

Google Hack Attack Was Ultra Sophisticated, New Details Show - yan
http://www.wired.com/threatlevel/2010/01/operation-aurora/

======
est
Another aspect perhaps most people ignored is:

The Chinese government has _all the source code_ of Windows systems:

<http://news.cnet.com/2100-1016_3-5083458.html>

Including:

Windows Vista, Windows XP, Windows Server 2003, Windows 2000, Windows CE
6.0/5.0/4.2(PSK), Microsoft Office Pro 2003, Microsoft Office Systems

It's reviewed by top three Chinese universities and other three government
agencies.

The Party is the new overlord of 0day farmers.

~~~
BrentRitterbeck
Yeah, North Korea, Iran, and Afghanistan also have all of the source code of
Linux. What is your point?

~~~
jbooth
Linux security assumes source code visibility, Windows doesn't?

~~~
joe_the_user
Yes, Windows' closed-source nature has allowed MS to rely on
_security-through-obscurity_. Now that one of the entities MS has taken
_behind its golden screen_ has turned out to be a black hat, MS' approach is
looking foolish.

~~~
awa
Microsoft does give out source code for some of its software (including parts
of Windows) to various universities for research purposes. Of course, there are
NDAs involved, but that shows they aren't shy to share the code in certain
situations.

------
ra
I find the fact that the targets were source code repos very interesting.

If you are a super-smart black-hat villain who wants to plan a mass global
attack, what better place to start than with Google and Adobe's source code?

~~~
tfh
_> what better place to start than with Google and Adobe's source code?_

I wonder if Microsoft was targeted too.

~~~
jimbokun
What's the point, when the Chinese government already has all their source
code?

~~~
nfnaaron
Ah, I guess that's why most of my router scans come from China: it's worth it.

------
lt
I find the fact that Adobe got hacked by a pdf vulnerability kinda funny.

~~~
sp332
Specifically, a 0-day exploit in the Adobe Reader software which Adobe knew
about and refused to fix for months (since it would break their upgrade
schedule).

~~~
lt
They're denying it though, blaming it on IE only:

[http://blogs.adobe.com/conversations/2010/01/no_evidence_to_...](http://blogs.adobe.com/conversations/2010/01/no_evidence_to_suggest_adobe_t.html)

~~~
abscondment
It's not just _them_ denying it, but McAfee as well:
[http://siblog.mcafee.com/cto/operation-“aurora”-hit-google-o...](http://siblog.mcafee.com/cto/operation-“aurora”-hit-google-others/)

------
jcl
My thought while reading this: "There's someone at Google running IE?"

~~~
clistctrl
I imagine most of the staff. Google makes sure all of their software works in
most of the popular browsers.

~~~
jcl
Well, sure. But as I understand it, most people at Google are running Linux on
their desktops. I'd expect most browser testing to be taking place in VMs or
on separate boxes, and under test accounts -- which would have made the level
of infiltration described in the article more difficult.

~~~
marltod
Companies like Google try to make their employees happy. If someone prefers
Windows XP they are aloud to use it.

~~~
ramchip
They have to yell to get XP?

------
spoiledtechie
In other news, I was just sent an Email by Bank of America...

It said my card was compromised. I called in and they said their systems were
hacked, and he gave the name and location of the system...

You might not know it, but sounds like BoA was compromised as well.

~~~
jordyhoyt
I think that's just a coincidence. I received a similar notification about a
year ago. I think they just get hacked from time to time.

~~~
noelchurchill
Confidence inspiring.

------
mootothemax
I take this claim with a pinch of salt. It's a neat idea: exploit IE to
install a sniffer that picks up Gmail passwords etc. on the local network, but
the only "ultra sophisticated" bit of this I can tell is that the hackers did
a really good job of covering their tracks.

The article mentions that your average cybercriminal is lazy, and I can
believe that - you're only going to put as much time into an attack as
you're going to get out in financial reward. But if a commercial hack was
going to bring about the same financial level of reward, I bet the
cybercriminals wouldn't be sloppy.

~~~
sophacles
I had a similar train of thought, but in a slightly different causality ordering:

Places like google have a high potential for a high payout, and they know it.
Therefore the cybersecurity is higher, requiring a better caliber of criminal.

~~~
rquirk
"Although the initial attack occurred when company employees visited a
malicious web site, Alperovitch said researchers are still trying to determine
if this occurred via a URL sent to employees via e-mail or instant messaging
or some other method, such as Facebook or other social networking sites."

It still needed an employee to make the usual "install the dancing pigs"-style
gaffe while using IE6.

Also: Employees using IE6, inside Google, in 2010. Why weren't they using
Chrome?

~~~
jsankey
_Also: Employees using IE6, inside Google, in 2010. Why weren't they using
Chrome?_

I guess they were testing something in IE6. Perhaps one of their own sites.
Perhaps how some other site renders in it compared to Chrome. Who knows.

~~~
jauco
That'd be brilliant! Send a bug report that your site renders incorrectly in
chrome but correctly in IE6. That's an almost guaranteed hit with a known
browser!

------
misdirection
So in other words, I can launch an attack against any number of companies and
organizations, and as long as I attack human rights activists' accounts,
everyone will blame the Chinese government?

What do you even call that kind of disinformation? False flag doesn't seem to
cut it.

~~~
brown9-2
Well this part of it also helps:

 _The attack had originated from China, the company said._

~~~
misdirection
Wow, that narrows it down to 33% of the world's population.

~~~
ryanwaggoner
More like 19%, but yeah...

------
gregcmartin
This was ultra sophisticated: they used several layers of multi-encrypted
malware to tunnel out and create reverse control channels. Not to mention they
used a 0day IE bug to install the malware in various targeted companies. This
was gov sponsored...

~~~
sern
And a team from the People's Liberation Army's signals intelligence branch
will find themselves in jail soon for embarrassing the government...

~~~
riobard
You must be kidding. They are precious properties of the government and well
protected and paid.

------
anApple
I guess we will be seeing baiduu news, baiduu image search, bmail, bdrive
sometime soon! :-)

~~~
swolchok
I'd say it's a safe bet that stealing Google's source code wouldn't help much
with replicating their datacenter infrastructure.

~~~
coderdude
Baidu already uses Hadoop's HDFS and MapReduce. They also support Hypertable.
I would guess that they could probably put "something" together over time.

~~~
swolchok
HDFS and MapReduce have nothing to do with building and maintaining
datacenters.

------
starev
What I wonder about is what do they mean by "stealth programming"? I can think
of just programming with white text on a white background, but that wouldn't
serve any security related purpose.

From reading that, it's clear that the shellcode was obfuscated ('encrypting'
it three times, though, would be unnecessary _), but that's just a good way to
muddle things up. Although from reading that it's obvious that it was a
sophisticated attack in this day and age of cybercriminals who go for the
easiest target available, nothing mentioned there hasn't been possible for
almost any buffer overflow attack. Code obfuscation has been used for years
for copy protection and to prevent static reverse engineering in general, and
although nonstandard in exploitation, by no means unheard of. In my opinion a
more impressive exploit would be one which used all printable ASCII (which
also is possible).

On a side note, some of the terms used are either misused or just wrong:
although the payload may have been obfuscated, 'encryption' at least to me
implies separate key/decryption schemes, which don't really work well from a
shellcode point of view. You'd be better off using a static 'encryption'
scheme like ROT13, but that seems more like obfuscation in this day and age,
particularly since the code to deobfuscate it would have to be built in.

TL;DR: I think they throw around 'encryption' in places where it doesn't make
sense to use it because it makes it sound scary, and it doesn't seem like any
of the techniques used were 'new' or somehow more sophisticated than what was
previously possible.

_For simple IDS evasion, at least, so that you aren't throwing up flags: it
could've been done to make forensics much harder.

~~~
brown9-2
This is something I had a hard time understanding and which I thought the
article did a poor job of explaining.

In exploiting a remote system, which part of your attack would benefit from
being encrypted?

~~~
gregcmartin
OK, so they use what are called packers to not only obfuscate the malware code
to bypass signature-based A/V but also hide inside other binaries or DLLs to
further evade heuristic defenses. Then a reverse encrypted tunnel for control
of the infected machine was routed over normal HTTPS, also undetectable by IDS.
It was to dynamic DNS domains such as yahoo1.dyndns.org. Reverse meaning it
connects back to the attacker to allow ssh-like access to the compromised host
via the trojan.

These are all extremely advanced (but known) evasion steps for a very targeted
attack. It's rare to see all of them successfully used in one attack because
of the complexity and skill required.
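
One defensive check that follows from this, added here as an example and not code from the commenter or the article: rather than trusting that traffic on TCP/443 is HTTPS, inspect whether the first bytes a client sends form a well-formed TLS ClientHello. A channel that merely masquerades as SSL without speaking real TLS fails the check. The three sample flows are constructed for the example.

```python
import os
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello


def build_client_hello() -> bytes:
    """Construct a minimal, well-formed TLS 1.2 ClientHello record (sample data)."""
    body = struct.pack("!H", 0x0303)              # client_version: TLS 1.2
    body += os.urandom(32)                        # 32-byte client random
    body += b"\x00"                               # session_id: empty
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # compression: null only
    body += struct.pack("!H", 0)                  # no extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_hdr = bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake))
    return record_hdr + handshake


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends on a flow to the HTTPS port.

    Returns 'tls-client-hello' when the record and handshake headers are
    internally consistent, 'malformed-tls' when the bytes start like TLS but
    the length fields or version do not add up, and 'not-tls' otherwise.
    """
    # Record header: type 0x16, major version 3, minor 0..4 (SSLv3 .. TLS 1.3).
    if len(data) < 9 or data[0] != TLS_HANDSHAKE or data[1] != 0x03 or data[2] > 0x04:
        return "not-tls"
    record_len = struct.unpack("!H", data[3:5])[0]
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    # The record must carry exactly one ClientHello whose length matches it.
    if hs_type != CLIENT_HELLO or hs_len < 2 or hs_len + 4 != record_len:
        return "malformed-tls"
    if 5 + record_len != len(data):
        return "malformed-tls"
    client_version = struct.unpack("!H", data[9:11])[0]
    if client_version < 0x0301:                   # anything below TLS 1.0 is suspect
        return "malformed-tls"
    return "tls-client-hello"


# Constructed samples: a genuine ClientHello, a custom "encrypted" channel that
# only borrows the HTTPS port, and a TLS-looking header with bogus lengths.
SAMPLE_FLOWS = {
    "real_https": build_client_hello(),
    "fake_ssl_channel": b"\x8a\x17\x02\x00\x40" + bytes(range(64)),
    "bad_lengths": b"\x16\x03\x01\x00\x10\x01\x00\x00\x20" + bytes(16),
}


def triage(flows: dict) -> dict:
    """Return {flow name: verdict} for a batch of captured first-byte samples."""
    return {name: classify_first_bytes(data) for name, data in flows.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FLOWS).items():
        print(f"{name:18s} {verdict}")
```

Header conformance is only a first filter: a backdoor that completes a genuine TLS handshake to its controller passes it, which is why the dynamic DNS destinations mentioned above are the complementary signal to correlate.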

------
Slashed
I don't really get the part with Russian nested dolls.

Was it like this?

For example, there is a code which is encrypted three times. And that
crypt-code by itself is an executable which decrypts itself into another
executable, and so on.

If this is true - I'm really impressed.

~~~
onedognight
I'm not impressed with the Russian doll encryption. Like with DRM, you have to
give away the keys to your users. So the analysts had to work a little more
than usual to examine the code. Big deal. There was never a question of _if_
they would be able to analyse it, but just _how long_ it would take. There
must be something else they have not disclosed that is making them take
notice.

~~~
nfnaaron
Maybe the point of triple encryption was to make it less likely for scanners
to find it in a routine scan? The people who did this certainly knew that once
they were found it was over; they were just trying to delay being found a bit.

[Edit: added 2nd sentence.]

------
est
Update from a Chinese anonymous source, credibility unknown

<http://www.brookswelding.com/>

Undercover agents were sent to Google Shanghai Office, cracked Gmail source
code and got away with a 1 million RMB reward

~~~
riobard
Link to the Google Translated version in English:

[http://translate.google.com/translate?js=y&prev=_t&h...](http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http%3A%2F%2Fwww.brookswelding.com%2F&sl=zh-CN&tl=en)

~~~
pyre
_Google, congratulate you on your return to the embrace of mercy of the Lord.
Yes, we are here to congratulate you, rather than mourning. When the sun
finally shining in Jerusalem tomb of your Lengji, we will meet your
resurrection._

Huh?

~~~
Estragon
I've been trying to learn Chinese, and poking around Chinese websites with
peraperakun occasionally. Every time I come across a WTF sentence like that, I
wonder whether maybe I've bitten off more than I can chew.

~~~
riobard
I guess poetic sentences are always hard to get right, if you don't really
grow up in that culture, just like I have a lot of trouble with some essays in
English. Well, if you keep learning, eventually you'll get there :)

------
Prefect
Video of the exploit in action (as integrated into Metasploit):

[http://praetorianprefect.com/archives/2010/01/the-aurora-ie-...](http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/)

------
est
Does anyone have a full list of the 34 companies?

~~~
maukdaddy
Not yet, but you can probably make some educated guesses. What US companies
have technologies that China might be interested in?

- Google
- Microsoft
- Boeing
- Intel
- Cisco (imagine the value of their source code)
- Apple
- Any of the defense contractors, etc.

~~~
mpakes
The source for Cisco's IOS has been in rogue hands for quite some time. The
Chinese network equipment manufacturer Huawei was caught selling routers
running IOS with only cursory changes back in 2003. Identical CLI, identical
features, identical bugs.

I think we must assume that the source code for most major products is
available on the black market.

------
tofu-cyborg
It seems to me that the word "sophisticated" is being misused here. Rather, I
would say "knowledgeable."

If you, even within your general field (say mathematics), talk to an expert,
he will easily give you arguments that will seem sophisticated to you, and
simple to him. He's spent more time learning, getting familiar with, and
thinking about those arguments, and that's the simple reason.

Here, the Chinese government is, through a nationalistic sentiment, endorsing
hacking and education about the same. It is a large country, and many of the
people conducting the attacks were not amateurs using already established
techniques. They were professionals, I wager, learning, getting familiar with,
and thinking about how to attain their hacking goals.

An educated person, in any subject, will seem infinitely more sophisticated
than a non-educated one. And I argue that China, more than anybody else,
invests into young men doing just that.

------
joe_the_user
The sophistication and determination of this attack actually makes Google's
actions more plausible.

By walking in and trying to take what it viewed as Google's most valuable
assets, the Chinese state _signaled that Google would never win in China_. The
playing field wasn't just rigged by one or another form of low-level
favoritism. The state at a fairly high level had decided it was going to
'p0wn' all the competition. So at that point, it was pretty obvious Google had
nothing to lose by leaving China and perhaps even more intellectual property
to lose by staying.

~~~
Raphael_Amiard
I find your argument pretty sound, but I was wondering, is there any
'evidence' that this goes up to the Chinese state, except the fact that civil
rights fighters' accounts were targeted?

------
tfh
I wonder how many smart people / how much money / hardware / etc. you need to
start an attack that sophisticated.

~~~
timdorr
Really not that much. Once you find a good exploit, the payload code is copy
and paste for a lot of it. The payload issue is a solved problem with lots of
available source code and knowledge out there for free.

~~~
mikeytown2
This attack sounds more complicated than your typical metasploit attack
<http://www.metasploit.com/>

------
datums
I'm guessing they're leaving out the "sophisticated" details of the
compromise. Using encryption to hide your malware from virus scanners and
using some computer "social engineering" (ssl connection) is not very
sophisticated. I don't understand why it needs to be sophisticated? Because
it's Google? It's known that some of the largest viruses have spread to
government computers (sobig).

~~~
joe_the_user
Perhaps it was custom encryption not previously seen?

I would imagine that while using encryption doesn't imply massive resources,
developing custom encryption does.

~~~
DanielBMarkham
I don't know a lot about security -- certainly not as much as some here
(although I can follow along with their banter easily enough)

But I know enough not to feel comfortable commenting on this in a public
forum.

(Not trying to pass a value judgment on you, just suggesting a reason you guys
might not be getting an answer to your question.)

~~~
mariorz
_> But I know enough not to feel comfortable commenting on this in a public
forum._

Why?

~~~
DanielBMarkham
Because it's a lose-lose proposition. If I get it right, I'm helping some
other schmuck break into people's systems. If I get it wrong then I'm the
schmuck.

And yes, people will learn to break into systems without my help, and yes,
openness is the best defense we have against these things. I've just decided
I'm just not going to put anything out there that could possibly be used like
that.

I tell you one of the reasons why: about twelve years ago, back in the Windows
3/95 days, I got a call from some stock brokers in New York. They wanted to
know basically how to spy on their employees.

So I sketched out a system where software would take pictures of their
desktops every few seconds -- this was a long time before such software ever
existed. I also sketched out several ways you could keep the software from
being detected.

I never knew if they wrote the system or what happened to my design, but it
never sat well with me. I always wished I could have gone back and not
provided them with the information.

So now I don't do that anymore.

~~~
ErrantX
> I never knew if they wrote the system or what happened to my design, but it
> never sat well with me. I always wished I could have gone back and not
> provided them with the information.

This is the least favourite part of my job too. I have a couple of
uncomfortable memories from university days when I ran my mouth about some
little ideas.

------
sgoranson
Their effort to obfuscate their tracks does sound pretty nifty, but part of me
is disappointed that it all depended on the target clicking on something they
shouldn't have. Glorified phishing schemes just don't have the pizazz of a
remote buffer overflow exploit, for example.

~~~
maukdaddy
This kind of attitude has to stop. "Glorified phishing" might not have pizazz,
but it was DAMN effective in this case. Why go to the trouble of finding,
coding, exploiting an increasingly difficult target when end users will do all
the work for you?

This is the kind of scenario that gives security people nightmares. It takes
VERY sophisticated processes and technology to find covert backdoors on your
network, and very few places devote the manpower or $$$ to the effort.

~~~
sgoranson
Effective or not, sending some bad links to a bunch of Google employees and
hoping one of them clicks is not a 'VERY sophisticated process'. It's just a
good example of how users will always be the weakest link in securing a
network.

~~~
barrkel
Opening up a page in a web browser ought to be a safe operation. If the user
lets that page start a plugin, or runs something it downloads, or flat out uses
IE for an unknown link, then I'd be more inclined to blame the user.

(This is why I use Foxit for PDF reading, I don't have a PDF plugin enabled in
my browser, PDFs download to disk, and similarly QuickTime, RealPlayer, WMP
etc. plugins are all disabled, with only Flash enabled but controlled via
FlashBlock.)

------
dschobel
Why/How is McAfee involved?

Would a company like Google really outsource the cleanup/forensics of an
attack?

~~~
datums
They were probably one of the first to see the activity across a few machines.

------
rainyday
Why are they routinely using IE6 (or any IE)??? Firefox + NoScript + AV = much
harder. Acrobat is bloatware, there are alternatives. Scripting should not be
allowed in Acrobat by default. Using IE6 with scripting enabled is just asking
for trouble. Ultra sophisticated meets ultra outdated.

------
holdenc
Sorry, this article lacks real detail. Sounds like standard fare -- an IE
vulnerability, malicious emails, "several layers of encryption?" Sorry...not
impressed.

~~~
dschobel
Try reading it again.

 _“The initial piece of code was shell code encrypted three times and that
activated the exploit,” Alperovitch said. “Then it executed downloads from an
external machine that dropped the first piece of binary on the host. That
download was also encrypted. The encrypted binary packed itself into a couple
of executables that were also encrypted.”

One of the malicious programs opened a remote backdoor to the computer,
establishing an encrypted covert channel that masqueraded as an SSL connection
to avoid detection. This allowed the attackers ongoing access to the computer
and to use it as a “beachhead” into other parts of the network, Alperovitch
said, to search for login credentials, intellectual property and whatever else
they were seeking_

