Malicious Life Podcast: Operation Aurora Part 1

In January 2010, Google revealed in its blog that it was attacked. This attack, since known as Operation Aurora, is attributed to China. In this series of episodes, we'll expose the complicated and often turbulent relationship between the world's largest internet company and the world's most populated nation...

About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.


Malicious Life Podcast: Operation Aurora, Part 1 Transcript

In August of 2009, Meron Sellen, a white hat hacker in Israel, privately reached out to Microsoft to report a vulnerability he’d found in the Internet Explorer browser. It was a severe kind of security flaw, easily exploited by a maliciously-crafted link.

The legitimacy and severity of this vulnerability–marked CVE-2010-0249–was confirmed by Microsoft the month after it was first reported. A patch was only scheduled for half a year later, however, when the company planned to release a full-scale update of Internet Explorer.

It seems like a long time. It didn’t matter. They were already too late.

As early as April 2009, four full months before Sellen’s report, a foreign entity had begun work on an exploit for the 0249 vulnerability. The gravity of what they would go on to achieve with it suggests careful analysis, planning and preparation throughout those months.

It was a fateful day when one Google employee received such a maliciously-crafted link in Microsoft Messenger. Little could that person have anticipated the world-altering consequences of just one…little…mouse click.

Trojan.Hydraq
The attack that began with that mouse click was given a name–Operation Aurora–after a file path called “Aurora” in the malware’s binary. According to McAfee’s Dmitri Alperovitch, this may be the name the hackers themselves were using to describe their attack. It’s hardly the kind of scary name that you might associate with the massive events you’ll soon hear about. Maybe it was named after the colors of the Google logo.

But who was that enemy? Google is one of the world’s most well-organized and well-defended companies. You’d have an easier time hacking into a small country. Maybe even the U.S. government, depending on the branch. Something big had to be behind this. The NSA, FBI, Google, Microsoft, McAfee, and other companies and teams all took it upon themselves to investigate.

The security vulnerability discovered by Meron Sellen is of a type we’d call ‘Use After Free’. Use-after-free exploits are like buffer overflow exploits, in that both manipulate the way a program accesses its memory – but they’re more subtle. In a buffer overflow, the attacker breaks out of an allocated memory buffer by writing too much data into it. In a use-after-free exploit, the attacker looks for a region of memory that the program has already freed but still refers to – and substitutes its content with malicious data.

A good analogy for this technique is a museum heist. Imagine you’re a thief, and you want to steal a precious artifact from a museum. The premises are heavily guarded, and the artifact is locked away every night. The only way to steal it is to do so in the light of day. How can you steal a priceless item when, at any minute, you’re liable to be seen? Maybe you can replace the real artifact with a fake. If you can do so without being spotted, it could take hours, days, months for somebody to realize what’s been done.

The problem Sellen found with Internet Explorer was that under certain conditions, when an object was removed–or freed–from memory, its pointer–the reference that told the browser where the object was located in memory–didn’t go away. Like a map of a museum: even after you’ve stolen the precious artifact and replaced it with the fake, its location still shows up on the map, and so nobody knows anything’s wrong.

The malware in this case used a harmless image file as a decoy, and an event object to do the switcheroo. As soon as the image was loaded, it was removed and its memory was overwritten. The space it once took up was now free for other use, such as holding attacker-supplied data. In reality it’s a bit more complicated than that: another step is needed to keep the browser from crashing when the malicious code starts to run – but that’s the basic idea.
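To make the dangling-pointer mechanism concrete, here is an added example written for this page in C; it is not code from the episode, from Internet Explorer, or from the Aurora exploit. It uses a constructed fixed-slot pool that hands the most recently freed slot straight back to the next allocation, standing in for the browser heap; the object names "image" and "attacker-data" are placeholders, not the real objects involved. `uaf_demo` keeps a raw pointer past the free and reads the replacement through it, which is the "fake artifact still on the map" situation; `safe_demo` shows one mitigation, a generation-checked handle, that refuses a stale reference instead of following it. All function and type names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tiny fixed-slot pool that hands the most recently
 * freed slot straight back to the next allocation. It stands in for the
 * browser heap so the outcome is deterministic; it is not Internet Explorer's
 * allocator, and the object names are placeholders. */

#define POOL_SLOTS 4
#define NAME_LEN   32

typedef struct {
    char     name[NAME_LEN];  /* object payload, e.g. "image" */
    uint32_t generation;      /* incremented on every free; checked by safe handles */
    bool     in_use;
} slot_t;

static slot_t pool[POOL_SLOTS];

/* Lowest free slot wins, so a just-freed slot is reused immediately. */
static slot_t *pool_alloc(const char *name) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            strncpy(pool[i].name, name, NAME_LEN - 1);
            pool[i].name[NAME_LEN - 1] = '\0';
            return &pool[i];
        }
    }
    return NULL;
}

static void pool_free(slot_t *s) {
    s->in_use = false;
    s->generation++;                 /* every handle issued before this free is now stale */
    memset(s->name, 0, NAME_LEN);
}

/* Vulnerable pattern: the raw pointer outlives the object it pointed to.
 * The "map" (img) still marks the slot, but the slot now holds whatever
 * was allocated next. Returns the string seen through the dangling pointer. */
const char *uaf_demo(void) {
    memset(pool, 0, sizeof pool);
    slot_t *img = pool_alloc("image");      /* the decoy object */
    pool_free(img);                         /* freed, but img is never cleared */
    pool_alloc("attacker-data");            /* next allocation lands in the same slot */
    return img->name;                       /* dangling read observes the replacement */
}

/* Mitigation: a handle records the slot's generation when it is issued, and
 * resolution refuses the handle once the slot has been freed or reused. */
typedef struct {
    slot_t  *ptr;
    uint32_t generation;
} handle_t;

static handle_t handle_from(slot_t *s) {
    handle_t h = { s, s->generation };
    return h;
}

static slot_t *handle_resolve(handle_t h) {
    if (h.ptr == NULL || !h.ptr->in_use || h.ptr->generation != h.generation)
        return NULL;                        /* stale or freed: do not follow it */
    return h.ptr;
}

/* Same sequence as uaf_demo, but every access goes through the handle check. */
const char *safe_demo(void) {
    memset(pool, 0, sizeof pool);
    handle_t img = handle_from(pool_alloc("image"));
    pool_free(handle_resolve(img));         /* still valid at this point */
    pool_alloc("attacker-data");
    slot_t *s = handle_resolve(img);        /* generation mismatch -> NULL */
    return s ? s->name : "stale handle rejected";
}

int main(void) {
    printf("raw pointer after free sees: \"%s\"\n", uaf_demo());
    printf("generation-checked handle:   %s\n", safe_demo());
    return 0;
}
```

With a real heap (malloc and free) the same sequence is undefined behaviour, and AddressSanitizer, enabled with -fsanitize=address in GCC and Clang, reports it as a heap-use-after-free; the private pool is used here only so that the substitution is reproducible. Generation counters (also called tagged or epoch handles) turn a silent substitution into a detectable failure, which is the property a defender wants: the stale reference fails loudly instead of quietly reading someone else's object.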

The payload, the actual malicious code, was Trojan.Hydraq. After downloading itself to a target computer, Hydraq establishes a connection with a command-and-control server, and this path of communication gives the malware’s owner near-full control over a target computer: to view, edit and create files, gather information useful to digging deeper into the network, and siphon out sensitive proprietary data on corporate servers. All this punch was packed into a single malicious link. That link was sent out to a few, specific targets: individuals identified for who they were, and what they had access to. The link came in emails and instant messages, which appeared to be sent from trusted contacts.

Looking For Clues
And so, when Hydraq was first discovered, investigators were able to search it for clues. Joe Stewart of SecureWorks was one of those who examined the code, and he found a particularly suspect component. It was a cyclic redundancy check, or CRC: an error-detection algorithm for stored and transferred data. CRCs are fairly common – I personally implemented lots of them when I was a developer – but Stewart had never seen this particular version before. When he searched the web for other instances of the same CRC, he found a hit: its source code was structurally identical to Hydraq’s, and would give the same output for any input it received.

The interesting part wasn’t the code, though, it was where the code came from. It was first published in a white paper written in Simplified Chinese. A quick Google search revealed that just about every instance of, or reference to, this particular CRC was from a Chinese source. So, in all likelihood, only a Mandarin speaker would even know of this particular CRC algorithm’s existence.
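As a constructed illustration of the comparison Stewart made (this is my own code, not his, not Hydraq’s CRC, and not the routine from the Chinese white paper), the block below implements the standard CRC-32 polynomial 0xEDB88320, the variant used by zlib and PNG, in two structurally different styles and then runs a differential check over constructed inputs to confirm that both give the same output for the same input. The names `crc32_bitwise`, `crc32_table` and `implementations_agree` are my own; the check value 0xCBF43926 for the ASCII string "123456789" is the standard test vector for this CRC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: standard reflected CRC-32 (polynomial 0xEDB88320,
 * initial value and final XOR 0xFFFFFFFF), as used by zlib and PNG. This is
 * NOT the CRC Joe Stewart found in Hydraq; it only shows what a CRC is and
 * how one verifies that two implementations are functionally equivalent. */

#define CRC32_POLY 0xEDB88320u

/* Bit-at-a-time form: shift one bit per step, XOR the polynomial when the low bit is set. */
uint32_t crc32_bitwise(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (CRC32_POLY & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Table-driven form: precompute the 256 per-byte remainders once, then
 * consume a whole byte per step. Same polynomial, different structure. */
static uint32_t crc_table[256];
static int crc_table_ready = 0;

static void crc32_build_table(void) {
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = n;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (CRC32_POLY ^ (c >> 1)) : (c >> 1);
        crc_table[n] = c;
    }
    crc_table_ready = 1;
}

uint32_t crc32_table(const uint8_t *data, size_t len) {
    if (!crc_table_ready) crc32_build_table();
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        crc = crc_table[(crc ^ data[i]) & 0xFFu] ^ (crc >> 8);
    return crc ^ 0xFFFFFFFFu;
}

/* Differential check: feed both routines the same constructed inputs (a few
 * fixed strings plus pseudo-random buffers from a small LCG) and report
 * whether every output pair matched. Returns 1 on full agreement, 0 otherwise. */
int implementations_agree(void) {
    const char *fixed[] = { "", "a", "123456789", "Aurora", "The quick brown fox" };
    for (size_t i = 0; i < sizeof fixed / sizeof fixed[0]; i++) {
        const uint8_t *p = (const uint8_t *)fixed[i];
        size_t n = strlen(fixed[i]);
        if (crc32_bitwise(p, n) != crc32_table(p, n)) return 0;
    }
    uint32_t seed = 0x12345678u;      /* fixed seed so the run is reproducible */
    uint8_t buf[256];
    for (int round = 0; round < 200; round++) {
        size_t n = (size_t)(seed >> 24);          /* buffer length 0..255 */
        for (size_t j = 0; j < n; j++) {
            seed = seed * 1664525u + 1013904223u; /* Numerical Recipes LCG constants */
            buf[j] = (uint8_t)(seed >> 16);
        }
        seed = seed * 1664525u + 1013904223u;
        if (crc32_bitwise(buf, n) != crc32_table(buf, n)) return 0;
    }
    return 1;
}

int main(void) {
    const uint8_t vec[] = "123456789";
    printf("crc32(\"123456789\") = 0x%08X (expected 0xCBF43926)\n", crc32_bitwise(vec, 9));
    printf("bitwise and table-driven agree on all inputs: %s\n",
           implementations_agree() ? "yes" : "no");
    return 0;
}
```

For an analyst the point runs the other way round from the usual use of a CRC: the polynomial, the initial value, the final XOR and the loop structure are all choices a programmer makes, and an unusual combination that appears in a sample and in exactly one published source is a fingerprint worth recording, in the same way an unusual string, packer or compiler setting would be.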

Google, in its blog, claimed the attack originated in China. But the mounting evidence did not implicate anyone in particular. It could’ve been the work of a well-resourced cybercrime ring. A New York Times article published one month after the fact described a meeting of select security experts and NSA personnel, arranged by a U.S. defense contractor. The subject of the discussion was two universities the malware traced back to. It was hard to believe that students could’ve pulled off a major breach into the world’s leading data company, and even harder to understand why they’d want to.

Who had the resources and ability to breach Google? And who had reason to do it?

China’s Half-Open Window
It’s been a hot summer, hasn’t it? Usually during these months I like to keep a window open, to let in some fresh air. The problem is that so many flies get in that way. Especially when I’m trying to record, they really get on my nerves. Sometimes I get so annoyed with the flies that I just… close the window.

When Deng Xiaoping took over as Chairman of the People’s Republic of China in 1976, following the death of Mao Zedong, he set in motion a fundamental shift in how the country operated. The capitalist reforms that were set in motion then have allowed the country to become the fastest-growing, leading economy of the world today. But they always came with a catch. The legacy of Mao is a nation which quashes free trade and free thought. Nothing goes in or out of the country without the express consent of the Chinese Communist Party. No ideas, no products, no things. Businesses are allowed in or kept out, based on their perceived usefulness to the state. Movies are individually scrutinized, and approved or disapproved based on their perceived appropriateness.

Deng Xiaoping, who started all this, had an adage which best encapsulates the fundamental conflict of China’s modern reforms. He’d say: “If you open the window for fresh air, you have to expect some flies to blow in.”

You and I may take issue with China’s suppression of basic human freedoms. But that doesn’t make Deng Xiaoping wrong. Free and open societies, for all their benefits, come with baggage. Free discourse allows bandwidth to abhorrent ideas and ideologies. Unrestricted business opens the door to greed and inequality. Free peoples have been known to willingly elect tyrants into positions of power, from time to time, even when doing so hurts their own interests.

The Chinese model, in contrast, prevents the spread of ideas deemed “undesirable”. The government controls the market, which allows them to promote Chinese-owned businesses over foreign ones, and make use of private enterprises as they see fit. A single, unified political party rules the nation, so things get done much more quickly. In the U.S. we lament, sometimes, that Congress can’t get anything done. That’s not even a question in China. China can enact massive infrastructure projects, reforms, and military acts at the drop of a hat, because the arguments are simply not there.

In other words: unlike in the West, China would prefer to keep the window closed than let flies in. What do you think might happen, then, if somebody came in and tried opening that window for them?

Google China
Google.com first came to China in 2000, but it just wasn’t very good. That’s not my personal opinion, it’s theirs. On January 27th, 2006, the company issued a blog post which began, quote:

“Google users in China today struggle with a service that, to be blunt, isn’t very good. Google.com appears to be down around 10% of the time. Even when users can reach it, the website is slow, and sometimes produces results that when clicked on, stall out the user’s browser. Our Google News service is never available; Google Images is accessible only half the time. At Google we work hard to create a great experience for our users, and the level of service we’ve been able to provide in China is not something we’re proud of.”

Baidu, founded in 2000, has always been to China what Google is to you and me. Google had very little presence in the country up to this point, and so if you lived in China, there was little reason to look past Baidu.

Both Google and China had reason to keep things that way. China always seeks to grow companies within its borders, rather than allowing foreign ones in. It’s part of the reason why they have a “Chinese Google”, Baidu, a “Chinese Facebook”, WeChat, a “Chinese YouTube”, Youku Tudou, and so on and so on. By keeping out and, essentially, replicating foreign businesses, the Chinese can better control how these influential corporations operate, and promote their own economy at the expense of the global market.

Google, for its part, was founded on the ideal of free and open information sharing. In order to exist in China they knew that, because of government restrictions on free speech, they would have to specially modify their platform to suppress certain information. The informal motto of the company has always been “don’t be evil”. Suppressing information about human rights abuses, and evidence of corruption and malice within the Chinese ruling class, surely would qualify as, if not itself evil, at least supporting and propagating evil.

But no matter the ideal, Google is a corporation–its function is, ultimately, to make money–and China has a population of 1.3 billion. No business has ever turned down a money-making opportunity of that scale, on moral grounds.

On the 27th of January in 2006, Google announced that it would be opening up a branch in China, and launching a new platform, Google.cn. You might describe Google.cn as, like, 90% Google. It was to be just like the Google you and I know…but with a few things left out. Gmail, for example, would not be available in China, nor would any other services that the government might one day seek to intrude on and use to their own anti-democratic advantage.

Most importantly, of course, Google.cn had to filter search results according to the government’s wishes. That meant if you were to search for, say, “1989 Tiananmen Square” on Google.cn versus Google.com, you’d receive starkly different results. Company executives knew this would anger many of their supporters. They wrote about the decision:

“Filtering our search results clearly compromises our mission. Failing to offer Google search at all to a fifth of the world’s population, however, does so far more severely.”

Attribution To China
So it seems that Google decided to play by China’s rules, and prevent any stray flies from entering through the half-open window. Still, all clues pointed to the Chinese government as the likely culprit in the hack.

For example, as I mentioned earlier a New York Times report, released one month into the investigation, traced the origins of the Aurora attacks to two universities. The first, Shanghai’s Jiaotong University, is home to one of the world’s most prestigious computer science departments. The second, Lanxiang Vocational School, was founded in 1984 under military guidance, and acts as a feeder for the People’s Liberation Army.

In that piece, the Times reporter interviewed a Jiaotong professor:

“I believe there’s two kinds of situations. One is it’s a completely individual act of wrongdoing, done by one or two geek students in the school who are just keen on experimenting with their hacking skills learned from the school, since the sources in the school and network are so limited. Or it could be that one of the university’s I.P. addresses was hijacked by others, which frequently happens.”

Could it be that a few reckless students, or some anonymous third-party, took down the world’s great internet company?

China’s authoritarian government has complete jurisdiction to conduct its affairs, however it chooses, whenever it chooses, through any business or institution within its borders. In the “China vs. GitHub” episode of Malicious Life, for example, the government leveraged Baidu’s ad placement service as a superweapon, to enact a massive denial of service of GitHub.com. In this case, they might have used prominent schools with prestigious tech programs as cover. It allows those involved to say “hey, it was probably just some reckless students”.

But it almost certainly wasn’t just some reckless students. “I think it’s impossible for our students to hack Google or other U.S. companies,” said the dean of Lanxiang’s computer science department, “because they are just high school graduates and not at an advanced level. Also, because our school adopts close management, outsiders cannot easily come into our school.” End quote. The evidence supports this view. First, the methods and code used in the Aurora attacks were high-level–the stuff of governments and well-run crime rings. Second, in his investigation, Joe Stewart found components of Hydraq that had creation dates as far back as 2006. If those dates were not listed in error, they’d indicate that the trojan was many years in the making.

Third, the attack had been coordinated to occur during the Christmas holidays, when most U.S. citizens would be off on vacation. Now, it’s true that plenty of young people have hacked big companies before. But if you’ve listened to our show, you’ll know: it’d be hard to find a young hacker with the kind of patience and forethought to time their attack with a holiday break. More likely, then, this was a major attacker using high-ranking technical schools as cover.

There’s another clue, discovered in Google’s logs, that points at the Chinese government. According to The Financial Times, Google found that the intruder, while inside its systems, had broken into and attempted to read from two Gmail accounts held by a single person.

In addition to being a world-famous artist, Ai Weiwei is one of China’s most outspoken critics. Starting in November 2005, he wrote incisive material about the government on China’s equivalent of Twitter, Sina Weibo. In May of 2009 Sina Weibo shut down his account, so he moved to Twitter, where he did the same for another four years. At various points during that period he was jailed, harassed by police, a studio of his was demolished, and he’s essentially living in exile today.

In an article for CNN, computer expert Bruce Schneier claimed that the Aurora hackers entered Weiwei’s Gmail through a special backdoor. That backdoor was created by Google, in order to comply with U.S. government warrants for the searching of private data. This targeted intrusion was damning evidence. Ai Weiwei is beloved worldwide. He really only has one enemy.

Google’s Small Rebellions
But it seems unlikely that the Chinese government would orchestrate a cyber attack against one of the world’s largest technology companies just so it could hack into one person’s Gmail account. There had to be some other motive – and it could be that Google’s behaviour provided that motive.

I said earlier that it seems that Google decided to play according to China’s rules. The truth, however, is more complicated. The fundamental conflict between China’s Closed Window policy and Google’s inherent ideals of free and open information sharing never really went away. Fortune magazine described what those years were like for Google.cn, writing:

“A demand would come from a government ministry to take down 10 items; Google would typically take down seven and hope that the compromise resolved the matter. Sometimes after a few days or weeks Google would quietly restore links it had censored. Every five months Google’s policy-review committee in China would meet to make sure it was filtering the minimum it could possibly get away with.”

The perspective of some at Google was that this constant battle, while tedious, was important: that in small acts of rebellion, they were moving the needle, slowly and subtly, towards freedom in China. Others at the company felt more cynical about it. Unfortunately, the cynics were later proven right. Around the time of the 2008 Beijing Olympics, with the eyes of the world descending on them, the Chinese government took a firmer grasp on Google. Tensions that were simmering now rose to a boiling point.

Government agents made a special issue of Google’s “Suggest” feature. You know how you’ll start typing into Google’s search bar, and suggestions for what to type in begin showing up in a drop-down menu? Turns out, that’s an invention of Google.cn. Unlike our 26-character alphabet, Chinese languages contain thousands upon thousands of characters. As a result, Google found their Chinese users would often type significantly shorter search queries than their counterparts elsewhere in the world. So they built Suggest–a staple for all of us today–to allow for quicker and more robust Chinese-language queries.

One consequence of Suggest, however, is that an indifferent algorithm determines what shows up in your results. Officials from the Chinese government believed that searches would too often return sexual or otherwise lewd suggestions. In one remarkable instance, officials summoned Google China’s highest executives to a hotel, where they’d set up a laptop and projector. From Fortune:

“Once everyone was seated, the show began. The Chinese went to Google.cn and typed in a vulgar term for breasts. Google Suggest offered links that displayed raw nudity, and more. The official typed in the word meaning “son,” and one of the Google Suggest terms was “love affair between son and mother.” The links to this term yielded explicit pornography. The woman serving tea in the conference room almost fainted at the spectacle.”

For a country that bans all forms of pornography, that values its tight grip over information, this would not stand. After months of conflict, they decided enough was enough.

The officials at the meeting warned: this time there would be consequences. It could be that Operation Aurora was a consequence of Google’s small acts of rebellion.

But that’s just part of the picture. On January 12th, 2010, a few hours after Google disclosed the hack on its blog, no less than 35 major U.S. companies announced that they, too, were targeted by Operation Aurora. The Chinese, it seems, were after much more than just swatting the flies that came in through their open window.

In the next episode of Malicious Life, we’ll learn about the other victims of Operation Aurora, and how the hackers exploited poorly secured source code management systems to steal vast amounts of critical information from so many companies. We’ll learn about the Chinese official who is said to have initiated the attack after googling his own name – and Baidu’s potential involvement in the affair. All this and more, next time on Malicious Life.