The attack on Google and 30 other companies in late 2009 has
generated a lot of buzz on APTs or Advanced Persistent Threats.
This article covers what is known about the Google attack and
discusses APTs in general. A future article will cover APT defense.
The Google attack came to light with an article
published on the official Google Blog titled A
New Approach to China.
It is somewhat unusual for a company to admit being the victim of an
attack, but the scale of this attack was so large and not just limited
to Google that they apparently felt the need to go public. With
few exceptions, the other 30 or so companies targeted have not been
identified.
In the blog post, Google identified the primary goal of the attackers
as accessing accounts of human rights activists in China.
Third party reports, including this article
from Wired, indicate that the goal of the attack was intellectual
property such as source code, financial data, and trade secrets.
Recently an article
in the New York Times reported that the intruders acquired at least
parts of the Google Single Sign-on package, also known as Gaia.
The attackers were able to gain access to the source code control
system. This is particularly worrisome since it might be possible
to insert a trojan into the system, or at the very least, study the
code for weaknesses.
A breach of this magnitude is a security nightmare. Nothing on
the breached system can be trusted (as well as whatever is on any other
systems that have trusted connections with the breached system).
It is quite possible, for example, if you have access to a development
system, to modify the compiler to insert backdoor
code into any or all generated code. The pernicious part about
this is that it is possible to do this in a way that is nearly
impossible to identify without single stepping through the code
(assuming you have a debugger that has not been modified to ignore the
article has a short description of the technique developed by Ken
Thompson to do just this.
How did attackers gain access to Google? This is quite
murky. The New York Times article states the attack began when an
IM was sent to a Google employee in China directing them to a poisoned
web site. This is an example of "Spear phishing", or a phishing
attack aimed at specific users. The web page contained a
zero day "drive by" attack. A "zero day" attack is one unknown by
the good guys while a "drive by" attack is code contained in the web
page that is downloaded when the page is accessed and executed by the
browser. No action other than hitting the web page is required by
Initially, vulnerabilities in IE and Adobe were blamed, but the Adobe
reports were retracted. Widespread reports attribute the vulnerability
to a weakness in
Internet Explorer. Although later versions are reputed to have
the vulnerability, the version of the attack identified by McAfee
focused on IE V6. Based on a fragment of code identified
in the forensic investigation, the attack has become known as Operation
Aurora or the Aurora vulnerability (absolutely no connection with
The Aurora attack is of a particularly nasty class of attacks that
require absolutely no intervention on the part of the targeted user,
other than visiting a web site. The IE V6 version of this attack
quickly became part of Metasploit and is available for download.
script is executed, a remote attacker has the same access as the
user. They can then gain complete control of the target system by
using an escalation of privilege exploit which would allow them to
insert keyloggers, password sniffers, modify system software or
even run an RDS session and watch what the targeted victim
from Wired includes an interview with Dmitri Alperovitch, vice
president of threat research for McAfee. As
he relates, the Aurora exploit downloaded a triple encrypted shell
exploit that then downloaded an encrypted binary which then unpacked
itself into a couple of other encrypted binaries. One
of the malicious programs opened a remote backdoor to the command and
establishing an encrypted covert channel that masqueraded as an SSL
connection to avoid detection. This allowed the attackers ongoing
access to the computer and to use it as a “beachhead” into other parts
of the network in order to search for login credentials,
intellectual property and whatever else they were seeking.
This was an outbound connection.
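The covert channel described above only resembled SSL; it did not speak it, and that is exactly what a network defender can check for. The Python below is an added example written for this article, not code from the original text or from McAfee: it validates whether the first client-to-server bytes of a connection to TCP port 443 form a plausible TLS record carrying a ClientHello, and flags flows to 443 that do not. The flow records and byte strings are constructed for the example and are not captures of the Aurora traffic.

```python
import struct

# TLS record content type for handshake messages and the handshake
# message type for ClientHello (RFC 5246 / RFC 8446).
TLS_CONTENT_HANDSHAKE = 0x16
TLS_HS_CLIENT_HELLO = 0x01
# Record-layer and ClientHello version fields seen in practice:
# SSL 3.0, TLS 1.0, 1.1 and 1.2 (TLS 1.3 reuses 0x0303 in these fields).
KNOWN_VERSIONS = {(3, 0), (3, 1), (3, 2), (3, 3)}
MAX_RECORD_LEN = 16384 + 2048  # plaintext limit plus expansion allowance


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if PAYLOAD (first client->server bytes of a flow) is a
    plausible TLS record that carries a ClientHello handshake message."""
    # Record header (5 bytes) + handshake header (4) + client_version (2)
    if len(payload) < 11:
        return False
    content_type, major, minor, rec_len = struct.unpack(">BBBH", payload[:5])
    if content_type != TLS_CONTENT_HANDSHAKE:
        return False
    if (major, minor) not in KNOWN_VERSIONS:
        return False
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != TLS_HS_CLIENT_HELLO:
        return False
    # A ClientHello body holds at least client_version (2) + random (32).
    # The message may be split across records, so it may be longer than
    # the record, but a record carrying extra bytes after it is odd.
    if hs_len < 34 or hs_len + 4 < rec_len:
        return False
    client_version = (payload[9], payload[10])
    return client_version in KNOWN_VERSIONS


def build_client_hello(cipher_suites=(0x002F,)) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    body = b"\x03\x03"                      # client_version: TLS 1.2
    body += b"\x11" * 32                    # random: fixed so output is deterministic
    body += b"\x00"                         # session_id length 0
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                     # one compression method: null
    body += b"\x00\x00"                     # extensions length 0
    handshake = bytes([TLS_HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is commonly 0x0301 even for TLS 1.2 clients.
    return struct.pack(">BBBH", TLS_CONTENT_HANDSHAKE, 3, 1, len(handshake)) + handshake


def flag_non_tls_on_443(flows):
    """Return ids of flows to TCP/443 whose first bytes are not a TLS ClientHello."""
    return [f["id"] for f in flows
            if f["dst_port"] == 443 and not looks_like_tls_client_hello(f["payload"])]


# Constructed flow records for the example; not captured Aurora traffic.
SAMPLE_FLOWS = [
    {"id": "flow-1", "dst_port": 443, "payload": build_client_hello()},
    # constructed non-TLS bytes: a custom binary protocol hiding on port 443
    {"id": "flow-2", "dst_port": 443,
     "payload": b"\xff\xff\xff\xff\xff\xff\x00\x00\xfe\xff\xff\x00\x00\x00"},
    {"id": "flow-3", "dst_port": 80, "payload": b"GET / HTTP/1.1\r\nHost: example\r\n"},
    # plaintext HTTP sent to 443 is not TLS either
    {"id": "flow-4", "dst_port": 443, "payload": b"GET / HTTP/1.1\r\nHost: example\r\n"},
]

if __name__ == "__main__":
    print(flag_non_tls_on_443(SAMPLE_FLOWS))
```

The check deliberately inspects only the first bytes of each flow, which is what a sensor can do cheaply on every connection; a ClientHello that is fragmented across records still passes, while anything that does not begin with a handshake record is reported. It does not prove a flow is benign, since a backdoor could wrap its traffic in genuine TLS, but it catches the class of channel described here, where a protocol merely borrows the SSL port.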
One of the files downloaded appears to be the Hydraq
trojan. Among other capabilities, this trojan allows for live
video streaming of the target system's console to a remote attacker
after two additional files were downloaded and installed.
This was likely an example of a so-called "man in the mailbox"
attack since there are also reports that the intruders gained
access to personnel information. Once you have an internal
address to work from, others in
the corporation are more likely to trust any emails that you send to
them. You might, for example, forge an announcement from HR,
package it as a PDF with an exploit, then forge the return address as
hr.company.com. Even if somebody looks at the header and sees
somecomputer.company.com, they would have a high likelihood of opening
Many people were quite skeptical that an IE6
attack would have been the primary attack vector against such a state
of the art company as Google. Early reports from McAfee also
indicated that a vulnerability in Adobe was targeted. These
reports were withdrawn, but shortly afterward, Adobe announced a bug
fix for a vulnerability identified in December. It appears likely
at least some of the 30 or so companies were attacked by PDF files
emailed to specific users, although it is not clear that this was
successful. In addition, researchers
had an operational version of the exploit against IE7 and IE8 by January
19, 2010. It is quite possible attackers
had their own version of this exploit that wasn't released to the
It does appear that quite a few quiet updates were made to antivirus
and antitrojan software following the attacks.
In any event, once the beachhead was achieved, the attackers were able
to gather information that ultimately led them to the systems
containing the source code and other intellectual property they were
As an aside, a server at Rackspace was compromised and used
as an intermediary in the attack. This was used as a staging
system where stolen code was gathered before being sent on to its final
Since the attack has become public, the command and control servers
specified in the attack code have disappeared, effectively disabling any
remaining trojans in the wild.
At the current time, the attacks have been traced back to two Chinese
schools, Shanghai Jiao Tong
University and Lanxiang
Both of these schools have ties to the Chinese search engine Baidu,
the Chinese competitor to Google. In addition, Lanxiang
was involved in the Great Firewall project as well as training programs
for military IT.
There are a number of features that make this attack stand
out from the normal cyberattack.
This attack was focused on a few individuals.
Multiple levels of encryption were employed in the
It appears that specific intellectual property was
targeted at multiple companies
These are all aspects of APTs. In the past, this level
of detail and effort was evidenced only in attacks aimed at government
The first factor, that it was tightly focussed, indicates that a
serious intelligence effort was mounted to identify potentially
valuable targets. This could have involved anything from
canvassing Internet discussion groups for promising targets to
acquiring internal company documents such as staff listings or
phone/address books, either legitimately if available online, or even
bribing an employee.
The second factor is very worrisome. In the past, most attackers
have been, to one degree or another, somewhat sloppy. Exploits
are reused and many attacks take a brute force approach. These
make it relatively straightforward to identify the situation where you
are under attack. In addition, many attacks are identified
because they fail and result in errors that even marginally aware users
may identify as out of the ordinary. This attack was carefully
crafted with multiple levels of encryption to avoid discovery. It
is not known what tipped Google off to the attack, but it clearly was
under way for some time. This level of attention to detail is
more typical of attacks against government installations.
It is not known what other intellectual property was obtained during
the course of the attack, but among the 30 or so companies were Adobe
Systems, Juniper Networks, Yahoo, Symantec, Northrop Grumman and Dow
Chemical, and it appears that source code repositories were targeted.