
Operation Aurora — Google + 30 US technology firms

Chinese state-sponsored attackers exploited an Internet Explorer zero-day to breach Google, Adobe and at least 30 other companies, targeting source code and human-rights activists' accounts.

Target
Operation Aurora — Google + 30 US technology firms
Date public
12 January 2010
Sector
Technology
Attack type
Nation State
Threat actor
Elderwood Group / Chinese state-sponsored
Severity
Critical
Region
Global — primarily US tech and defence

In late 2009, attackers linked to the Chinese government quietly broke into some of the largest technology companies in America. Their method was simple: they sent targeted emails with malicious attachments or links to specific employees. When those employees opened them in Internet Explorer, the attackers got in, exploiting a flaw that Microsoft did not yet know about.

Once inside, they went looking for two things. First, valuable intellectual property: Google's source code, Adobe's software internals, and proprietary information from dozens of other firms. Second, something more politically sensitive: the Gmail accounts of Chinese human-rights activists and dissidents.

What made Operation Aurora historically significant was not just the scale of the breach, but what Google did next. Rather than quietly containing it, Google went public, named China, and announced it was reconsidering its entire presence in mainland China. No US technology company of that size had ever publicly confronted the Chinese government over cyber espionage before. It changed the rules of how these incidents get discussed.

What happened

Beginning in mid-2009, a sophisticated intrusion campaign targeted at least 34 US companies, including Google, Adobe Systems, Juniper Networks, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical. The campaign was named “Aurora” after a file path embedded in the attackers’ binaries, apparently the directory on the developer’s machine in which the malware had been compiled. Google detected the intrusion into its own corporate infrastructure in mid-December 2009; it was that investigation which revealed that Gmail accounts belonging to Chinese human-rights activists had been a primary objective, and that the same actors had compromised many other companies.

On 12 January 2010, Google published an extraordinary public statement by its Chief Legal Officer David Drummond acknowledging a “highly sophisticated and targeted attack” originating from China that had resulted in the theft of intellectual property. The statement said the attack on Google’s own systems appeared to have reached only two Gmail accounts, and then only account information such as creation dates and subject lines rather than message bodies; separately, the accounts of dozens of China-focused human-rights advocates in the US, China and Europe had been routinely accessed by third parties, most likely through phishing or malware on the users’ own computers. Google announced it was “no longer willing to continue censoring” its Chinese search results and was prepared to exit mainland China if necessary. Within days, dozens of other victims confirmed similar compromises, and the US State Department said it would lodge a formal diplomatic protest with Beijing.

The breadth of the victim list — technology firms, defence contractors, financial institutions — made clear this was not opportunistic crime but a targeted intelligence-collection operation directed at US strategic and commercial interests. Security firm McAfee named the campaign publicly, with its vice president of threat research Dmitri Alperovitch announcing the “Operation Aurora” name. The operation was later attributed to a Chinese state-sponsored threat actor subsequently tracked by various researchers as the Elderwood Group, APT17 (also reported under the names Hidden Lynx and Deputy Dog), and related clusters.

How it worked

The initial infection vector was spear-phishing: targeted emails sent to specific individuals at victim organisations. The emails typically contained a link to an attacker-controlled page (or an attachment leading to one) that, when opened in Internet Explorer, triggered an unpatched use-after-free vulnerability (CVE-2010-0249) in the browser’s DOM engine (mshtml.dll), reachable from JavaScript and exploited with a heap spray to take control of the freed object. The vulnerability affected Internet Explorer 6, 7 and 8, making the attack window broad across corporate environments of the period, though the in-the-wild exploit targeted IE6 on Windows XP and IE8’s default DEP made the same bug considerably harder to exploit. Microsoft issued an emergency out-of-band patch (MS10-002) on 21 January 2010, but by then the campaign had been running for months.

Once the exploit fired, it dropped a custom backdoor known as Hydraq (also called McRAT) onto the victim’s machine. Hydraq beaconed to command-and-control servers hosted in Taiwan on TCP port 443, the port used by HTTPS, so that a port-based firewall or proxy would treat it as normal web traffic; the protocol itself was a custom encrypted one rather than genuine TLS, which is a detection opportunity rather than a weakness of the design from the attacker’s point of view. The attackers used the initial access to pivot laterally through corporate networks, locating and exfiltrating source code repositories, intellectual property databases, and in some cases the contents of specific email accounts.
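A port-based filter cannot tell the Hydraq-style beacon from a browser session, but a TLS-aware one can: a genuine TLS client’s first bytes are a handshake record carrying a ClientHello with consistent headers, and a custom protocol on port 443 does not look like that. The following is an added example for this page, not Hydraq’s real protocol or anyone’s production detector: it parses the first client bytes of each flow and flags port-443 connections that no TLS client would have produced. The flows, addresses and the “beacon” payload are constructed for the illustration.

```python
"""Flag outbound port-443 connections whose first client bytes are not a TLS
ClientHello. Added example for this page; the flows below are constructed
and the "beacon" payload is an illustration, not a real Hydraq capture."""
from dataclasses import dataclass
from typing import List

TLS_HANDSHAKE = 0x16   # record-layer content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    client_bytes: bytes  # first bytes the client sent after the TCP handshake


def is_tls_client_hello(payload: bytes) -> bool:
    """Parse the TLS record header and handshake header of a client's first
    bytes. Record: type(1) version(2) length(2); handshake: type(1) length(3)
    client_version(2). Anything else on port 443 is not a normal TLS client."""
    if len(payload) < 11:
        return False           # too short even for the two headers
    if payload[0] != TLS_HANDSHAKE:
        return False
    if payload[1] != 0x03 or payload[2] > 0x04:
        return False           # record version must be in the SSL3.0..TLS1.3 family
    record_len = int.from_bytes(payload[3:5], "big")
    if payload[5] != CLIENT_HELLO:
        return False
    handshake_len = int.from_bytes(payload[6:9], "big")
    if handshake_len + 4 != record_len:
        return False           # the two length fields must agree (single-record hello)
    return payload[9] == 0x03  # client_version major byte


def make_client_hello() -> bytes:
    """Build a minimal, structurally valid TLS 1.2 ClientHello (constructed)."""
    body = (b"\x03\x03" + b"\x11" * 32      # client_version + 32-byte random
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # one compression method: null
            + b"\x00\x00")                   # no extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed flows: a real-looking TLS session, a fake beacon that passes a
# port filter but is not TLS, a plain HTTP request sent to 443, and the same
# request on port 80 (out of scope for this check).
SAMPLE_FLOWS = [
    Flow("10.1.4.23", "93.184.216.34", 443, make_client_hello()),
    Flow("10.1.4.23", "203.0.113.77", 443, b"\x16\x03\x01\x00\x10" + b"\x00" * 16),
    Flow("10.1.4.51", "198.51.100.9", 443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    Flow("10.1.4.51", "198.51.100.9", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]


def non_tls_on_443(flows: List[Flow]) -> List[Flow]:
    """Return the port-443 flows that a TLS client would not have produced."""
    return [f for f in flows
            if f.dst_port == 443 and not is_tls_client_hello(f.client_bytes)]


if __name__ == "__main__":
    for f in non_tls_on_443(SAMPLE_FLOWS):
        print(f"ALERT {f.src} -> {f.dst}:{f.dst_port} first bytes {f.client_bytes[:8]!r}")
```

Two caveats for anyone turning this into a real rule: the check needs the first bytes of the reassembled client stream, so a capture that starts mid-connection or splits the record across segments will produce false positives; and it only catches the 2010-style trick of borrowing the HTTPS port. Most current implants speak genuine TLS, where the equivalent question becomes one of certificate, SNI and JA3-style fingerprint anomalies rather than record-header shape.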

The targeting of Gmail accounts belonging to Chinese dissidents and activists pointed to a second, parallel objective distinct from commercial espionage. The accounts in question were associated with individuals who were subjects of Chinese government surveillance interest. The two objectives — corporate intellectual property theft and political surveillance — were apparently served by the same intrusion infrastructure operating simultaneously.

The attackers demonstrated strong operational security throughout the campaign, using encrypted channels that mimicked ordinary web traffic, a custom backdoor not detected by antivirus products of the time, and maintaining access for months at some victims before Google’s investigation surfaced the scope of the operation. Later analysis by Symantec identified an Elderwood “platform”: a shared exploitation infrastructure that supplied zero-day exploits to multiple Chinese state-linked groups on a supply-chain model, explaining both the sophistication of the tooling and the breadth of simultaneous targeting.

Timeline

  • Mid-2009 — Campaign begins; attackers establish initial access at multiple target organisations.
  • Late 2009 — Google security team identifies unusual access to Gmail accounts of Chinese human-rights activists and begins investigating.
  • December 2009 — Google attributes the intrusion to China after forensic analysis; internal decision-making about public disclosure begins.
  • 12 January 2010 — Google publishes its public statement, names China as the origin, discloses the intellectual property theft and activist account targeting, and signals potential exit from mainland China.
  • 13 January 2010 — US Secretary of State Hillary Clinton publicly calls on China to explain the attacks; the State Department says it will lodge a formal protest with Beijing.
  • 14 January 2010 — McAfee publishes its technical analysis naming the campaign “Aurora”; confirms 20+ victim organisations.
  • Late January 2010 — Microsoft releases an emergency out-of-band patch for CVE-2010-0249; Germany and France advise citizens to stop using Internet Explorer.
  • March 2010 — Google redirects Chinese search traffic to its Hong Kong servers, effectively exiting mainland China search operations after negotiations with Beijing failed.
  • 2013 — Mandiant’s APT1 report provides broader public context for Chinese state-sponsored espionage; APT1 is a distinct group from the Aurora actors, but the report established the attribution norms Google’s disclosure had anticipated.

What defenders should learn

Operation Aurora established several principles that remain essential. The most immediate is the risk of unpatched browsers in corporate environments. CVE-2010-0249 was a zero-day when Aurora began, but zero-days become known quantities quickly: a working public exploit for it was available within days of Google’s disclosure, well before many organisations had applied the out-of-band patch, so the window between a vulnerability being weaponised by an advanced actor and it becoming available to far less sophisticated attackers is measured in days, not months. Rapid patching of internet-facing client software, particularly browsers, is a basic control that directly narrows the exploitation window.

The dual targeting — corporate source code and political dissidents’ email accounts — illustrated a pattern that has become central to understanding Chinese state-sponsored espionage: the state and commercial intelligence interests are served simultaneously by the same operations. Defenders at technology companies should consider that intellectual property and politically sensitive communications are both high-value targets, and that access to corporate infrastructure may be sought partly because it provides access to users of that infrastructure.

The Aurora campaign also exposed the inadequacy of incident confidentiality norms of the period. Before Google’s disclosure, victims were managing their breaches privately; the public announcement caused other victims to step forward, substantially expanding the known scope and enabling defenders across the industry to check for the same indicators. The strategic decision to disclose publicly — and to name the state responsible — was deeply unusual for a private company and is now studied as a model for when and how corporate cyber-disclosure can serve a broader public interest.

Finally, lateral movement from a single phishing compromise to source code repositories points to network segmentation failures that remain common. Source code, product roadmaps, and research databases are crown-jewel assets that should sit behind access controls distinct from the general corporate network a spear-phished employee laptop can reach. The question every technology company should ask after reading about Aurora is: starting from a laptop compromise in the general corporate network, what would it take for an attacker to reach the source code?
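The question at the end of that paragraph can be answered mechanically rather than by intuition. The following is an added example for this page, not any company’s real network policy: it models zone-to-zone allow rules as a graph, enumerates every path an attacker on a compromised workstation could take to the source-control zone, and then shows the same enumeration after the repository is put behind a single brokered access point. The zone names, rules and the “dev-jump-host” broker are all hypothetical.

```python
"""Enumerate attack paths from a workstation zone to a crown-jewel zone under a
set of zone-to-zone allow rules. Added example; the policy below is constructed
and the zone names are hypothetical, not any real company's network."""
from collections import defaultdict
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str]  # (source zone, destination zone, allowed service)

# Hypothetical flat corporate network: workstations can reach almost everything.
FLAT_POLICY: List[Rule] = [
    ("internet", "corp-workstations", "email"),
    ("corp-workstations", "internet", "https"),
    ("corp-workstations", "file-servers", "smb"),
    ("corp-workstations", "source-control", "ssh"),
    ("corp-workstations", "build-servers", "rdp"),
    ("build-servers", "source-control", "ssh"),
    ("file-servers", "build-servers", "smb"),
]


def attack_paths(policy: List[Rule], start: str, target: str) -> List[List[str]]:
    """Return every simple path of allowed flows from start to target.
    Each hop is rendered as 'src -service-> dst' so the output reads as a route."""
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst, service in policy:
        graph[src].append((dst, service))

    paths: List[List[str]] = []

    def walk(node: str, visited: frozenset, path: List[str]) -> None:
        if node == target:
            paths.append(path)
            return
        for dst, service in graph[node]:
            if dst in visited:          # simple paths only; no cycles through zones
                continue
            walk(dst, visited | {dst}, path + [f"{node} -{service}-> {dst}"])

    walk(start, frozenset([start]), [])
    return paths


def broker_access(policy: List[Rule], crown_jewel: str, broker: str,
                  entry_service: str = "ssh+mfa", broker_service: str = "ssh") -> List[Rule]:
    """Rewrite policy so only `broker` may reach crown_jewel, and workstations reach
    the broker through a separately controlled service (here labelled ssh+mfa).
    Every other rule whose destination is crown_jewel is dropped."""
    kept = [r for r in policy if r[1] != crown_jewel]
    kept.append(("corp-workstations", broker, entry_service))
    kept.append((broker, crown_jewel, broker_service))
    return kept


SEGMENTED_POLICY = broker_access(FLAT_POLICY, "source-control", "dev-jump-host")


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        routes = attack_paths(policy, "corp-workstations", "source-control")
        print(f"{label}: {len(routes)} path(s) from a compromised workstation to source-control")
        for route in routes:
            print("  " + "  ".join(route))
```

On the flat policy the enumeration finds three routes (direct SSH, via the build servers, and via file servers then build servers), which is the situation the paragraph describes. After brokering, the only route runs through the jump host, so the question becomes whether that one hop’s authentication and logging would have stopped or exposed the intruder. The point of the exercise is the enumeration itself: most organisations have never listed these paths, and a path that is not listed is not being defended.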

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.

Sources
