Report: Aurora attack was tested last summer

Latest report on attacks targeting Google and others calls it just another "old school" botnet.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

The attacks on Google and others late last year weren't as sophisticated as initially believed and appear to have cropped up last summer, according to a report to be released Tuesday by security firm Damballa.

Damballa is just the latest company to analyze the attacks and offer an opinion. McAfee dubbed the attacks "Operation Aurora" and said they were highly complex and advanced.

"While 'Aurora' was a very damaging attack that breached some of the most sophisticated networks in the world, it is a 'garden variety' botnet and can be traced back to July 2009, when the criminal operators first began testing," Damballa said in a release.

Damballa analyzed the command-and-control activity used in the attacks, whereby compromised PCs receive instructions from outside servers, allowing them to be remotely controlled.

While the techniques used in the attack are "old school," according to Damballa, the scope of the attack--targeting so many high-profile companies simultaneously--is significant. In addition to Google, Adobe Systems, Juniper Networks, and Rackspace have confirmed that they were targeted, while sources and reports have said Yahoo, Symantec, Northrop Grumman and Dow Chemical were among the more than 30 targets.

Google disclosed the attack on its network in January and said intellectual property had been stolen the month before. It also said Gmail users who are human rights activists had been targeted separately, and that, as a result, it would stop censoring its China Web results and might pull out of the country entirely. China has denied any involvement in the attacks.

Other reports have found links to China, though no one has outright accused the Chinese government of being behind the attacks.

"Damballa does not have firsthand knowledge of our investigation," a Google representative said in an e-mail. "Beyond that, we are not going to comment on our ongoing investigation. We stand behind our original statement."

The Damballa report said a university in China and a Chinese collocation facility were "critical early incubators of the infection," the attacks originated from a Chinese botnet operations team, and portions of the infection originated from within Google China's offices.

The report also concluded that the attack can be traced back to last July with what appears to be the first testing of the botnet by its operators. In addition, the botnet appears to have made use of e-mail services to extract stolen data from breached organizations and there is evidence that there were multiple operators involved, Damballa found.

Updated at 9:00 a.m. March 2 with comment from Google.

Corrected at 7:00 a.m. March 8 to remove reference to the Rand Corporation being a target in the attacks.