Researchers: Google Aurora Attackers Back in Business?

Just when you thought it was safe to go back in your e-mail… Researchers say a new round of targeted attacks appears to come from the same group responsible for attacks against Google and other top U.S. firms.


Security researchers say that a new wave of attacks suggests that the malicious hackers behind a security compromise at Google and a number of other prestigious U.S. firms are back in business, this time using an unpatched security flaw in Adobe’s PDF (Portable Document Format) Reader application. 

Writing on the Symantec Security blog, researcher Karthik Selvaraj said that evidence collected on a new round of targeted attacks shares many of the same fingerprints as the so-called Aurora attacks in late 2009 (https://threatpost.com/inside-aurora-google-attack-malware-011910/). Symantec believes the two attacks to be of the same origin.

The latest attacks appear to date back at least to the beginning of this month, when researchers say they began seeing attacks that exploited the recent Adobe zero-day vulnerability in PDF Reader and relied on social engineering, in particular specially crafted e-mail messages that contained a malicious PDF file attachment. Adobe warned last week about attacks in the wild that used a new zero-day flaw in the PDF Reader and Acrobat software (https://threatpost.com/new-adobe-pdf-zero-day-flaw-under-attack-090810/).

Writing for Symantec, Selvaraj noted that the wording of the e-mail messages was very similar to those associated with the Aurora attacks. The PDFs used in the attack were unlike others leveraging the zero-day flaw that had been found in the wild, and all traced back to a single computer in Shandong Province, China. Furthermore, malicious components downloaded as part of the attack were similar or identical for each of the PDFs traced to the computer in Shandong Province, Symantec said.

Screenshots of e-mail messages used in the attacks, posted on the Symantec blog, show solicitations for interviews with “Chinese experts” who can “comment on the Six-Party Talks,” and a request for an interview with an expert on “the latest human rights and North Korean politics.”

Analysis of the malware used in the Aurora attacks pointed to China (https://threatpost.com/aurora-attack-malware-components-may-be-four-years-old-012010/) as the source of the attacks. And, in February 2010, media reports (anonymously) linked two schools in Shandong Province to the Google Aurora attacks. Security researchers have theorized that the Chinese government may be behind the Aurora attacks, or tacitly complicit with them, as it looks to gain access to sensitive intellectual property and insight into the actions and intentions of foreign governments and of domestic groups that it considers a threat to the governing Communist Party.

The attacks have already prompted much soul searching on the part of Google and the U.S. Government, which has raised the alarm (https://threatpost.com/thumb-drive-attack-2008-compromised-classified-us-networks-082610/) about the dangers posed by state-sponsored actors and so-called “Advanced Persistent Threats,” and set up a Cyber Command to centralize cyber defensive and offensive capabilities across the military.
