Throwback Attack: Operation Aurora signals a new era in industrial threat

Courtesy: CFE Media and Technology

For many years, it almost seemed like the industrial sector got a free pass when it came to cybersecurity. The machines that existed in operational technology (OT) were complicated and specialized, and many held little value to hackers looking to steal data or credit card numbers. Besides, most industrial machines were “air-gapped” anyway, kept so far away from the public internet that they were all but inaccessible to outside attackers. Or so the story went.

Then, in 2010, Stuxnet proved that cyberattacks could have a real-world impact on industrial systems. Around that same time — about 12 years ago this month — another industrial control system (ICS)-focused attack, called Operation Aurora, came to light. This was an advanced persistent threat (APT) cyberattack on dozens of high-tech, security and defense companies that helped solidify the new era of cyber threat.

Stuxnet and Operation Aurora, followed quickly by malware like Night Dragon, Duqu and Shamoon, highlighted that industrial control systems were now squarely on the map for threat actors, and that industrial security was the next major battlefield for everyone from nation-state actors to individual hackers looking to sow chaos or make a quick (crypto) buck.

Operation Aurora changes the threat model

If Operation Aurora comes up these days, it’s likely in relation to hackers successfully hitting the holy grail, Google, because the tech giant was the first company to publicly confirm that it was a victim. But this series of cyberattacks — initially believed to be designed to steal trade secrets and source code — impacted 30-plus public and private companies, including Adobe Systems, Yahoo, Symantec, Northrop Grumman and Dow Chemical. The sheer scale and scope of the attack caused Google to review its policies in China and elicited a response from then-Secretary of State Hillary Clinton, who requested China account for its part in the brazen strike.

“We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” said Dmitri Alperovitch, vice president of threat research for McAfee, when disclosing the attack. “It’s totally changing the threat model.”

The attacks began in late 2009 and lasted through the end of that year, but they were first disclosed by Google on Jan. 12, 2010. Google also took the extra step of attributing the attacks to China, something many other companies were reluctant to do because of the impacts it could have on their business with the powerful nation. According to Google’s announcement, this “highly sophisticated” intrusion stole the company’s intellectual property and sought access to Gmail accounts of Chinese human rights activists.

The attacks primarily targeted companies in the technology, defense and financial sectors, and they were likely timed to occur during the holiday season, when companies and defense teams were lightly staffed. In their report on the attacks, McAfee named the cyberattacks Operation Aurora because they claimed this was the name the hackers used for the mission.

According to a Wired article, the name “comes from references in the malware to the name of a file folder named ‘Aurora’ that was on the computer of one of the attackers.”

How was Operation Aurora carried out?

The Operation Aurora hackers were looking for elevated access to gain control of computer systems. They were ultimately able to exploit a zero-day vulnerability in Microsoft Internet Explorer to insert nearly a dozen pieces of malware. They then used multiple layers of encryption to ensure that every level of the attack was covered up.

“The encryption was highly successful in obfuscating the attack and avoiding common detection methods,” Alperovitch said. “We haven’t seen encryption at this level. It was highly sophisticated.”

According to Wired, the attackers initially gained access when company employees visited a malicious website. Once on the site, their Internet Explorer browser stealthily downloaded the various pieces of malware.

Technical evidence — including IP addresses, domain names and malware signatures — shows the Elderwood Group, sometimes known as the Beijing Group, was behind the attack. Elderwood typically targets second-tier defense industry suppliers that make electronic or mechanical components for top defense companies.

The aftermath of the attack

The sophistication of this attack was eye-opening and helped usher in a new era of industrial threat. But what was the purpose of the attacks? That has been debated in the years since.

Many assumed it was simply to steal valuable intellectual property; others said it was a Chinese attempt to spy on human rights activists. But according to a 2013 article in CIO, a publication for enterprise CIOs, Dave Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, believed some of the hackers were “running a counter-intelligence operation probing whether the U.S. government had uncovered the identity of clandestine agents operating in the United States.”

Whatever the motivation, these cyberattacks caught the attention of the world, with governments in Germany, Australia and France quickly issuing public warnings to stay away from Internet Explorer. These strikes also showed that nation-state level attacks were no longer solely the domain of the defense industry or critical infrastructure. Advanced hackers were now coming after everyone, and companies needed to be prepared to defend against them. This new environment would require cooperation from all levels of the organization, from the CISO to the information technology (IT) team to the OT engineers.

In October of 2022, Google even released a six-episode YouTube series documenting the events of Operation Aurora. Clearly, they’re still trying to prove they’ve taken the appropriate measures to ensure another Operation Aurora never hits them again.



