Anonymous sources claim discovery of Aurora Malware author
by Steve Ragan - Feb 22 2010, 14:00
Despite what seems to be a break in the Operation Aurora case, questions remain after a report in the Financial Times claiming that the person responsible for the development of at least some of the Malware code used in the attacks on Google and several others has been located.
The Financial Times ran a story early Monday morning that said U.S. researchers are closing in on the author who developed the Malware used against Google and at least twenty other companies. The attacks, dubbed Operation Aurora by McAfee and the media, initially placed the blame on China, but further analysis leaves those claims thin.
Now it is said that U.S. researchers have discovered the Chinese author of the Malware used in Aurora, a development that the Financial Times says will make it “harder for the Chinese government to deny involvement.”
The story references remarks given to the Financial Times by an unnamed researcher working for the U.S. government, and says that a freelance security consultant in his 30s wrote part of the Aurora Malware.
According to their unnamed source, the consultant posted his code to a known hacking forum, and as a result, Chinese officials had access to it. The story also cited the unnamed researchers as saying that the man who wrote code to take advantage of the browser flaw is not a full-time government worker. In addition, he did not launch the attack, and preferred it not be used in such offensive efforts. Considering he posted snippets of his work-in-progress to a forum known to be related to malicious research, his expectations seem to be a little off.
The Malware exploited the now infamous Internet Explorer flaw, and as a result allowed remote access into systems operated by Google and several others, resulting in unknown losses, which are said to include intellectual property. In addition, the attacks were also said to have targeted human rights activists located in China and abroad.
The Financial Times’ report also makes mention of the two schools allegedly connected to the Aurora attacks. First reported by The New York Times, another set of unnamed sources said that the Shanghai Jiaotong University and the Lanxiang Vocational School in Shandong Province are being implicated in the attacks on Google earlier this year. Both schools have accused The New York Times of embellishing the story, calling their claims false.
In the case of both stories, there is plenty to debate. At the same time, there is nothing solid in the way of evidence. While anonymous sources can be reliable, they usually come with some solid proof so that they can still back their claims without lending their name to them. Neither of the stories surrounding the latest development has these aspects.
In the Financial Times’ story, there is no proof that the code discovered isn’t the same code already rumored to have been circulating long before the Aurora attacks took place. Microsoft admitted that the flaw exploited was disclosed to them long before it was used against Google. Moreover, just because the Chinese government had access to the forum where the code was posted, does not prove they used it to launch an attack.
It has to be considered that while those who attacked Google and the others deserve to be punished, it is all but impossible to pin the blame solely on the Chinese government. The more likely case is twofold.
The attacks were launched by a person or group within China, who were acting on their own. The information harvested is valuable, whether it is sold to the government or on the open market. That alone is reason for attack.
The other option is that the attack came from outside China, but thanks to lackluster policy and law, the attackers used BNC services along with dynamic hosting to plant blame on China, since its stance on monitoring its own people as well as foreigners is well established. In essence, China is the perfect patsy for the crime.
No matter what, the whole China and Digital Cold War problem is in the political arena, and because of that, anything that will make either government look good is going to make the news.
Since the attacks were made public, there have been speeches, legislation, and plenty of media spin. On top of that, in the IT world, there has been a boom in sales pitches using the attacks as a platform to move product. Yet, over a month has passed since the initial attacks and we are nowhere closer to proving who pulled off the network intrusions and laced the companies with Malware.
At the same time, if such evidence exists, then why hide it? If there is solid proof detailing the methodology, tactics, and motive, as well as the perpetrator of the attack itself, then there is valuable insight and data to be gained from it, and you can’t get that with anonymous sources.
With that in mind, the alleged discovery of the author behind the Malware used in Aurora should be taken with a large grain of salt.