer.company.com rather than the mail server, they would very likely still open the attachment.
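The header detail that a user will ignore is one a mail gateway can act on.  The following is an added example, written for this post and not taken from any product or from the incident reports, of three triage checks on exactly the message described above: the From: domain does not match the envelope sender, an "internal" sender was injected from a host that is not one of the mail relays, and the message carries a document attachment.  The message, the hostnames and the relay list are all constructed.

```python
"""Triage checks for an internally spoofed spear phish.  Added example; the
message, the hostnames and the relay list are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the only hosts allowed to originate mail inside company.com
MAIL_RELAYS = {"mail.company.com", "mx1.company.com"}
INTERNAL_DOMAIN = "company.com"
DOCUMENT_TYPES = {
    "application/pdf",
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}

# Constructed sample: claims to be HR, injected from a workstation, PDF attached
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer.example>
Received: from somecomputer.company.com (somecomputer.company.com [10.1.2.3])
        by mail.company.com with ESMTP id 4f2a1c
From: "Human Resources" <hr@hr.company.com>
To: engineer@company.com
Subject: Updated benefits enrollment form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please complete the attached form by Friday.
--b1
Content-Type: application/pdf; name="enrollment.pdf"
Content-Disposition: attachment; filename="enrollment.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def domain_of(address):
    """Domain part of an RFC 5322 address, or '' if there is none."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def originating_host(msg):
    """Host named in the earliest Received: line, i.e. the one that injected the mail."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = re.match(r"from\s+([\w.-]+)", received[-1].strip())
    return match.group(1).lower() if match else None


def attachments(msg):
    """(filename, content-type) for every part marked as an attachment."""
    return [(part.get_filename(), part.get_content_type())
            for part in msg.walk() if part.get_content_disposition() == "attachment"]


def triage(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from envelope sender domain {envelope_dom}")
    host = originating_host(msg)
    if from_dom.endswith(INTERNAL_DOMAIN) and host not in MAIL_RELAYS:
        findings.append(f"internal sender injected from non-relay host {host}")
    for name, ctype in attachments(msg):
        if ctype in DOCUMENT_TYPES:
            findings.append(f"document attachment {name} ({ctype})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE):
        print("-", finding)
```

None of the three findings is conclusive on its own (mailing-list software breaks the first, a misconfigured relay the second, and HR really does send PDFs), which is why the checks return findings for a scoring rule rather than a verdict.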

Many people were skeptical that an IE 6 attack would have been the primary attack vector against such a state-of-the-art company as Google.  Early reports from McAfee also indicated that a vulnerability in Adobe software was targeted.  Those reports were withdrawn, but shortly afterward Adobe released a fix for a vulnerability identified in December.  It appears likely that at least some of the 30 or so companies were attacked with PDF files emailed to specific users, although it is not clear that this succeeded.  In addition, researchers had a working version of the exploit against IE 7 and IE 8 by January 19, 2010.  It is quite possible the attackers had their own version of this exploit that was never released to the public.

It does appear that quite a few quiet updates were pushed to antivirus and anti-trojan software following the attacks.

In any event, once the beachhead was achieved, the attackers were able to gather information that ultimately led them to the systems containing the source code and other intellectual property they were after.

As an aside, a server at Rackspace was compromised and used as an intermediary in the attack: a staging system where stolen code was gathered before being sent on to its final destination.

Since the attack became public, the command and control servers named in the attack code have disappeared, effectively disabling any remaining trojans in the wild.

At the current time, the attacks have been traced back to two Chinese schools, Shanghai Jiao Tong University and Lanxiang Vocational School.  Both schools have ties to the Chinese search engine Baidu, Google's Chinese competitor.  In addition, Lanxiang was involved in the Great Firewall project as well as training programs for military IT.

There are a number of features that make this attack stand out from the normal cyberattack:
  1. The attack was focused on a few individuals.
  2. Multiple levels of encryption were employed in the attack.
  3. Specific intellectual property appears to have been targeted at multiple companies.
These are all hallmarks of APTs.  In the past, this level of detail and effort was seen only in attacks aimed at government agencies.

The first factor, that it was tightly focused, indicates that a serious intelligence effort was mounted to identify potentially valuable targets.  This could have involved anything from canvassing Internet discussion groups for promising targets to acquiring internal company documents such as staff listings or phone/address books, either legitimately if they were available online, or even by bribing an employee.

The second factor is very worrisome.  In the past, most attackers have been, to one degree or another, somewhat sloppy.  Exploits are reused and many attacks take a brute-force approach, which makes it relatively straightforward to recognize that you are under attack.  In addition, many attacks are identified because they fail and produce errors that even marginally aware users notice as out of the ordinary.  This attack was carefully crafted, with multiple levels of encryption, to avoid discovery.  It is not known what tipped Google off to the attack, but it was clearly under way for some time.  This level of attention to detail is more typical of attacks against government installations.

It is not known what other intellectual property was obtained during the course of the attack, but among the 30 or so companies were Adobe Systems, Juniper Networks, Yahoo, Symantec, Northrop Grumman and Dow Chemical, and it appears that source code repositories were targeted.