Flaws In The 'Aurora' Attacks
Security experts say targeted attacks could have been much worse, point out strategic errors made by the attackers
January 25, 2010
The attackers who unleashed the recent wave of targeted attacks against Google, Adobe, and other companies, making off with valuable intellectual property and source code, shocking the private sector into the reality of the potential threat of state-sponsored cyberespionage -- but they also made a few missteps along the way that might have prevented far worse damage.
Security experts say while the attacks indeed were potent in their outcome, they were discovered relatively quickly by Google, and the malware used to attack Google, Adobe, and other as-yet unnamed companies wasn't especially sophisticated nor unique other than the fact that it was a zero-day exploit. The attacks -- which Google says came out of China -- had been under way for, on average, nearly a month, and Google found them out in mid-December.
Chinese officials yesterday told the state-run Xinhua news agency that the government was not involved in the attacks.
Microsoft last week issued an emergency patch intended to protect Internet Explorer (IE) from the now infamous IE exploit code that was used to infect the front-line victims of the attacks at Google, Adobe, and some of the other targeted firms. Now that the exploit has seen the light of day and has been duplicated in other in-the-wild attacks since, researchers have reverse-engineered it for clues about the attackers and their intentions.
Joe Stewart, director of malware research for Secureworks and the person who discovered some Chinese-language ties to the code, says the so-called "Aurora" code has similar characteristics with other malware. "It's not incredibly sophisticated," Stewart says. "They do put in encryption ... and wrote an actual protocol to send binary [commands]. But that's something we've seen a before in a lot of malware. Still, it's not something amateurs would do."
The attack vector -- using a social engineering phishing message to lure the victims -- wasn't anything new, either. What impressed security researchers who've studied the code was the outcome of the attacks, not the malware.
"The sophistication of the Aurora attacks is less about the malware and zero-day used, and more about the coordinated effort to target and pilfer from an estimated 33 companies in a short period of time," says Marc Maiffret, chief security architect for FireEye. "The exploit is subpar on many levels as it relates to weaponized exploits, and the malware is also of less sophistication than we have seen with even standard botnet. The fact is, these attacks show what is commonplace and already happening every day to businesses relying on legacy AV and IPS technologies."
How the attackers gathered intelligence on the victim companies is still unclear, but sources with knowledge of the events say the attackers gathered the appropriate names and email addresses thanks to "good intelligence" that they were able to use. "The state sponsorship may not be financial, but it is backed with intelligence," one source said in an earlier interview. "What we're seeing is a blending of intelligence work plus malicious cyberattacks."
One theory is that they merely did their own research via the public Web, which can be employed by anyone doing reconnaissance. Another theory is they could have had access to, or compromised, a high-level router that handles traffic to and from Google in China, according to the source.
Maiffret and other security experts say what's most striking is how the attackers were able to hit so many companies at once, and that it appears they were successful in stealing what they were after. "That was definitely sophisticated in itself," Maiffret says.
But there was a downside of waging these attacks en masse -- it was also fairly conspicuous. Google has said publicly that at least 20 companies from a range of industries, including Internet, finance, technology, media, and chemical, were among the casualties, but security sources say it could be up to around 30.
"What was uncommon here was that they hit all of these companies at once. Frankly, that was not particularly clever. That upped their rate of being caught," says Al Huger, vice president of engineering at Immunet. "That's a hallmark of somebody not really knowing what they were doing."
Huger says that doesn't necessarily mean the attacks were not state-sponsored, however. "But whoever did it made some egregious mistakes," he says.
Another big misstep was that the attackers apparently sent the stolen data back to one server location, he says. "All it took was Google to track that server and it could tell who else was compromised" as well, he says. "That's pretty bush league."
Even so, these shortcuts may have been irrelevant to the attackers if they were satisfied with the intellectual property they did score, experts say.
And while the focus thus far publicly has been on the infected client machines, the details are still emerging on how exactly the attackers got the intellectual property from the victims -- and Google and Adobe aren't talking about that publicly. Several scenarios are possible, including the attackers grabbing the infected machine's user credentials, and from there diving deeper into Google and the others, or the attackers used additional exploits to tunnel their way inside, or a combination of the two approaches.
Still, many of the details of the attack may never come to light. Google hasn't elaborated on its initial revelation about the attacks, and since it appears the attackers were mostly after intellectual property, if the other 20- to 30-something companies didn't have customer data exposed in the attacks, they won't necessarily have to step into the spotlight and admit they were attacked, experts say.
Meanwhile, researchers today said that they have spotted the IE Aurora exploit code running on at least one Chinese government Website, adding fuel to speculation about Chinese government backing of the attacks on Google, Adobe, and the other companies. And experts say this is yet another indication that Chinese users may be even more vulnerable to this particular exploit now that it's in the wild than users in the U.S. are.
"The question is, is it CN Government sponsored for the purposes of potentially spying on its citizens, or have GOV.CN websites been infiltrated by hackers?" blogged Zscaler researchers today.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like