Operation Aurora

File:IllegalFlowerTribute1.jpg's headquarters after its announcement it might leave the country.]]

On January 12, 2010, Google revealed on its weblog that it had been the victim of a cyber attack. The company said the attack occurred in mid-December and originated from China. Google stated that more than 20 other companies had been attacked; other sources have since cited that more than 34 organizations were targeted. As a result of the attack, Google said it was reviewing its business in China. On the same day, United States Secretary of State Hillary Clinton issued a brief statement condemning the attacks and requesting a response from China.{{cite web|url=https://www.state.gov/secretary/rm/2010/01/135105.htm|archive-url=https://web.archive.org/web/20100116101958/http://www.state.gov/secretary/rm/2010/01/135105.htm|url-status=dead|archive-date=2010-01-16|title=Statement on Google Operations in China|last=Clinton|first=Hillary|date=2010-01-12|publisher=US Department of State|access-date=17 January 2010}}

On January 13, 2010, the news agency All Headline News reported that the United States Congress plans to investigate Google's allegations that the Chinese government used the company's service to spy on human rights activists.{{cite web|url=http://www.allheadlinenews.com/articles/7017511426?Congress%20to%20Investigate%20Google%20Charges%20Of%20Chinese%20Internet%20Spying|title=Congress to Investigate Google Charges Of Chinese Internet Spying|publisher=All Headline News|date=13 January 2010|access-date=13 January 2010|url-status=dead|archive-url=https://web.archive.org/web/20100328165130/http://www.allheadlinenews.com/articles/7017511426?Congress%20to%20Investigate%20Google%20Charges%20Of%20Chinese%20Internet%20Spying|archive-date=28 March 2010}}

In Beijing, visitors left flowers outside of Google's office. However, these were later removed, with a Chinese security guard stating that this was an "illegal flower tribute".{{cite magazine |last1=Osnos |first1=Evan |title=China and Google: "Illegal Flower Tribute" |url=https://www.newyorker.com/news/evan-osnos/china-and-google-illegal-flower-tribute |access-date=10 November 2020 |magazine=The New Yorker |date=14 January 2010 |archive-date=27 July 2022 |archive-url=https://web.archive.org/web/20220727192741/https://www.newyorker.com/news/evan-osnos/china-and-google-illegal-flower-tribute |url-status=live }} The Chinese government has yet to issue a formal response, although an anonymous official stated that China was seeking more information on Google's intentions.{{cite news|url=http://www.chinadaily.com.cn/china/2010-01/13/content_9316162.htm|title=Chinese govt seeks information on Google intentions|date=2010-01-13|agency=Xinhua|work=China Daily|access-date=18 January 2010|archive-date=2020-03-24|archive-url=https://web.archive.org/web/20200324060050/http://www.chinadaily.com.cn/china/2010-01/13/content_9316162.htm|url-status=live}}

{{Further|Cyberwarfare and China}}

Technical evidence including IP addresses, domain names, malware signatures, and other factors, show Elderwood was behind the Operation Aurora attack. The "Elderwood" group was named by Symantec (after a source-code variable used by the attackers), and is referred to as the "Beijing Group" by Dell Secureworks. The group obtained some of Google's source code, as well as access to information about Chinese activists.{{cite web|last=Nakashima|first=Ellen|title=Chinese hackers who breached Google gained access to sensitive data, U.S. officials say|url=https://www.washingtonpost.com/world/national-security/chinese-hackers-who-breached-google-gained-access-to-sensitive-data-us-officials-say/2013/05/20/51330428-be34-11e2-89c9-3be8095fe767_story.html|work=WashingtonPost|access-date=5 December 2015|archive-date=20 May 2020|archive-url=https://web.archive.org/web/20200520033127/https://www.washingtonpost.com/world/national-security/chinese-hackers-who-breached-google-gained-access-to-sensitive-data-us-officials-say/2013/05/20/51330428-be34-11e2-89c9-3be8095fe767_story.html|url-status=live}} Elderwood also targeted numerous other companies in the shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors.{{cite web|last=Riley|first=Michael|title=Hackers Linked to China's Army Seen From EU to D.C.|url=https://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html|publisher=Bloomberg|access-date=24 February 2013|author2=Dune Lawrence|date=26 July 2012|archive-date=11 January 2015|archive-url=https://web.archive.org/web/20150111064254/http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html|url-status=live}}

