In January 2010, Google disclosed that it had become a victim of a sophisticated cyberattack originating in China. The attackers targeted Google’s corporate network, which resulted in intellectual property theft and access to Gmail accounts of human rights activists. Besides Google, the attack also targeted over 30 companies in the fintech, media, internet, and chemical sectors.

These attacks were conducted by the Chinese Elderwood Group and later termed by security experts as Operation Aurora. So what actually happened? How was it carried out? And what was the aftermath of Operation Aurora?

What Is Operation Aurora?

Operation Aurora was a series of targeted cyberattacks against dozens of organizations, including Google, Adobe, Yahoo, Symantec, Morgan Stanley, Rackspace, and Dow Chemicals, among others. Google first shared details of the attacks in a blog post which claimed that these were state-sponsored attacks.

Soon after Google’s announcement, more than 30 other firms revealed that the same adversary had breached their corporate networks.

The name of the attacks comes from references in the malware to a folder named "Aurora" found by McAfee researchers on one of the computers used by the attackers.

How Was the Attack Carried Out?


This cyber-espionage operation was initiated using the spear-phishing technique. Initially, the targeted users received a malicious URL in an email or instant message that initiated a series of events. As the users clicked the URL, it would take them to a website that executed further malicious JavaScript code.

The JavaScript code exploited a vulnerability in Microsoft Internet Explorer that was unknown to the vendor at the time and therefore unpatched. Such previously unknown vulnerabilities are termed "zero-days," and code that abuses them is a "zero-day exploit."

The zero-day exploit allowed malware to run in Windows and set up a backdoor for the cybercriminals to take control of the system and steal credentials, intellectual property, or whatever else they were seeking.

What Was the Purpose of Operation Aurora?


Operation Aurora was a highly sophisticated and successful attack. But the real reasons behind the attack remain unclear. When Google disclosed the Aurora bombshell, it stated the following reasons and consequences:

  • Intellectual Property Theft: The attackers targeted the corporate infrastructure, which resulted in intellectual property theft.
  • Cyber Espionage: It also said that the attacks were part of a cyber espionage operation that tried to infiltrate Gmail accounts of Chinese dissidents and human rights activists.

However, a few years later, a senior director of Microsoft’s Institute for Advanced Technology stated that the attacks were actually meant to probe the US government, to check whether it had uncovered the identity of undercover Chinese agents performing their duties in the United States.

Why Did Operation Aurora Get So Much Attention?

Operation Aurora is a widely discussed cyberattack because of the nature of the attacks. Here are a few key points that make it stand out:

  • This was a highly targeted campaign in which the attackers had thorough intelligence on their targets. This might hint at the involvement of a larger organization and even nation-state actors.
  • Cyber incidents happen all the time, but many companies don’t talk about them. For a company as sophisticated as Google, coming out and disclosing it in public is a big deal.
  • Many security experts hold the Chinese government responsible for the attacks. If the rumors are true, then you’ve got a situation in which a government is attacking corporate entities in a manner never exposed before.

The Aftermath of Operation Aurora


Four months after the attacks, Google decided to shut down its operations in China. It ended Google.com.cn and redirected all the traffic to Google.com.hk, the Hong Kong version of Google, since Hong Kong operates under different laws from mainland China.

Google also restructured its approach to mitigate the chances of such incidents happening again. It implemented the zero-trust architecture called BeyondCorp, which has proved to be a good decision.

Many companies needlessly provide elevated access privileges, which allow them to make changes to the network and operate without restrictions. So, if an attacker finds a way onto a system with administrator-level privileges, they can easily misuse those privileges.

The zero-trust model works on the principles of least privilege access and nano-segmentation. It’s a new way of establishing trust in which users can access only those parts of a network that they really need. So, if a user’s credentials are compromised, the attackers can only access the tools and applications available to that particular user.

Later, many more firms started adopting the zero-trust paradigm by regulating access to sensitive tools and applications on their networks. The goal is to verify every user and make it difficult for attackers to cause widespread damage.

Defending Against Operation Aurora and Similar Attacks


The Operation Aurora attacks revealed that even organizations with significant resources like Google, Yahoo, and Adobe can still be victimized. If big IT companies with enormous funding can be hacked, then smaller firms with fewer resources will have a hard time defending against such attacks. However, Operation Aurora also taught us certain important lessons that can help us defend against similar attacks.

Beware of Social Engineering

The attacks highlighted the risk of the human element in cybersecurity. People remain the primary entry point for attacks, and the social engineering at the core of getting a user to click an unknown link hasn't changed.

To make sure that Aurora-like attacks don't happen again, companies have to get back to the basics of information security. They need to educate employees on safe cybersecurity practices and how they interact with technology.

The nature of the attacks has become so sophisticated that even a seasoned security professional finds it hard to distinguish a good URL from a malicious one.

Use Encryption

Attackers can use VPNs, proxy servers, and multiple layers of encryption to hide malicious communications on a network.

To detect and prevent the communications of compromised computers, all the network connections must be monitored, particularly those going outside the company's network. Identifying abnormal network activity and monitoring the volume of data going out from a PC can be a good way to evaluate its health.
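One way to put the egress-volume idea above into practice, as an added example that is not part of the original article: summarize per-host bytes sent to destinations outside the company's address space and flag hosts that are outliers against their peers. The flow records are constructed sample data (a netflow-style summary with source, destination, port and bytes), and 203.0.113.0/24 stands in for arbitrary external hosts.

```python
import csv
import io
import ipaddress
import statistics

# RFC 1918 ranges; anything outside them counts as leaving the company network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow summaries for one day (not real telemetry).
SAMPLE_FLOWS = """\
src,dst,dst_port,bytes_out
10.0.1.10,203.0.113.7,443,800000
10.0.1.10,203.0.113.9,443,400000
10.0.1.10,10.0.5.20,445,90000000
10.0.1.11,203.0.113.7,443,2500000
10.0.1.12,203.0.113.21,80,900000
10.0.1.13,203.0.113.7,443,1800000
10.0.1.14,203.0.113.30,443,3100000
10.0.1.15,203.0.113.55,443,480000000
10.0.1.15,10.0.5.20,445,120000000
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def egress_by_host(flow_csv: str) -> dict:
    """Sum bytes each internal host sends to destinations outside the company network."""
    totals = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if is_internal(row["src"]) and not is_internal(row["dst"]):
            totals[row["src"]] = totals.get(row["src"], 0) + int(row["bytes_out"])
    return totals

def flag_egress_outliers(totals: dict, cutoff: float = 3.5) -> list:
    """Hosts whose egress is far above their peers, scored with median and MAD.

    Median/MAD rather than mean/stddev, so one exfiltrating host cannot inflate
    the baseline it is compared against. 0.6745 scales MAD to a stddev-like unit.
    """
    if len(totals) < 3:
        return []  # too few peers to establish a baseline
    values = list(totals.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    if mad == 0:
        return [h for h, v in totals.items() if v > median]  # all peers identical
    return [h for h, v in totals.items() if 0.6745 * (v - median) / mad > cutoff]

if __name__ == "__main__":
    totals = egress_by_host(SAMPLE_FLOWS)
    for host in flag_egress_outliers(totals):
        print(f"ALERT {host}: {totals[host]:,} bytes to external destinations")
```

Internal-to-internal transfers (the port 445 flows) are deliberately excluded so that ordinary file-server traffic does not mask or mimic data leaving the network.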

Run Data Execution Prevention

Another way to minimize security threats is by running Data Execution Prevention (DEP) on your computer. DEP is a security feature that marks memory regions meant to hold data, such as the stack and heap, as non-executable, so code an attacker manages to inject into those regions cannot run.

You can enable it by going to System and Security > System > Advanced System Settings in Control Panel.

Turning on the DEP feature will make it harder for attackers to carry out Aurora-like attacks.

Aurora and the Way Forward

The world has never been more exposed to the risks of state-sponsored attacks than it is now. Since most companies now rely on a remote workforce, maintaining security is harder than ever.

Fortunately, companies are quickly adopting the zero-trust security approach that works on the principle of trusting no one without continuous verification.