Aurora hackers said to have accessed law enforcement targets

In January 2010, Google shocked the cyber world by confessing it had been the target of an advanced persistent threat lasting months and mounted by hackers connected to China's People Liberation Army.

"[We] have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists," Google Senior Vice President and Chief Legal Officer David Drummond wrote in blog post at the time.

Now, more that three years after that posting on what came to be known as Operation Aurora, it appears that the cyber marauders were after more than just information on activists. They were also after information on investigations on Chinese spies in the United States being conducted by the FBI and U.S. Department of Justice.

The Aurora hackers gained access on Google's servers to a database that contained information on U.S. surveillance targets, the Washington Post reported on Monday, citing former and current government officials as sources for the story.

Such information would be invaluable to China because it would allow its intelligence operatives to destroy information before counter intelligence agents got their hands on it and allow the spies to evade capture and prosecution.

The database included years of surveillance information, including thousands of court orders issued to law enforcement officials around the nation seeking to monitor suspects' email, as well as classified orders targeting foreign subjects and issued under the Foreign Intelligence Surveillance Act.

The incident set off a tiff between Google, the DOJ and FBI, the Post reported, because the federal agencies wanted to access the company's technical logs and other information about the breach to assess the potential damage done to its counter espionage efforts.

[Also see: Opinion varies on action against Chinese cyberattacks]

Google representative Jay Nancarrow said in an email that the company is not commenting on the matter at this time.

Google wasn't a lone target in Operation Aurora. More than 20 companies were attacked, including Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical.

Last month, a Microsoft executive said that the Aurora bandits had also breached his company's servers snooping for accounts it had lawful wiretap orders on. Since that time, the executive has recanted those remarks.

"I was referring to statements in the media from the January 2010 timeframe," Dave Aucsmith, senior director for Microsoft's Institute for Advanced Technology, said in a statement.

"My comments were not meant to cite any specific Microsoft analysis or findings about motive or attacks, but I recognize that my language was imprecise," he added.

Matt Thomlinson, Microsoft's general manager for trustworthy computing and security added in an email, "The so-called 'Aurora' attacks did not breach the MS network."

The Chinese government has denied being behind Aurora. It has noted that cyber attacks and espionage are against Chinese law and has done all it can to combat such online activities.

While an attack on the database is feasible, because of the breadth of Aurora, it's unlikely it was a specific target, reasoned Jeffrey Carr, CEO of Taia Global and author of "Inside Cyber Warfare: Mapping the Cyber Underworld."

"Google was only one of 20-plus companies attacked at the same time by the same group," he said in an interview. "So I would be surprised if the database was the objective of the attack. It was likely a crime of opportunity."

It's also an object lesson for organizations dealing with cloud storage that's operated by a third party, added Alan Brill, senior managing director for Kroll Advisory Solutions.

"There's more trust being given to cloud services than some of them deserve," he said in an interview. "It has become so easy [to store data somewhere else] that you might store something somewhere without thinking whether or not you really ought to do that."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Join the CSO newsletter!

Error: Please check your email address.

Tags U.S. Department of JusticeapplicationsPeople's Liberation Armylegalsoftwarefbidata protectionChina hackingcybercrimeAuroraData Protection | Malware

More about Adobe SystemsAdobe SystemsCyber WarfareDepartment of JusticeDOJDow Chemical AustraliaFBIGoogleJuniperJuniperKrollMicrosoftMorganMorgan StanleyNorthrop GrummanRackspaceSymantecTechnologyYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John P. Mello

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place