The "APT" designation for the Chinese threat actors responsible for attacking Google is APT17.{{cite web | url=https://www.zdnet.com/article/apt-doxing-group-expose-apt17-as-jinan-bureau-of-chinas-security-ministry/ | title=APT-doxing group exposes APT17 as Jinan bureau of China's Security Ministry | website=ZDNet | access-date=2024-02-19 | archive-date=2024-02-19 | archive-url=https://web.archive.org/web/20240219134114/https://www.zdnet.com/article/apt-doxing-group-expose-apt17-as-jinan-bureau-of-chinas-security-ministry/ | url-status=live }}

Elderwood specializes in attacking and infiltrating second-tier defense industry suppliers that make electronic or mechanical components for major defense companies. Those companies then become a cyber "stepping stone" to gain access to the major defense contractors. One attack procedure used by Elderwood is to infect legitimate websites frequented by employees of the target company – a so-called "water hole" attack, just as lions stake out a watering hole for their prey. Elderwood infects these less-secure sites with malware that downloads to a computer that accesses the site. After that, the group searches inside the network to which the infected computer is connected, finding and then downloading executives' e-mails and critical documents on company plans, decisions, acquisitions, and product designs.

In its weblog posting, Google stated that some of its intellectual property had been stolen. It suggested that the attackers were interested in accessing Gmail accounts of Chinese dissidents. According to the Financial Times, two accounts used by Ai Weiwei had been attacked, their contents read and copied; his bank accounts were investigated by state security agents who claimed he was being investigated for "unspecified suspected crimes".{{cite news |url=http://www.ft.com/cms/s/0/c590cdd0-016a-11df-8c54-00144feabdc0.html |title=The Chinese dissident's 'unknown visitors' |author=Anderlini, Jamil |work=Financial Times |date=January 15, 2010 |access-date=February 1, 2010 |archive-date=September 10, 2010 |archive-url=https://web.archive.org/web/20100910075747/http://www.ft.com/cms/s/0/c590cdd0-016a-11df-8c54-00144feabdc0.html |url-status=live }} However, the attackers were only able to view details of two accounts and those details were limited to information such as the subject line and the accounts' creation date.

Security experts immediately noted the sophistication of the attack. Two days after the attack became public, McAfee reported that the attackers had exploited purported zero-day vulnerabilities (unfixed and previously unknown to the target system developers) in Internet Explorer and dubbed the attack "Operation Aurora". A week after the report by McAfee, Microsoft issued a fix for the problem,{{cite web|url=http://www.microsoft.com/technet/security/advisory/979352.mspx|title=Microsoft Security Advisory (979352)|date=2010-01-21|publisher=Microsoft|access-date=26 January 2010|archive-date=2011-09-03|archive-url=https://web.archive.org/web/20110903163326/http://www.microsoft.com/technet/security/advisory/979352.mspx|url-status=live}} and admitted that they had known about the security flaw used since September. Additional vulnerabilities were found in Perforce, the source code revision software used by Google to manage their source code.{{cite web|url=https://www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf|title=Protecting Your Critical Assets, Lessons Learned from "Operation Aurora", By McAfee Labs and McAfee Foundstone Professional Services|website=wired.com|access-date=2017-03-10|archive-date=2016-04-29|archive-url=https://web.archive.org/web/20160429214018/http://www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf|url-status=live}}{{cite magazine|url=https://www.wired.com/threatlevel/2010/03/source-code-hacks/|title='Google' Hackers Had Ability to Alter Source Code|magazine=Wired|access-date=27 July 2016|last1=Zetter|first1=Kim|archive-date=29 January 2014|archive-url=https://web.archive.org/web/20140129064159/http://www.wired.com/threatlevel/2010/03/source-code-hacks/|url-status=live}}

VeriSign's iDefense Labs claimed that the attacks were perpetrated by "agents of the Chinese state or proxies thereof".{{cite web|url=https://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars|title=Researchers identify command servers behind Google attack|last=Paul|first=Ryan|date=2010-01-14|publisher=Ars Technica|access-date=17 January 2010|archive-date=2010-01-17|archive-url=https://web.archive.org/web/20100117004158/http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars?|url-status=live}}

