Operation Aurora

In early 2010, the well-known computer and software security company McAfee identified a significant vulnerability in Microsoft’s Internet Explorer as a key vector in what it called “Operation Aurora,” a targeted malware attack. The cyber-attacks that came out of this vulnerability managed to hit Google, as well as over 30 other companies in an extremely high-profile, multi-staged and concentrated effort to hack into specific computer systems in order to obtain intellectual property.

What happened?

McAfee Labs’ investigation revealed that one of the malware samples involved in the Operation Aurora attacks exploited a vulnerability in Microsoft’s Internet Explorer. The attackers were able to access an organization though tailored malware attacks to one or more targeted individuals. These individuals were most likely targeted because of their level of access to valuable intellectual property.

Once they downloaded an installed the malware, it opens a backdoor which enabled the attackers to perform reconnaissance and eventually gain complete control over their systems. At this point, the attack was able to identify high value targets and access more valuable company data.

According to McAfee Labs:

“While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time.”

In response…

In response, Microsoft published a security bulletin and patch to correct the vulnerability. According to Microsoft, the zero-day vulnerability in IE affects versions 6, 7, and 8. However, the majority of attacks in the field have been through IE 6. Since the discovery of Operation Aurora, a number of other copycat attacks have also attempted to exploit the same vulnerability. Microsoft’s critical patch should keep systems safe from Operation Aurora attacks, and any other copycat attacks.

Since Operation Aurora was designed to specifically target IE users, both the French and German governments encouraged web users to switch browsers. The French government’s advisory was concerned that businesses and government departments might be at risk from attacks similar to the ones that were associated with Operation Aurora. Security experts were concerned that changing a company’s default browser as a quick fix response could cause even more problems, as switching browsers might break web-based applications, or cause usability issues.

Who was responsible?

After Operation Aurora surfaced, a barrage of questions came up regarding who was responsible. After the initial internal investigations at Google, the responsibility was placed on China. Continued malware analysis from several independent security researchers also supported this idea. Despite the frenzy to place blame, however, the evidence could not substantiate that it was the Chinese government that condoned or ordered the attacks.

Security researchers dug up some interesting information on Peng Yong, owner of ‘’, a dynamic DNS service that was used by criminals to give malware a location on the web to reach out to, in order to receive additional payloads or instructions. Researchers found that the domain, along with Yong’s and has been linked to the Aurora malware. However, Aurora investigators had not mentioned Yong or the domains his is linked to, other than mentioning that the malware was making calls to them.

Why ‘Aurora’?

Based on McAfee’s analysis, Aurora was part of the filepath on the attacker’s machine that was included in two of the malware binaries that have since been associated with the attack. The filepath is typically inserted by code compilers to indicate where debug symbols and source code are located on the developer’s machine. McAfee believes the name was the internal name given by the attacker(s) to this particular operation.

Operation Aurora is just one of many recent highly customized attacks referred as advanced persistent threats (APT).


In early 2010, McAfee Labs revealed information on Operation Aurora, which involved high-profile attacks on Google and at least 30 other companies around the world. The malware samples involved in the Operation Aurora attacks exploited a vulnerability in Microsoft’s Internet Explorer. The attackers were able to access an organization though tailored malware attacks to one or more targeted individuals.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Unplanned Data Disclosure (I.B.g.)
  • Security Safeguards (I.G.e.)
  • Privacy Concerns – System Monitoring (II.A.l.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>