OVERVIEW
- Operation Aurora was a cyber attack which began in mid-2009 and continued through December 2009.
- The attack was first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China.
- The attacks were both sophisticated and well resourced, and consistent with an advanced persistent threat attack.
- The attack was aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted.
- According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets.
CONTD..
- The attack was named "Operation Aurora" by Dmitri Alperovitch, Vice President of Threat Research at cyber security company McAfee.
- According to McAfee, the primary goal of the attack was to gain access to, and potentially modify, source code repositories at these high tech, security and defense contractor companies.
ATTACK ANALYSIS
- Google stated that some of its intellectual property had been stolen. It suggested that the attackers were interested in accessing Gmail accounts of Chinese dissidents.
- Two days after the attack became public, McAfee reported that the attackers had exploited purported zero-day vulnerabilities (unfixed and previously unknown to the target system developers) in Internet Explorer and dubbed the attack "Operation Aurora".
- A week after the report by McAfee, Microsoft issued a fix for the issue, and admitted that they had known about the security hole used since September.
CONTD..
- According to a diplomatic cable from the U.S. Embassy in Beijing, a Chinese source reported that the Chinese Politburo directed the intrusion into Google's computer systems. The cable suggested that the attack was part of a coordinated campaign executed by "government operatives, public security experts and Internet outlaws recruited by the Chinese government."
- Once a victim's system was compromised, a backdoor connection that masqueraded as an SSL connection made connections to command and control servers running in Illinois, Texas, and Taiwan, including machines that were running under stolen Rackspace customer accounts.
RESPONSE AND AFTERMATH
- The German, Australian, and French governments publicly issued warnings to users of Internet Explorer after the attack, advising them to use alternative browsers at least until a fix for the security hole was made. The German, Australian, and French governments consider all versions of Internet Explorer vulnerable or potentially vulnerable.
- In an advisory on January 14, 2010, Microsoft said that attackers targeting Google and other U.S. companies used software that exploits a hole in Internet Explorer. The vulnerability affects Internet Explorer versions 6, 7, and 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4.
- In March 2010, Symantec, which was helping investigate the attack for Google, identified Shaoxing as the source of 21.3% of all (12 billion) malicious emails sent throughout the world.
CONTD..
- Microsoft admitted that the security hole used had been known to them since September. Work on an update was prioritized and on Thursday, January 21, 2010, Microsoft released a security patch aiming to counter this weakness, the published exploits based on it and a number of other privately reported vulnerabilities.
- On February 19, 2010, a security expert investigating the cyber-attack on Google claimed that the people behind the attack were also responsible for the cyber-attacks made on several Fortune 100 companies in the past one and a half years.
DETECTION
- The first step in the detection process would be a request by the agent to the server requesting permission for the agent to execute a full scan of the machine.
- The purpose of this scan is to capture all of the changes to that machine since the previous scan results were processed as part of the normal agent/server interaction that occurs every 24 hours.
- The Triumfant server would respond within seconds, authorizing the scan and throttling up the agent to complete the scan as rapidly as possible, collecting all 200,000 plus attributes in under a minute.
- The resulting scan would capture the state of the machine immediately after infection, providing the raw material for diagnosis so the analytics could verify the machine is under attack and identify all of the primary and secondary artifacts of the attack.
DIAGNOSIS
- The Triumfant server would receive the full scan, recognize that it was executed as a result of suspicious behavior, and immediately compare it to the adaptive reference model (the unique context built by our patented analytics).
- The result of this comparison would be a set of anomalous files and registry keys. The fact that the files and keys associated with Operation Aurora have random names would guarantee that they would be perceived as anomalous, despite the fact that humans might tend to confuse them with legitimate Windows services.
CONTD..
- Further analysis would then be applied to the anomaly set to identify important characteristics and functional impacts. In this case the salient characteristics are an anomalous service and a number of anomalous system32 files.
- For Operation Aurora these correlation functions would group all of the anomalous attributes and then perform a risk assessment on this group. In this specific case, this analysis would find that the malicious attack is communicating over the internet.
- The data about the attacks would be posted at the console and the Triumfant server would alert the appropriate personnel based on the established reporting and alert protocols.
KNOWLEDGE BASE
- In the case of Operation Aurora, an analyst could save the analysis and build a filter specifically about this attack. Once built, the filter could be used to check other endpoint machines (the entire population or specified groups) for infection.
- This mechanism uses acquired knowledge to address broad attacks before they have the chance to spread beyond their initial penetration.
- These filters are also more resilient than digital signatures because they use wildcarding to continue to detect the attack even as it morphs its basic signature over time to avoid traditional signature based tools.
REMEDIATION
- For Operation Aurora, Triumfant would construct a remediation to address all of the changes associated with the attack, restoring the altered attributes to their pre-attack condition.
- This includes the changes Aurora makes to the affected machine's configuration settings to either execute or hide itself. The files added to the machine would be deleted, and any files deleted or corrupted would be remediated.
- This remediation is built to exactly match the attributes of the anomalous application, in this case Operation Aurora, on an attribute by attribute basis.
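As an added example (not Triumfant's code, and using only constructed placeholder attribute names, hashes and paths rather than real Aurora artifacts), the following Python models the steps the Diagnosis, Knowledge Base and Remediation slides describe: compare a full scan against a reference model to get the anomaly set, derive a wildcard filter from it that still matches a variant with different random names, and build an attribute-by-attribute remediation plan.

```python
from fnmatch import fnmatch
# Adaptive reference model for one endpoint (attribute -> value). Constructed
# sample data: every path, name and hash here is a placeholder, not an Aurora IoC.
BASELINE = {
    "file:C:/Windows/system32/ntdll.dll": "sha256:ntdll-known-good",
    "service:Spooler": "start=auto image=C:/Windows/system32/spoolsv.exe",
    "reg:HKLM/Software/Vendor/Updater": "C:/Program Files/Vendor/updater.exe",
}
# Full scan taken right after the agent reported suspicious behaviour (constructed).
INFECTED_SCAN = {
    "file:C:/Windows/system32/ntdll.dll": "sha256:ntdll-MODIFIED",
    "file:C:/Windows/system32/a1b2c3d4.dll": "sha256:unknown-1",
    "service:Spooler": "start=auto image=C:/Windows/system32/spoolsv.exe",
    "service:x9q7w2": "start=auto image=C:/Windows/system32/a1b2c3d4.dll",
}

def diff_against_model(baseline, scan):
    """Anomaly set: attributes added, removed or changed relative to the model."""
    changed = [k for k in baseline if k in scan and baseline[k] != scan[k]]
    return {"added": {k: v for k, v in scan.items() if k not in baseline},
            "removed": {k: v for k, v in baseline.items() if k not in scan},
            "modified": {k: (baseline[k], scan[k]) for k in changed}}

def _wildcard_leaf(text):
    """Wildcard the last path component (the random name); keep dir and extension."""
    head, sep, leaf = text.rpartition("/")
    _stem, dot, ext = leaf.rpartition(".")
    return head + sep + ("*" + dot + ext if dot else "*")

def build_filter(anomalies):
    """Knowledge-base filter: one (key pattern, value pattern) per added attribute.
    Rules are ANDed, so the combination, not any single pattern, flags a host."""
    rules = []
    for key, value in anomalies["added"].items():
        kind, _, rest = key.partition(":")
        rules.append((kind + ":" + _wildcard_leaf(rest), _wildcard_leaf(value)))
    return rules

def matches_filter(rules, scan):
    """True when every rule matches at least one (key, value) in the scan."""
    return all(any(fnmatch(k, kp) and fnmatch(v, vp) for k, v in scan.items())
               for kp, vp in rules)

def build_remediation(baseline, anomalies):
    """Attribute-by-attribute fix: delete additions, restore removals and changes."""
    plan = [("delete", k, None) for k in anomalies["added"]]
    plan += [("restore", k, baseline[k]) for k in anomalies["removed"]]
    plan += [("restore", k, old) for k, (old, _) in anomalies["modified"].items()]
    return plan
```

Because the filter rules are combined with AND, a clean machine that happens to have a legitimate system32 DLL does not match; a second endpoint with the same service-plus-DLL combination under different random names does.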
CONFICKER WORM: PIE CHART SHOWS THE TOP 10 INFECTIONS [pie chart not reproduced]
SUMMARY
- Operation Aurora is illustrative of the targeted and well engineered attacks that characterize the evolving threats businesses and government agencies face daily.
- Based on the available data regarding Operation Aurora, Resolution Manager would have detected the attack, identified changes associated with the primary and collateral damage done to the affected machines, and used that data to build a remediation to address the specific elements of the attack.
SAFE COMPUTING TIPS
- Your security scanner must always be turned on and up-to-date with the latest signatures.
- Increase your browser security settings.
- Do NOT open email from people you don't know. Think twice and verify before clicking a URL or opening an attachment.
- If you are using Adobe PDF Reader, prevent your default browser from automatically opening PDF documents.
- Check for and install security updates regularly.
- Be careful with search engine results. Read them carefully and check to ensure that the content relates to your subject before clicking the Web site link.