18 Oct 2022


Operation Aurora: The Largest Cyber Attack in History

Format: APA

Academic level: College

Paper type: Assignment

Words: 1379

Pages: 5


Around December 2009, something unusual was observed on Google's network. Google is a popular platform that the public uses, especially for accessing the internet. Ordinarily, Google has a security department staffed with experts who specialize in checking for possible intrusions and other unusual events on its systems. However, despite such strong security, hackers still managed to get past it and gain access to the network. After Google noticed the intrusion, it took the necessary actions to mitigate the problem. Early the following year, Google published a blog post informing the public about the incident. According to its account, the attack seemed more devastating than any intrusion it had previously experienced. The attackers had used malware that could not be detected by Google's antivirus programs or other software, a factor that led McAfee to step in and perform extended investigations into the attack. Immediately after Google's blog post was released, another disclosure followed, this time from Adobe, the company known for PDF reading and Photoshop. This company also reported being subject to a hacking attack in the same period. With such information, it became clear that these hackers had also attacked other companies such as Yahoo, Juniper Networks, and Microsoft.

After extensive investigations into the attack, information about how the entire event took place emerged. McAfee reverse engineered the malware and found that the institution responsible for the execution of these attacks was Aurora (Chhetri, Canedo & Faruque, 2018). Based on the situation and the folders found in the malware, McAfee decided to name this incident Operation Aurora.


Attack and Victim’s Info 

Evidence from trusted sources that assessed the malware signatures, domain names, and IP addresses led to the conclusion that the team responsible for conducting Operation Aurora was Elderwood. Elderwood, believed to be the primary suspect behind the attack, got its name from a source code variable that these hackers used in another attack. This team managed to gain entry into Google's source code platform and also obtained certain information concerning Chinese activists.

Elderwood specializes in infiltrating organizations, especially those known for producing mechanical and electronic components for top defense companies. These organizations then become the stepping stone for breaking into the top defense companies. Elderwood's attack strategies include infecting legitimate websites that are often visited by staff at the target institution. The group facilitates its attacks with malware that downloads automatically as soon as the viewer clicks on the website. In the next step, the group gains full access to the infected computer to obtain essential data about the company, such as product designs, company plans, and executive emails.

Vulnerabilities Extracted 

Reports from McAfee suggested that the intruders used zero-day vulnerabilities, which are unlikely to be known or recognized by the developers of the affected software, such as Internet Explorer. Surprisingly, a week after McAfee announced its findings, Microsoft released a fix for the problem. Microsoft further admitted that it had been aware of the security issue for some time. Other vulnerabilities could be traced to Perforce, the tool Google normally uses to manage and revise its source code.

Method Used by the Hacker to Conduct the Attack 

The first step these hackers took was to identify their target. They select an employee associated with the specific company, and the situation is even better for them when that employee is a developer. After identifying this person, they conduct a background assessment to learn whom the person interacts with and to collect other critical data found in their emails. Then the hackers send an email to the identified people. More often than not, the email is convincing, since the hackers have full information about the victim, which makes it easier to generate emails that closely resemble the victim's usual mail. As a result, victims perceive these emails as being as important as those coming from their fellow workers.

These emails are delivered in such a professional manner that even security personnel cannot suspect or detect anything. After clicking on the link, the victim is automatically redirected to a website that contains malware (Niu et al., 2016). Although the patching of Internet Explorer does not appear to be a big deal, it is the primary trigger of the whole setup. While the malware was not initially recognized by Microsoft, the patching activity was still able to occur with the help of a zero-day exploit. It is referred to as a zero-day in reference to the number of days Microsoft had been aware of the exploitation. The fact that Microsoft is unaware of it is what makes exploitation easy. As a result, when victims interact with the infected website, commands are executed on their computer.

The purpose of sending such commands to the victim's computer is to make it download and run a program. This worsens the situation, since the program in question is a Trojan. The Trojan bypasses the installed antivirus software and manages to fully infect the patched version of Windows. The Trojan creates a platform that operates under the hackers' instructions to take control of the victim's computer. All of this happens within seconds, since the whole setup is made to resemble ordinary web traffic.

The intrusion appears sophisticated given the reports that Google is attacked frequently. However, the most surprising part is that most people conducting such hacks use only typical exploitation approaches, some of which can be learned by reading a blog or watching YouTube. The Google intrusion contained multiple exploits that had not been anticipated. Hence, it is possible that these hackers either had enough money to purchase zero-day exploits or had a well-trained team that knew how to develop them. Most of the techniques applied by these hackers were not new. There is no doubt that the government has encountered multiple incidents of a similar nature. However, most commercial institutions have rarely experienced such a sophisticated attack; therefore, this attack has created a threat in the commercial sphere.

How the Attack has Been Detected and Identified 

While it can be challenging to identify the people involved in the intrusion, information obtained after the investigation pointed to China as the primary suspect. The attack was believed to originate from two schools in China, as the checksum algorithm used in the attack was found only in this country. Security analysts from CrowdStrike, Dell SecureWorks, and Symantec investigated the attack further and found that the same code displaying the name Elderwood appeared repeatedly during the operation (Pipyros et al., 2018). That is how the group obtained its identity.

The Consequence of the Attack

The hackers managed to access two areas of the company's information. First, they gained entry to Gmail accounts. Their targeting was specific: they were most interested in the emails of human rights activists, especially those linked to China. The attackers' main intention was to investigate the plans of the Chinese human rights movement. Surprisingly, the accounts the hackers were trying to reach appeared to be connected with court orders. Coincidentally, law enforcement in the United States had previously requested similar access to the same information.

The hackers' second target was Google's source code. Google kept most of its source code on a platform called Perforce, and during the investigation of this attack it noticed serious issues within Perforce. Perforce was reported to exhibit the following problems: any random individual could create a user account. Similarly, the admin role was rendered useless, as communication and passwords were unencrypted. Other companies also reported similar attacks; although they did not disclose clearly what was accessed, it seems the attackers had the same intent of gaining entry into their source code.

Conclusion 

Since this intrusion, Google and other institutions have made significant efforts to adjust their defense systems, as they are aware that such attacks could also occur in other business organizations (Yadav, Verma & Solanki, 2019). The Institute of Communitarian Policy Studies has urged China and the US to enter into a legal agreement on cyberspace restraint, an approach that would prevent similar incidents in the future.

References 

Chhetri, S. R., Canedo, A., & Faruque, M. A. A. (2018). Confidentiality breach through acoustic side-channel in cyber-physical additive manufacturing systems. ACM Transactions on Cyber-Physical Systems, 2(1), 3.

Niu, W., Zhan, X., Li, K., Yang, G., & Chen, R. (2016, November). Modeling attack process of advanced persistent threat. In International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage (pp. 383-391). Springer, Cham. 

Pipyros, K., Thraskias, C., Mitrou, L., Gritzalis, D., & Apostolopoulos, T. (2018). A new strategy for improving cyber-attacks evaluation in the context of Tallinn Manual. Computers & Security, 74, 371-383.

Yadav, R., Verma, R. N., & Solanki, A. K. (2019). Defense-in-Depth Approach for Early Detection of High-Potential Advanced Persistent Attacks. In Soft Computing: Theories and Applications (pp. 205-216). Springer, Singapore. 

Cite this page


StudyBounty. (2023, September 17). Operation Aurora: The Largest Cyber Attack in History.
https://studybounty.com/operation-aurora-the-largest-cyber-attack-in-history-assignment
