Operation Aurora, Part 2

Google, it turned out, was only one of 35 major US corporations hit in Aurora. Was it an espionage campaign, or could it be that it all began with one top-ranking Chinese official who googled his own name - and wasn't happy with the search results?...

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 12 million downloads as of Oct. 2018.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Google blog, January 12th, 2010.

“Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.”

Hi, I’m Ran Levi and you’re listening to Malicious Life. In our previous episode, we learned how hackers – probably associated with the Chinese government – exploited a zero-day bug in Microsoft’s Internet Explorer browser to infiltrate Google’s internal network via a maliciously crafted link. After establishing the probable attribution of Operation Aurora, we tried to decipher the motive behind the attack. One potential motive was Google’s intentional or unintentional attempts at bypassing the Chinese censorship, which imposed strict limits on the company’s culture of supporting free and open information sharing. But as I hinted at the end of the last episode, this Culture Clash was only part of the picture.

Other Companies Hacked

News that Google was hacked would’ve been enough excitement for one day. But it was another revelation, later in the same blog post, that surprised everyone. Quote:

“These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China.”

The Google.cn project, a major step for the company just a half decade in the making, now looked like it would be scrapped. Why such a harsh and dramatic response? The reason began to unravel only hours after Google’s post went live, when Adobe revealed that they, too, had been breached. Soon came the mudslide. Lockheed Martin, Yahoo, Symantec, Northrop Grumman, Dow Chemical, Morgan Stanley. In total, 35 of America’s largest companies had been linked to the same attack.

So by this point, two things were clear. Number one: this was not just a Google problem. Number two: if this was a big problem before, now it was a big, big, big problem. A large-scale cyber affront had been conducted by a significant power, against elite American corporations, and by all accounts, it succeeded. What those hackers got their hands on was much more than Google had ever let on.

Source Code Management Systems

It’s difficult to quantify just how vital source code is to a digital company. For Google, Yahoo, Adobe, it’s the bedrock for everything.

What’s hard to believe, with this in mind, is how easy it was for Aurora’s hackers to break into the source code databases of these 35 major companies. A McAfee white paper published three months after the attacks did not name which of the 35 companies it had investigated, but what it found was the widespread use of almost totally unsecured SCMs–source code management systems. In particular, many of the companies–indeed, many of the top 1,000 companies in America–were using the same SCM, provided by a California-based company called Perforce. According to the report, Perforce isn’t necessarily less secure than its competitors. But that’s only because the bar was so low.

The holes in Perforce’s SCM were big and plentiful. Some were, perhaps, understandable. Consider: developers who like to work on their personal computers will often copy shared code, work on it locally, and then paste back their updated version. It’s convenient to do so. You can work from home this way, or from a coffee shop. But giving full access to source code databases to individuals–whose computers may not be subject to the same scrutiny as corporate databases typically are–opens up new attack paths.

Think of it like having a vault full of money, and giving the combination to everyone who works at the bank. Not every teller will protect that information perfectly well, so it’s not smart for them all to have the same, highest-level access to that money. Perforce’s default configuration did not protect against the untrained employee. That meant that, instead of having to break into the heart of all these major American corporations, the Aurora hackers could have achieved the same effect, simply by spear phishing individual employees.

Other holes in the Perforce software are even less easily justified than that. One: any unauthenticated user could create an account without first needing a password. Two: it ran, by default, as a system-level process, lending its users the highest-level root privileges on host systems. Nowhere in the documentation for Perforce for Windows was there any indication that running as root might be dangerous. Three: it stored all of its data in cleartext, and communicated all data between endpoints and their servers without encryption. So any packet sniffer, or man-in-the-middle attack, would allow a hacker to read highly sensitive data–source code, user activity, login credentials–as easily as they could an article on Yahoo.com. Or they could intercept and modify it in transit.
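The configuration weaknesses above boil down to defaults that hand everyone the vault combination. As an added example (not code from the episode, from McAfee’s paper or from Perforce), here is a small auditor that reads a Perforce-style protections table and flags the grants a least-privilege review would question: write access for every user, write access to the whole depot, and administrative access from any host. The five-field entry layout, the leading-dash exclusion convention and both sample tables are assumptions constructed for illustration.

```python
"""Flag overly broad grants in a Perforce-style protections table.

Added example, not code from the podcast, McAfee or Perforce. Assumes the
`p4 protect` layout: five fields per entry (mode, user|group, name, host,
depot path); a path starting with '-' revokes rather than grants. The sample
tables are constructed for illustration.
"""
from collections import namedtuple

Protection = namedtuple("Protection", "mode kind name host path")
PRIVILEGED = {"write", "admin", "super", "owner"}  # can alter code or config
ADMIN = {"admin", "super"}                          # can reconfigure the server

def parse_protections(text: str) -> list[Protection]:
    """Parse entries, skipping the 'Protections:' header, comments and blanks."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Protections:"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed protection entry: {raw!r}")
        rows.append(Protection(*parts))
    return rows

def audit(text: str) -> list[str]:
    """One finding per entry that hands out far more access than a job needs."""
    findings = []
    for n, p in enumerate(parse_protections(text), 1):
        if p.path.startswith("-"):      # exclusions only narrow access
            continue
        if p.name == "*" and p.mode in PRIVILEGED:
            findings.append(f"entry {n}: '{p.mode}' on {p.path} for every user")
        elif p.mode == "write" and p.path == "//...":
            findings.append(f"entry {n}: {p.kind} {p.name} may write the whole depot")
        if p.mode in ADMIN and p.host == "*":
            findings.append(f"entry {n}: '{p.mode}' for {p.name} from any host")
    return findings

# Constructed: everyone can write everything; admin allowed from any host.
LOOSE_TABLE = """Protections:
    write user * * //...
    super user admin * //...
    write group proj-devs * //depot/proj/...
    read user * * -//depot/secret/...
"""
# Constructed: read-only by default, write scoped per project, admin pinned to a range.
SCOPED_TABLE = """Protections:
    list user * * //...
    write group proj-devs * //depot/proj/...
    super user admin 10.0.5.* //...
    read user * * -//depot/secret/...
"""
```

Running `audit(LOOSE_TABLE)` reports two findings while `audit(SCOPED_TABLE)` reports none; the scoped table is the shape a spear-phished developer account should land in.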

In total, McAfee identified fourteen major categories of vulnerabilities in Perforce (I could list them all, but your car ride to work is only so long…). With help from even just one or two of these many security holes, Chinese hackers were able to siphon off significant proprietary code from those 35 major companies. We don’t actually know what they took, or what they ended up using it for, but the possibilities are staggering. They could’ve used it to copy what American companies owned, for Chinese companies to use. The military could’ve used state-of-the-art technologies taken from companies such as Lockheed Martin and Northrop Grumman. Stolen software could’ve been examined to determine previously unknown zero-day vulnerabilities, useful in targeting end users of such products in the future.

And on top of simply taking it, the hackers also could have, in theory, modified existing code in order to proactively create their own exploits in those companies’ software. Like a construction worker building their own secret backdoor to a bank vault. McAfee could not determine whether this actually occurred: doing so would have required the affected companies to diligently cross-reference their existing code with pre-Aurora versions, while accounting for all the legitimate modifications made in the meantime.

And that wasn’t all: another piece of evidence sent the FBI and Google into a months-long battle. What Google had failed to disclose, from the beginning, is that the hackers also managed to break into servers containing many years’ worth of highly sensitive information on U.S. surveillance targets. American government officials who spoke to the Washington Post noted that this data would be useful to the Chinese military, to determine which of their spies had been compromised. Dave Aucsmith, a senior director at Microsoft at the time, found the same motives associated with his company’s hack.

And yet, neither the U.S. government, nor Google, or any of the other hacked companies would outright name the Chinese government as their attackers. In fact, amid talk of human rights abuses and caps on freedom of information, the author of the instigating Google blog post went out of their way to praise the Chinese government. Take, for instance, this paragraph:

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech. In the last two decades, China’s economic reform programs and its citizens’ entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

Isn’t that a strange combination of sentences? Like telling a bully “I don’t like that you punched me in the face, but I loved your technique.” Just about everybody involved in Aurora did this same tightrope act, insinuating without blaming. And so, without any smoking gun evidence, that’s where things stood. For a while.

A Personal Vendetta

By late 2010, as new evidence in the case slowed to a halt, the story of Operation Aurora fizzled out. Whatever was stolen was replaced. Whoever had stolen it had gotten away with their crimes.

Months passed. And then, beginning on November 28th, 2010, hundreds of thousands of U.S. State Department cables obtained by Chelsea Manning (then, Bradley Manning) were released through Julian Assange’s Wikileaks, then published, with names redacted, for the public. They suggested that the entire affair–all 35 hacks, billions in damages, trade secrets and more–originated with a single, high-ranking politician who didn’t like the result of his Google search. Quote:

Politburo Standing Committee member X recently discovered that Google’s worldwide site is uncensored, and is capable of Chinese language searches and search results. X allegedly entered his own name and found results critical of him. He also noticed the link from google.cn’s homepage to google.com, which X reportedly believes is an “illegal site.” X asked three ministries (note: most likely the Ministry of Industry and Information Industry, State Council Information Office, and Public Security Bureau.) to write a report about Google and demand that the company cease its “illegal activities,” which include linking to google.com.

According to U.S. State Department informants, this Chinese official, frustrated that a negative search result about himself could so easily be reached through Google’s Chinese site, discussed how to censor with other members of the Communist party. Representatives of the party told Google to remove the link to its uncensored, worldwide site from its Chinese home page. Google refused to do so. In response, the Chinese forced three of their major, state-owned telecommunications entities to not do any further business with the company, and initiated the first mass-scale, international, state-sponsored cyber heist in history.

In other words, it could be that although the struggle over cultural and political hegemony in China hangs over the story of Aurora like a dark shadow – it didn’t drive the actions of those involved. It didn’t drive Google to enter China, it didn’t drive China to push them out. As we saw, it’s probably also a part of a much larger business and/or military espionage campaign – and maybe even a sort of personal vendetta by an angry Politburo member. And even that is still not the whole picture.

Firstly, Baidu – China’s primary internet search provider – had a vested interest in seeing Google off. Even if Baidu had double Google’s market share, 30 percent of China’s 800 million internet users is still quite a lot for a company new to the market, without state backing. From the beginning, what Google represented posed a direct threat to what Baidu has always been. From the Cablegate memos, quote:

“The problem the censors were facing, however, was that Google’s demand to deliver uncensored search results was very difficult to spin as an attack on China, and the entire episode had made Google more interesting and attractive to Chinese Internet users. All of a sudden, X continued, Baidu looked like a boring state-owned enterprise while Google “seems very attractive, like the forbidden fruit.”

It’s possible that Baidu, in order to re-institute their monopoly, conspired with the government to oust their largest rivals. Another Cablegate memo, referencing an American informant in the country, reads, quote: “[the agent learned] that […] Politburo Standing Committee member X was working actively with Chinese Internet search giant Baidu against Google’s interests in China.”

“A Vanguard of an American Political Chess”

The day after Google’s blog post was released, in the early morning, bouquets of flowers were laid at the logo outside Google’s headquarters in Tsinghua Science Park, Beijing. Some of the flowers came with heartfelt notes. “Thank you for holding values over profits!” one read. “Google, the mountains can’t stop [us], and we’ll get over the wall to find you!”

As Google’s fans mourned the loss, Google employees worried not just for their jobs but their safety. Some had already been interrogated by the government. There was no stopping more interrogations, or even unlawful arrest and imprisonment.

Meanwhile, their government began a concerted effort to drive an unsympathetic narrative. From the leaked Cablegate memos, quote: “The immediate strategy, X said, seemed to be to appeal to Chinese nationalism by accusing Google and the U.S. government of working together to force China to accept “Western values” and undermine China’s rule of law.” End quote. It’s unclear whether this was a manufactured narrative, or the real belief of officials who assumed Google shared the same relationship with its home country as Baidu did with its own.

Chinese newspapers claimed that Google’s decision was mired in corporate failures and American political interests. The state-sponsored People’s Daily called the company a “spoiled child”. Another wrote, quote: “Government regulation is the international norm, so Google’s display is really just an affectation.” Another said, quote: “a lot of people welcomed the news, especially those Web users who think Google is not an entirely commercial entity, but is, rather, closely related to the government. As one person put it: ‘It calls itself a commercial firm but it has always been the vanguard of an American political chess.’”

Google’s fight was about opening China to free information. When the government pushed for censorship, they pushed back. By shielding Gmail, and their other data-storing applications from their Chinese business, they prevented government intrusion into private user accounts. Even being in the country in the first place was a defiant step towards freedom.

Except most Chinese people, frankly, didn’t care.

At its height, in mid-2009, Google held just over a 30 percent market share–half that of their censored, state-sponsored competitor Baidu. Most of their base were tech-savvy, democracy-leaning, already using circumvention technologies to get around the Great Firewall before 2006. The rest of China: well, they were fine with the status quo. A survey conducted by Sina Weibo showed that four of every five Chinese citizens didn’t think Google’s departure from China would hurt the country’s IT industry. Isaac Mao, an expert on the internet in China, told CNN, quote: “You have two categories of Internet users in China. One strongly supports that Google is either staying here without censorship or pulling out of China to keep neutral and independent. But another layer, maybe 90 percent of Internet users in China, they don’t care whether Google leaves or not.”

So if most Chinese people didn’t feel strongly about Google or their pro-democracy stance, even three or four years in, what was Google actually accomplishing in China?

We know, inherently, that Google.cn was a profit-making venture, not a moral act. What if they looked at the numbers, the constant government pressure, the costs associated with complying, the negative press they were receiving worldwide for compromising on their supposed values, and decided it didn’t add up? An incident like Aurora is the perfect cover: a way to go out defiantly, fashioning a bottom-line decision as a moral stance.

Perhaps this is a cynical view. Perhaps, with a story so expansive as this, without all the evidence we’d need, it really is up to you to decide what’s real and what isn’t, what’s true about the characters of this play and what’s simply the posturing of powerful men with selfish intent. Before you make up your mind, though, let me finish the story…

“Don’t Be Evil”

As we come to an end here, we return to January 12th of 2010, the day it all began. Not long after their initial announcement, in an act of defiance, all Google.cn queries were directed through their non-censored Hong Kong search engine, Google.hk. On March 30th, all Google sites were placed behind China’s Great Firewall, and any attempt to use them would result in a DNS error. This, effectively, ended Google China. By 2013, the company retained a national market share below two percent.

And this is how it remained. At least…until last year, when The Intercept revealed a secret Google project: to re-establish a fully censored version of their search engine for use in China. Code named “Dragonfly”, the project began in Spring 2017, accelerated in 2018, and was set for release in 2019. Only select employees were told about Dragonfly, and made to sign nondisclosure agreements. Over two years, company executives, including CEO Sundar Pichai, met with high-ranking Chinese officials. The new Google China would follow all the rules: no pornography, no Tiananmen Square, no George Orwell. A demo app for Android was developed, and submitted for approval by the government. All behind closed doors.

When protests flared in response to the news of Dragonfly, employees and other protesters were quick to remind Google of their longtime, unofficial slogan–a phrase coined in their code of conduct, ingrained in their mythos. The slogan is: “don’t be evil”, and it was cited in the preface to Google’s Code of Conduct.

In July 2019, Google terminated Dragonfly, at least for now. A year earlier, in Spring 2018, it had quietly removed the phrase “don’t be evil” from the preface of its code of conduct. It’s still there, but now only mentioned in passing, in the very last line of the document.