Was Operation Aurora really just a conventional attack?
by Steve Ragan - Jan 27 2010, 23:30
Operation Aurora, the moniker given to the attacks on Google and several others, has developed into a security nightmare and political chess game. With so many questions left unanswered, there is still no clear proof that Aurora was a government attack. In truth, public information points not to a sanctioned attack by the Chinese government, but to Malware kits and criminals keeping with tradition.
There are a lot of questions surrounding the Aurora attacks. From the very start, after internal investigations at Google, the blame was quickly placed on China. Further Malware analysis from several independent security researchers supported this theory. Yet, despite all the research and news, the evidence simply cannot support the claim that China’s government condoned or ordered the attacks.
The Tech Herald, working alongside private security analyst Michael Felch, dove into the public information surrounding Aurora, looking for something other than code samples and domain names as proof that China’s government attacked U.S. businesses. What we found wasn’t evidence of a government attack, but something far less sinister -- namely, common cybercriminals doing what they do best.
Peng Yong and Aurora
The name Peng Yong surfaced several times during background research. Yong is an interesting person when you place him in context with cybercrime. In 2008, he was linked by way of domain and IP registrations to a series of attacks on foreign and U.S. government entities. According to a BusinessWeek report, Yong owned the domain '3322.org', a dynamic DNS service that was later used by criminals to give Malware a location on the Web to reach out to in order to receive additional payloads or instructions.
If the 3322.org domain rings a bell, that’s because it, along with Yong’s '8866.org' and '2288.org', has been linked to the Malware from Aurora -- also known as Hydraq, the name given to the Trojan used during the Aurora attacks. Similar domains owned by Yong, such as '9966.org' and '8800.org', were listed as domains to block by CERT in a 2008 report in order to protect private sector networks from Spear-Phishing attacks.
Personal details, professional information, and an email address also link Peng Yong to demonstrated knowledge of memory allocation and error checking on microcontrollers. This is important if you consider the nature of the 16-bit CRC algorithm discovered by Joe Stewart.
When examining the code for Hydraq, Stewart noted that he found a CRC (cyclic redundancy check) algorithm that is virtually unknown outside of China.
“Perhaps the most interesting aspect of this source code sample is that it is of Chinese origin, released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers,” noted Stewart, concluding that, in his opinion, “the use of this unique CRC implementation in Hydraq is evidence that someone from within the PRC authored the Aurora codebase.”
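To make the kind of code Stewart is describing concrete, here is an added illustration of a table-driven CRC-16 optimised for microcontrollers: a 16-entry nibble table in place of the usual 256-entry byte table. This is a generic CRC-16 (polynomial 0x1021, initial value 0) written for this article, not the Hydraq code or the table from the Chinese paper; a bit-at-a-time reference is included so the table version can be checked.

```python
# Added example: nibble-table CRC-16, the small-footprint variant used on
# microcontrollers with little ROM/RAM. Generic polynomial 0x1021, init 0;
# this is NOT the table or code recovered from Hydraq.
POLY = 0x1021


def build_nibble_table(poly=POLY):
    """16-entry table: the CRC contribution of each possible 4-bit value.

    A byte-wise table needs 256 16-bit entries (512 bytes); the nibble
    table needs 16 entries (32 bytes) at the cost of two lookups per byte.
    """
    table = []
    for nib in range(16):
        crc = nib << 12                      # place the nibble in the top 4 bits
        for _ in range(4):                   # shift out those 4 bits
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
        table.append(crc)
    return table


TABLE = build_nibble_table()


def crc16_nibble(data: bytes, init: int = 0) -> int:
    """CRC-16 computed 4 bits at a time using the 16-entry table."""
    crc = init
    for b in data:
        crc = ((crc << 4) & 0xFFFF) ^ TABLE[((crc >> 12) ^ (b >> 4)) & 0xF]   # high nibble
        crc = ((crc << 4) & 0xFFFF) ^ TABLE[((crc >> 12) ^ (b & 0xF)) & 0xF]  # low nibble
    return crc


def crc16_bitwise(data: bytes, init: int = 0) -> int:
    """Plain bit-at-a-time reference implementation of the same CRC."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc
```

Both functions return 0x31C3 for the input b"123456789", the published check value for this parameter set; the point for attribution is that any two programs built from the same published optimisation will share this table, regardless of who wrote them.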
When BusinessWeek asked Yong how he deals with malicious acts on his services by others, he commented that: “Normally, we take care of these problems by shutting them down. Because our laws do not have an extremely clear method to handle this problem, sometimes we are helpless to stop their services.”
As Yong told BusinessWeek, he is not responsible for what his customers use the domains for. He is correct and, until proven otherwise, he must be assumed completely innocent. It wouldn’t be fair to blame him for the actions of others. Still, the past links to cybercrime incidents and his professional knowledge are compelling.
So the question is what role does Yong play? Is he a victim here because his services are being used by criminals, or is he simply looking the other way?
Digging deeper and knowing how Yong ties into all of this would help narrow down the list of suspects. How hard would it have been to track the offending domains back to Yong and obtain the legal documents needed to check logs and customer records?
Considering that a few searches turn up Yong's name rather quickly, why hasn’t anyone else done this, and if they have, where is the information?
During the course of our research, The Tech Herald spoke with Dmitri Alperovitch, the vice president of threat research at security vendor McAfee. We asked about Yong, and mentioned who he was in relation to 8866.org. Alperovitch said McAfee had not been in contact with him, and made no mention that the security provider was aware of any contact with Yong by anyone else in the industry.
To date, the main basis for the accusations is a list of domains, some of them Chinese, and the CRC code. That’s all. Nothing made public so far offers solid evidence of a state-sponsored attack by the People’s Republic of China.
However, when you look at the other domains noted in the Aurora research, as well as the attacks that came later using similar Malware alongside the Internet Explorer vulnerability, the cast of suspects grows to enormous proportions.
Common cybercriminals use dynamic DNS too
When the other Aurora-related domains are examined, the one pattern that sticks out is the use of Dynamic DNS services. The domains 'homelinux.org' and 'homeunix.com' for example, both running on Dyn Inc’s DynDNS network, were used several times during the Aurora incident.
The use of dynamic services is important to note, because criminals use them all the time. Furthermore, the records change rapidly, so without quick incident response, the IP addresses behind those dynamic names can evaporate into thin air.
Criminals use dynamic DNS services because they are affordable and fast. There is little effort needed to manage one, and if it is dropped, there is no real loss. In the past, attacks have been carried out using these types of services ranging from Spam to Phishing. Botnet owners will use dynamic DNS for C&C (Command and Control) operations, and, as seen in the attacks on Google and the others, they can be used to hide as well.
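The practical defender's response to the two points above (dynamic DNS is a common criminal staple, and the addresses behind it churn quickly) is to watch resolver logs for lookups under known dynamic DNS zones and to record the answer at the time of the lookup. The following is an added example written for this article, not code from any of the vendors or researchers named in it; the log format and all hostnames and addresses in it are constructed, and the zone watchlist is simply the domains the article mentions.

```python
import re
from collections import Counter

# Constructed sample resolver log (hypothetical format: "time client qname answer").
# Hostnames and answer addresses are made up for this example.
SAMPLE_LOG = """\
2010-01-12T09:14:02 10.0.5.21 update.microsoft.com 192.0.2.10
2010-01-12T09:14:07 10.0.5.21 host-a.homelinux.org 192.0.2.55
2010-01-12T09:14:09 10.0.5.44 mail.example.org 192.0.2.20
2010-01-12T09:15:31 10.0.5.21 host-b.homeunix.com 192.0.2.56
2010-01-12T09:16:02 10.0.5.87 host-c.3322.org 192.0.2.77
2010-01-12T09:16:05 10.0.5.87 host-d.8866.org 192.0.2.78
"""

# Dynamic DNS parent zones named in the article. A real watchlist should come
# from curated threat intelligence; these zones also have many legitimate
# users, so a hit is a lead to investigate, not a verdict.
WATCHED_ZONES = {
    "3322.org", "8866.org", "2288.org", "9966.org", "8800.org",
    "homelinux.org", "homeunix.com",
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parent_zone(qname, labels=2):
    """Last `labels` labels of a name: host-a.homelinux.org -> homelinux.org.
    (Two labels suit the zones above; zones like example.co.uk need three.)"""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def find_watched_queries(log_text, zones=WATCHED_ZONES):
    """Return (time, client, qname, answer) for each query under a watched zone.

    The answer address is kept deliberately: dynamic records churn, so the IP
    seen at query time may be the only copy an investigator ever gets.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        when, client, qname, answer = m.groups()
        if parent_zone(qname) in zones:
            hits.append((when, client, qname, answer))
    return hits


def clients_by_hits(hits):
    """Count watched-zone lookups per internal client, for triage ordering."""
    return Counter(client for _, client, _, _ in hits)
```

On the constructed log this flags four lookups from two internal clients and keeps the resolved addresses alongside them, which is exactly the evidence a provider like Dyn Inc. says it needs before acting on an abuse report.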
Looking back to the public information available on the Aurora incident, there is no mention of any attempt to track down the person or persons who registered the dynamic domains and used them during the attack.
Dyn Inc. has a strict policy against malicious usage of its network, and a clear path to abuse notifications. With that in mind, we asked Dyn Inc. whether it was contacted in relation to the Aurora investigation.
It confirmed that it is part of the investigation, and is currently working with law enforcement, the affected companies, and security vendors. When it comes to abuse, Dyn Inc. also confirmed that it has “one of the most responsive abuse departments you're going to find anywhere in the world.”
Moreover, when it comes to attacks and reports of abuse, “the evidence part is the key piece,” internal documents written by Dyn Inc’s customer support manager Chris Widner explain. “We will not act if they simply say, ‘these are bad’ and don't provide proof.”
Considering that the dynamic domains were gone by the time the Aurora attacks were made public, there are two possibilities: Either the criminals dropped the links, or Dyn Inc. got the proof it needed and killed services. If there was proof of malicious activity, and said proof could be used to link something to China’s government, why keep it from the public?
It is entirely possible to show proof, or to explain how you came to the damning conclusion that an attack was government sponsored, without naming names or locations. Based on Dyn Inc's track record of being open, if there was a smoking gun from the investigation into the dynamic domains, the company has effectively been silenced from talking about it.
The attackers used new and old tricks – just like everyone else
The actual attack on Google and the other victims, from which Aurora gets its name, has had a lot of debate and coverage in the press. However, this coverage has gone from waiting for more information to political debates and service pitches.
What was it about the attack that points the finger squarely towards China? Leaving out the CRC code discovery and setting aside Google’s now infamous announcement about the attacks, where is this supposed smoking gun?
The attackers used a Zero-Day vulnerability in Internet Explorer to plant the Malware. However, this type of approach isn’t used by Chinese criminals alone.
Zero-Day flaws are used by criminals all over the world -- all the time. Flaws in Microsoft Office, Internet Explorer, and Adobe Reader have been used countless times to spread Malware. Sometimes the goal is the theft of intellectual property, and other times that isn’t the case at all.
The latest news on Aurora indicates the attackers used IM programs and social networking contacts to build trust and lure insiders at the targeted companies to click links or access files that later infected their systems. This is a neat angle for a news story, but again the approach is nothing that hasn’t been done before.
This is no different than someone hijacking a Facebook account and posting a malicious link to the wall of every friend associated with said account. In the end, all of the attack methods mentioned by the press have been going around for years, and security experts know this.
We asked Alperovitch about the Malware seen during the Aurora investigation. We learned some interesting things, including that McAfee isn’t working with everyone impacted by the attacks, but it is working with a good deal of them.
“We’re in various stages of helping different victim companies,” he said.
When asked if there were 30 companies, and if McAfee had collected samples from each of them, he explained, “I don’t believe that there are 30 companies; I think the right number is around 20.”
“We are at various stages of trying to identify the infection points at many of these companies. Right now we are probably dealing with around 15 different pieces of Malware that we’ve gotten,” he added.
As for the Malware itself, Alperovitch said McAfee is seeing a customized version at each of the infected companies. In some cases, there are different variants of the Aurora Malware within different companies. Moreover, some of the code has different generations as new capabilities are added.
Placing the blame
So aside from the aforementioned code snippet, and claims made by one of the organizations attacked, nothing in the actual attack vector can be linked directly to China. If the claims that the Chinese government launched or approved the attack are based on IP addresses, or lack of action to track the perpetrators, then there is currently no proof at all.
We asked Alperovitch about the code snippet in an attempt to learn if McAfee has seen the same pattern as Stewart.
“We’ve seen that code present in the Malware, but I wouldn’t be so quick as to draw the conclusions that have been drawn from that. That code is widely available, it has been used in a number of legitimate and illegitimate products, so I think that if you’re trying to blame China for this just because of the presence of [public code] on some Chinese website, I think that’s a tenuous connection at best,” he said.
IP addresses can be forged. The use of dynamic services makes tracking an attacker tremendously difficult, if not impossible, depending on the number of BNCs (bouncer proxies) and dynamic services used. How hard would it be to forge IP addresses and develop Malware using Chinese code?
Consider the attack patterns used during Aurora, the Malware discovered by McAfee (customized and tailored towards a specific target), and the variants of the Hydraq code being spread online and targeting average Internet users, and you begin to see a pattern. All of this stands out as the work of a Malware kit, much like the Zeus kit, which can be tailored towards a mass audience or a single victim.
Then you have the attacks themselves. Aside from simply cracking several networks, the criminals wanted information.
Intellectual Property (IP) is a valuable commodity, and criminals are doing a brisk business when it comes to stealing it and selling it on. And don't forget the other aspect of the Aurora incident, the human rights activists; stealing information from them or about them would sell just as well on an open market. The point being, information is gold. Everyone wants it, criminals and governments alike.
Governments looking to engage in a little espionage would use Malware kits too, but they would also be more likely to hide, and rarely would they leave so many obvious clues. Typical criminals, on the other hand, would use the kits as well, and if the attack was more of a snatch-and-grab opportunity, they probably wouldn't care about evidence being left behind.
The interesting fact in all of the Aurora coverage is that information related to the incident is tightly controlled in some cases, and completely missing in others. You cannot blame McAfee for keeping its cards close to its chest on this one. The vendor has “very strict confidentiality agreements” with every single company it works with. You cannot blame Google either.
However, it is odd that the detailed data on the Malware and the overall Aurora incident is scattered, and available mostly thanks to the efforts of independent researchers. Considering all the security vendors quick to team up and fight Conficker, where is the Cabal for Aurora?
This whole incident would be a great source of information for organizations to learn about threats to intellectual property, incident response, risk management, and so on. Yet, the information blackout leaves business leaders in the dark, and the political war being waged in the press between China and the U.S. does nothing but spread confusion and offers little technical value.
At the end of the day, when you consider all that has come to light, Aurora could have easily been the work of a team of people or just a single person. There just isn't anything there to make the charges stick against the Chinese government.
[This editorial is the opinion of Steve Ragan and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to [email protected]. In addition, Michael Felch, a security analyst with a strong background in software development and corporate IT management, contributed to this article. Michael can be contacted at [email protected].]