[Infowarrior] - Google Hack Was Ultra Sophisticated, New Details

Richard Forno rforno at infowarrior.org
Fri Jan 15 01:21:55 UTC 2010


Google Hack Attack Was Ultra Sophisticated, New Details Show
By Kim Zetter, January 14, 2010, 8:01 pm

http://www.wired.com/threatlevel/2010/01/operation-aurora/
Hackers seeking source code from Google, Adobe and dozens of other  
high-profile companies used unprecedented tactics that combined  
encryption, stealth programming and an unknown hole in Internet  
Explorer, according to new details released by researchers at anti-virus  
firm McAfee.

“We have never ever, outside of the defense industry, seen commercial  
industrial companies come under that level of sophisticated attack,”  
says Dmitri Alperovitch, vice president of threat research for McAfee.  
“It’s totally changing the threat model.”

In the wake of Threat Level’s story disclosing that a zero-day  
vulnerability in Internet Explorer was exploited by the hackers to  
gain access to Google and other companies, Microsoft has published an  
advisory about the flaw that it already had in the works. McAfee has  
also added protection to its products to detect the malware that was  
used in the attacks and has now gone public with a number of new  
details about the hacks.

Google announced Tuesday that it had been the target of a “highly  
sophisticated” and coordinated hack attack against its corporate  
network. It said the hackers had stolen intellectual property and  
sought access to the Gmail accounts of human rights activists. The  
attack had originated from China, the company said.

Minutes later, Adobe acknowledged in a blog post that it discovered  
Jan. 2 that it also had been the target of a “sophisticated,  
coordinated attack against corporate network systems managed by Adobe  
and other companies.”

Neither Google nor Adobe provided details about how the hacks occurred.

The hack attacks, which are said to have targeted at least 34  
companies in the technology, financial and defense sectors, have been  
dubbed “Operation Aurora” by McAfee due to the belief that this is the  
name the hackers used for their mission.

The name comes from references in the malware to the name of a file  
folder named “Aurora” that was on the computer of one of the  
attackers. McAfee researchers say when the hacker compiled the source  
code for the malware into an executable file, the compiler injected  
the name of the directory on the attacker’s machine where he worked on  
the source code.
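The directory name described above is a build artifact: when a Windows binary is compiled with debug information, the linker embeds a CodeView "RSDS" record holding the full path of the PDB file on the developer's machine. The following added example (not code from the article or from McAfee) shows how a responder can pull that path out of a sample and split it into folder names; the byte fragment and the `c:\work\Aurora\...` path are constructed for illustration, not the real Aurora binary's values.

```python
import struct

# Constructed sample: a fragment of PE debug data, NOT a real Aurora binary.
# RSDS record layout: "RSDS" (4) + GUID (16) + age (4) + NUL-terminated PDB path.
SAMPLE = (
    b"\x00" * 8
    + b"RSDS"
    + bytes(range(16))            # placeholder GUID
    + struct.pack("<I", 1)        # age
    + b"c:\\work\\Aurora\\build\\svc.pdb\x00"
    + b"\x00" * 4
)

RSDS_HEADER_LEN = 4 + 16 + 4


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path found in RSDS CodeView records within `data`.

    A full PE parser would locate the record via the debug directory; scanning
    for the signature is a shortcut that works on packed or partial dumps too.
    """
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end == -1:
            break
        raw = data[start:end]
        # PDB paths are plain ASCII; anything else is a false signature hit.
        if raw and all(0x20 <= b < 0x7F for b in raw):
            paths.append(raw.decode("ascii"))
        pos = data.find(b"RSDS", pos + 4)
    return paths


def build_directories(path: str) -> list[str]:
    """Split a Windows build path into its directory components.

    These folder names (e.g. project or campaign names) are what analysts use
    as a clustering hint across samples from the same developer.
    """
    parts = path.replace("/", "\\").split("\\")
    return [p for p in parts[:-1] if p]


if __name__ == "__main__":
    for p in extract_pdb_paths(SAMPLE):
        print(p, "->", build_directories(p))
```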

According to Alperovitch, the attackers used nearly a dozen pieces of  
malware and several levels of encryption to burrow deeply into the  
bowels of company networks and obscure their activity.

“The encryption was highly successful in obfuscating the attack and  
avoiding common detection methods,” he said. “We haven’t seen  
encryption at this level. It was highly sophisticated.”

Although the initial attack occurred when company employees visited a  
malicious web site, Alperovitch said researchers are still trying to  
determine if this occurred via a URL sent to employees via e-mail or  
instant messaging or some other method, such as Facebook or other  
social networking sites.

Once the user visited the malicious site, their Internet Explorer  
browser was exploited to download an array of malware to their  
computer automatically and transparently. The programs installed  
themselves seamlessly and silently onto the system, like Russian nesting  
dolls, flowing one after the other.

“The initial piece of code was shell code encrypted three times and  
that activated the exploit,” Alperovitch said. “Then it executed  
downloads from an external machine that dropped the first piece of  
binary on the host. That download was also encrypted. The encrypted  
binary packed itself into a couple of executables that were also  
encrypted.”

One of the malicious programs opened a remote backdoor to the  
computer, establishing an encrypted covert channel that masqueraded as  
an SSL connection to avoid detection. This gave the attackers  
ongoing access to the computer and let them use it as a “beachhead” into  
other parts of the network, Alperovitch said, to search for login  
credentials, intellectual property and whatever else they were seeking.
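A channel that merely uses port 443 is not the same as a TLS session, and that difference is what a network defender can check. The added example below (not from the article or McAfee) tests whether the first bytes a client sends on 443 form a plausible TLS ClientHello record and flags flows that do not; the flow records are constructed sample data, and the field names (`dport`, `payload`) are assumptions for the illustration.

```python
TLS_HANDSHAKE = 0x16      # TLS record content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type sent first by the client
MAX_RECORD = 16384        # TLS plaintext record length limit


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """Heuristic: do the client's first bytes look like a TLS ClientHello?

    Record header: type 0x16, version 0x03 0x00..0x03, 2-byte length.
    Handshake header: type 0x01, 3-byte length. For a ClientHello that fits in
    one record, handshake length + 4 equals the record length.
    """
    if len(first_bytes) < 9:
        return False
    ctype, vmaj, vmin = first_bytes[0], first_bytes[1], first_bytes[2]
    rec_len = int.from_bytes(first_bytes[3:5], "big")
    hs_type = first_bytes[5]
    hs_len = int.from_bytes(first_bytes[6:9], "big")
    return (
        ctype == TLS_HANDSHAKE
        and vmaj == 0x03 and vmin <= 0x03
        and 0 < rec_len <= MAX_RECORD
        and hs_type == CLIENT_HELLO
        and hs_len + 4 == rec_len
    )


def flag_non_tls_on_443(flows: list[dict]) -> list[dict]:
    """Return flows to port 443 whose opening bytes are not a TLS handshake."""
    return [f for f in flows
            if f["dport"] == 443 and not looks_like_tls_client_hello(f["payload"])]


# Constructed sample flows (not real captures):
#  - a genuine-looking ClientHello prefix: record len 0x2f, handshake len 0x2b
#  - a custom encrypted protocol on 443 that only imitates SSL by port choice
#  - plain HTTP on port 80, which is out of scope for this check
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "payload": bytes.fromhex("160301002f0100002b0303") + b"\x00" * 20},
    {"src": "10.0.0.7", "dst": "203.0.113.20", "dport": 443,
     "payload": bytes.fromhex("ff0000000800000053f3a9b1")},
    {"src": "10.0.0.9", "dst": "203.0.113.30", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for f in flag_non_tls_on_443(SAMPLE_FLOWS):
        print("non-TLS traffic on 443:", f["src"], "->", f["dst"])
```

A real ClientHello can be split across records or preceded by other traffic on shared ports, so treat a hit as a lead for inspection rather than a verdict.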

McAfee obtained copies of malware used in the attack, and “quietly”  
added protection to its products a number of days ago, Alperovitch  
said, after its researchers were first brought in by hacked companies  
to help investigate the breaches.

Although security firm iDefense told Threat Level on Tuesday that the  
Trojan used in some of the attacks was the Trojan.Hydraq, Alperovitch  
says the malware he examined was not previously known by any anti-virus  
vendors.

Once the hackers were in systems, they siphoned off data to  
command-and-control servers in Illinois, Texas and Taiwan. Alperovitch  
wouldn’t identify the systems in the U.S. that were involved in the  
attack, though reports indicate that Rackspace, a hosting firm in  
Texas, was used by the hackers. Rackspace disclosed on its blog this  
week that it inadvertently played “a very small part” in the hack.

The company wrote that “a server at Rackspace was compromised,  
disabled, and we actively assisted in the investigation of the cyber  
attack, fully cooperating with all affected parties.”

Alperovitch wouldn’t say what the attackers might have found once they  
were on company networks, other than to indicate that the high-value  
targets that were hit “were places of important intellectual property.”

iDefense, however, told Threat Level that the attackers were targeting  
source code repositories of many of the companies and succeeded in  
reaching their target in many cases.

Alperovitch says the attacks appeared to have begun Dec. 15, but may  
have started earlier. They appear to have ceased on Jan. 4, when  
command-and-control servers that were being used to communicate with  
the malware and siphon data shut down.

“We don’t know if the attackers shut them down, or if some other  
organizations were able to shut them down,” he said. “But the attacks  
stopped from that point.”

Google announced on Tuesday that it discovered in mid-December that it  
had been breached. Adobe disclosed that it discovered its breach on  
Jan. 2.

Alperovitch says the attack was well-timed to occur during the holiday  
season when company operation centers and response teams would be  
thinly staffed.

The sophistication of the attack was remarkable and was something that  
researchers have seen before in attacks on the defense industry, but  
never in the commercial sector. Generally, Alperovitch said, in  
attacks on commercial entities, the focus is on obtaining financial  
data, and the attackers typically use common methods for breaching the  
network, such as SQL-injection attacks through a company’s web site or  
through unsecured wireless networks.

“Cyber criminals are good . . . but they cut corners. They don’t spend  
a lot of time tweaking things and making sure that every aspect of the  
attack is obfuscated,” he said.

Alperovitch said that McAfee has more information about the hacks that  
it’s not prepared to disclose at present but hopes to be able to  
discuss in the future. McAfee’s primary goal, he said, was to make as  
much information public now as possible so that people could protect  
themselves.

He said the company has been working with law enforcement and has been  
talking with “all levels of the government” about the issue,  
particularly in the executive branch. He couldn’t say whether there  
were plans by Congress to hold hearings on the matter.