According to a diplomatic cable from the U.S. Embassy in Beijing, a Chinese source reported that the Chinese Politburo directed the intrusion into Google's computer systems. The cable suggested that the attack was part of a coordinated campaign executed by "government operatives, public security experts and Internet outlaws recruited by the Chinese government".{{cite news |title=Cables Obtained by WikiLeaks Shine Light Into Secret Diplomatic Channels |first1=Scott |last1=Shane |first2=Andrew W. |last2=Lehren |newspaper=The New York Times |date=28 November 2010 |url=https://www.nytimes.com/2010/11/29/world/29cables.html?_r=1&hp |access-date=28 November 2010 |archive-date=6 February 2019 |archive-url=https://web.archive.org/web/20190206121251/https://www.nytimes.com/2010/11/29/world/29cables.html?_r=1&hp |url-status=live }} The report suggested that it was part of an ongoing campaign in which attackers have "broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002".{{cite news |author=Scott Shane and Andrew W. Lehren |title=Leaked Cables Offer Raw Look at U.S. Diplomacy |work=The New York Times |quote=The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, ... |date=November 28, 2010 |url=https://www.nytimes.com/2010/11/29/world/29cables.html |access-date=2010-12-26 |archive-date=2019-05-03 |archive-url=https://web.archive.org/web/20190503010101/https://www.nytimes.com/2010/11/29/world/29cables.html |url-status=live }} According to The Guardian's reporting on the leak, the attacks were "orchestrated by a senior member of the Politburo who typed his own name into the global version of the search engine and found articles criticising him personally".[https://www.theguardian.com/world/2010/nov/28/us-embassy-cable-leak-diplomacy-crisis US embassy cables leak sparks global diplomatic crisis] {{Webarchive|url=https://web.archive.org/web/20200623135555/https://www.theguardian.com/world/2010/nov/28/us-embassy-cable-leak-diplomacy-crisis |date=2020-06-23 }} The Guardian 28 November 2010

Once a victim's system was compromised, a backdoor connection that masqueraded as an SSL connection made connections to command and control servers operating in Illinois, Texas, and Taiwan, including machines that were using stolen Rackspace customer accounts. The victim's machine then began exploring the protected corporate intranet that it was a part of, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories.

The attacks were thought to have definitively ended on Jan 4 when the command and control servers were deactivated, although it is not known at this time whether or not the attackers deactivated them intentionally.{{cite magazine|url=https://www.wired.com/threatlevel/2010/01/operation-aurora/|title=Google Hack Attack Was Ultra Sophisticated, New Details Show|date=2010-01-14|magazine=Wired|access-date=23 January 2010|first=Kim|last=Zetter|archive-date=2014-03-21|archive-url=https://web.archive.org/web/20140321141553/http://www.wired.com/threatlevel/2010/01/operation-aurora|url-status=live}} However, the attacks were still occurring as of February 2010.

The German, Australian, and French governments publicly issued warnings to users of Internet Explorer after the attack, advising them to use alternative browsers at least until a fix for the security breach was made.{{cite news|url=http://tvnz.co.nz/technology-news/france-germany-warn-internet-explorer-users-3334330|title=France, Germany warn Internet Explorer users|last=One News|date=19 January 2010|publisher=TVNZ|access-date=22 January 2010|archive-date=23 April 2017|archive-url=https://web.archive.org/web/20170423233011/http://tvnz.co.nz/technology-news/france-germany-warn-internet-explorer-users-3334330|url-status=live}}{{cite news|url=https://www.independent.co.uk/life-style/gadgets-and-tech/news/why-you-should-change-your-internet-browser-and-how-to-choose-the-best-one-for-you-1872048.html|archive-url=https://web.archive.org/web/20100121045331/http://www.independent.co.uk/life-style/gadgets-and-tech/news/why-you-should-change-your-internet-browser-and-how-to-choose-the-best-one-for-you-1872048.html|url-status=dead|archive-date=January 21, 2010|title=Why you should change your internet browser and how to choose the best one for you|last=Relax News|date=18 January 2010|work=The Independent|access-date=22 January 2010 |location=London}}{{cite web|url=http://www.abc.net.au/news/stories/2010/01/19/2795684.htm|title=Govt issues IE security warning|date=19 January 2010|publisher=ABC (Australia)|access-date=27 July 2016|archive-date=23 September 2010|archive-url=https://web.archive.org/web/20100923202111/http://www.abc.net.au/news/stories/2010/01/19/2795684.htm|url-status=dead}} The German, Australian, and French governments considered all versions of Internet Explorer vulnerable or potentially vulnerable.{{cite news|url=http://www.nzherald.co.nz/world/news/article.cfm?c_id=2&objectid=10620973|title=France, Germany warn against Internet Explorer|last=NZ Herald Staff|date=19 January 2010|work=The New Zealand Herald|access-date=22 January 2010|archive-date=24 June 2020|archive-url=https://web.archive.org/web/20200624163506/https://www.nzherald.co.nz/world/news/article.cfm?c_id=2&objectid=10620973|url-status=live}}{{cite news|url=https://www.telegraph.co.uk/technology/microsoft/7011626/Germany-warns-against-using-Microsoft-Internet-Explorer.html|title=Germany warns against using Microsoft Internet Explorer|last=Govan|first=Fiona|date=18 January 2010|work=The Daily Telegraph|access-date=22 January 2010|location=London|archive-date=27 August 2019|archive-url=https://web.archive.org/web/20190827233956/https://www.telegraph.co.uk/technology/microsoft/7011626/Germany-warns-against-using-Microsoft-Internet-Explorer.html|url-status=live}}

