In response to a Freedom of Information Act request for information about the Operation Aurora attack on Google and other organizations in 2009, the Department of Homeland Security released hundreds of pages of documents related not to that attack campaign, but to the Aurora project run at Idaho National Lab years earlier, in which engineers destroyed a generator with a cyber attack as a demonstration.
The FOIA request from the staff at MuckRock was sent in May and asked for any documents that DHS had on Operation Aurora, a string of attacks against Google, Adobe and other high-profile companies that Google later detailed publicly. The attacks were among the first targeted attacks against large organizations to be acknowledged publicly, and other companies have since followed suit. MuckRock requested anything that DHS possessed about the attacks.
“I seek to obtain copies of material in the possession of the United States Department of Homeland Security – whether it be physical hard-copy, electronic format or another applicable format – which describes, cites, identifies, depicts or is particular to Operation Aurora or Elderwood Group, or other substantive documented correspondence describing, or specific to, the aforementioned subject, dated 1 June 2009 through 1 January 2012,” the MuckRock request says.
“Operation Aurora consisted of coordinated Internet-based malicious activities and associated behavior against identified targets utilizing specialized malicious software. Targets cited in material and identified in media outlet articles describing Operation Aurora include Adobe Systems, Northrop Grumman, Juniper Networks and Rackspace.”
Rather than responding with the requested documents, or a letter saying none were found, DHS replied on July 1, enclosing more than 800 pages of documents related to the Control Systems Security Program at DHS. The documents consist of slide decks with background on cyber threats and attacks, including the Mariposa botnet and Stuxnet, and page after page of internal weekly summary reports. There also are mitigation timelines for the Aurora project.
Perry Pederson, who was director of the CSSP at DHS at the time the test was conducted in 2007, said in a blog post that the documents illustrate the difficulty and challenge of the test.
“Set aside for the moment the vulnerability itself and you’ll see in these documents a massive effort to apply the public/private partnership model to a real problem. Many U.S. Government agencies were briefed as well as public entities. DHS worked through the North American Electric Reliability Corporation (NERC) and the Nuclear Energy Institute (NEI) in an effort to reach potential targets of Aurora type attacks,” Pederson wrote.
“The one thing that may not be so clear in the released documents is the basic engineering that went into assessing the vulnerability in the first place. Yes, the ‘hack’ was fairly trivial when you have the necessary engineering background and access to substation equipment, but discovering the Aurora vulnerability took a lot of work by a dedicated team of talented engineers.”
The Idaho National Lab test created a huge stir in the security community and the industrial control and SCADA worlds at the time. The video of the generator shaking and smoking was posted across the Web and shown on CNN for days.