In an advisory on January 14, 2010, Microsoft said that attackers targeting Google and other U.S. companies used software that exploits a flaw in Internet Explorer. The vulnerability affects Internet Explorer versions 6, 7, and 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4.{{cite news|url=http://news.cnet.com/8301-27080_3-10435232-245.html|title=New IE hole exploited in attacks on U.S. firms|last=Mills|first=Elinor|date=14 January 2010|publisher=CNET|access-date=22 January 2010|archive-date=24 December 2013|archive-url=https://web.archive.org/web/20131224110914/http://news.cnet.com/8301-27080_3-10435232-245.html|url-status=dead}}

The Internet Explorer exploit code used in the attack has been released into the public domain, and has been incorporated into the Metasploit Framework penetration testing program. A copy of the exploit was uploaded to Wepawet, a service for detecting and analyzing web-based malware operated by the computer security group at the University of California, Santa Barbara. "The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability", said George Kurtz, CTO of McAfee, of the attack. "The now public computer code may help cybercriminals craft attacks that use the vulnerability to compromise Windows systems".{{cite news|url=http://www.infosecurity-us.com/view/6537/internet-explorer-zeroday-code-goes-public/|title=Internet Explorer zero-day code goes public|date=18 January 2010|publisher=Infosecurity|access-date=22 January 2010|archive-date=10 September 2011|archive-url=https://web.archive.org/web/20110910125128/http://www.infosecurity-us.com/view/6537/internet-explorer-zeroday-code-goes-public/|url-status=live}}

Security company Websense said it identified "limited public use" of the unpatched IE vulnerability in attacks against users who strayed onto malicious Web sites.{{cite web|url=http://securitylabs.websense.com/content/Blogs/3530.aspx|title=Security Labs – Security News and Views – Raytheon – Forcepoint|access-date=27 July 2016|archive-date=12 September 2015|archive-url=https://web.archive.org/web/20150912174622/http://securitylabs.websense.com/content/Blogs/3530.aspx|url-status=live}} According to Websense, the attack code it spotted is the same as the exploit that went public last week.{{Clarify|date=March 2019}} "Internet Explorer users currently face a real and present danger due to the public disclosure of the vulnerability and release of attack code, increasing the possibility of widespread attacks," said George Kurtz, chief technology officer of McAfee, in a [http://siblog.mcafee.com/cto/dealing-with-%E2%80%9Coperation-aurora%E2%80%9D-related-attacks/ blog update].{{cite web|url=http://www.computerworld.com/s/article/9145721/Hackers_wield_newest_IE_exploit_in_drive_by_attacks|title=Hackers wield newest IE exploit in drive-by attacks|first=Gregg|last=Keizer|date=19 January 2010|access-date=27 July 2016|archive-date=21 September 2013|archive-url=https://web.archive.org/web/20130921182918/http://www.computerworld.com/s/article/9145721/Hackers_wield_newest_IE_exploit_in_drive_by_attacks|url-status=dead}} Confirming this speculation, Websense Security Labs identified additional sites using the exploit on January 19.{{cite web|url=http://securitylabs.websense.com/content/Blogs/3534.aspx|title=Security Labs – Security News and Views – Raytheon – Forcepoint|access-date=27 July 2016|archive-date=6 September 2015|archive-url=https://web.archive.org/web/20150906184641/http://securitylabs.websense.com/content/Blogs/3534.aspx|url-status=live}} According to reports from Ahnlab, the second URL was spread through the Instant Messenger network Misslee Messenger, a popular IM client in South Korea.

Researchers have created attack code that exploits the vulnerability in Internet Explorer 7 (IE7) and IE8—even when Microsoft's recommended defensive measure (Data Execution Prevention (DEP)) is activated.{{dubious|Protected Mode, not DEP is the defensive mechanism in IE|date=August 2013}} According to Dino Dai Zovi, a security vulnerability researcher, "even the newest IE8 isn't safe from attack if it's running on Windows XP Service Pack 2 (SP2) or earlier, or on Windows Vista RTM (release to manufacturing), the version Microsoft shipped in January 2007."{{cite news|url=http://www.computerworld.com/s/article/9145958/Researchers_up_ante_create_exploits_for_IE7_IE8?taxonomyId=17|title=Researchers up ante, create exploits for IE7, IE8|last=Keizer|first=Gregg|date=19 January 2010|publisher=Computerworld|access-date=22 January 2010|archive-date=24 January 2010|archive-url=https://web.archive.org/web/20100124082515/http://www.computerworld.com/s/article/9145958/Researchers_up_ante_create_exploits_for_IE7_IE8?taxonomyId=17|url-status=live}}

Microsoft admitted that the security flaw used had been known to them since September.Naraine, Ryan. [https://www.zdnet.com/article/microsoft-knew-of-ie-zero-day-flaw-since-last-september/ Microsoft knew of IE zero-day flaw since last September], ZDNet, January 21, 2010. Retrieved 28 January 2010. Work on an update was prioritized{{cite web|url=http://blogs.zdnet.com/security/?p=5268|title=Security – ZDNet|access-date=27 July 2016|archive-date=10 April 2010|archive-url=https://web.archive.org/web/20100410141946/http://blogs.zdnet.com/security/?p=5268|url-status=dead}} and on Thursday, January 21, 2010, Microsoft released a security patch intended to counter this weakness, the published exploits based on it and a number of other privately reported vulnerabilities.{{cite web|url=http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx|title=Microsoft Security Bulletin MS10-002 – Critical|website=Microsoft|access-date=27 July 2016|archive-date=17 August 2011|archive-url=https://web.archive.org/web/20110817234559/http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx|url-status=live}} They did not state if any of the latter had been used or published by exploiters or whether these had any particular relation to the Aurora operation, but the entire cumulative update was termed critical for most versions of Windows, including Windows 7.

Security researchers continued to investigate the attacks. HBGary, a security company, released a report in which they claimed to have found some significant markers that might help identify the code developer. The company also said that the code was Chinese language based but could not be associated specifically with any government entity.{{cite news|url=http://www.thenewnewinternet.com/2010/02/12/hunting-down-the-aurora-creator/|title=Hunting Down the Aurora Creator|date=13 February 2010|publisher=TheNewNewInternet|access-date=13 February 2010|archive-date=17 February 2010|archive-url=https://web.archive.org/web/20100217053027/http://www.thenewnewinternet.com/2010/02/12/hunting-down-the-aurora-creator/|url-status=live}}(Dead link)

On February 19, 2010, a security expert investigating the cyber-attack on Google, has claimed that the people who performed the attack were also responsible for the cyber-attacks made on several Fortune 100 companies in the past one and a half years. They have also tracked the attack back to its origin, which seems to be two Chinese schools, Shanghai Jiao Tong University and Lanxiang Vocational School.{{cite news|url=https://www.nytimes.com/2010/02/19/technology/19china.html|title=2 China Schools Said to Be Tied to Online Attacks|date=18 February 2010|work=New York Times|access-date=26 March 2010|first1=John|last1=Markoff|first2=David|last2=Barboza|archive-date=23 June 2020|archive-url=https://web.archive.org/web/20200623101118/https://www.nytimes.com/2010/02/19/technology/19china.html|url-status=live}} As highlighted by The New York Times, both of these schools have associations with the Chinese search engine Baidu, a rival of Google China.{{cite news|url=http://www.itproportal.com/2010/02/19/google-aurora-attack-originated-chinese-schools/|title=Google Aurora Attack Originated From Chinese Schools|date=19 February 2010|publisher=itproportal|access-date=19 February 2010|archive-date=12 June 2018|archive-url=https://web.archive.org/web/20180612184528/https://www.itproportal.com/2010/02/19/google-aurora-attack-originated-chinese-schools/|url-status=live}} Both Lanxiang Vocational and Jiaotong University have denied the allegation.{{cite news|url=https://www.wsj.com/articles/SB10001424052702304563104576363461062076684|title=Chefs Who Spy? Tracking Google's Hackers in China|first=James T.|last=Areddy|newspaper=Wall Street Journal|date=4 June 2011|via=www.wsj.com|access-date=8 August 2017|archive-date=21 January 2020|archive-url=https://web.archive.org/web/20200121121717/https://www.wsj.com/articles/SB10001424052702304563104576363461062076684|url-status=live}}{{cite web|url=http://en.sjtu.edu.cn/news/shanghai-dailycyber-expert-slams-spy-report/|title=Jiao Tong University - 【Shanghai Daily】Cyber expert slams "spy" report|first=Jiao Tong|last=University|website=en.sjtu.edu.cn|access-date=2013-06-26|archive-date=2019-11-29|archive-url=https://web.archive.org/web/20191129022150/http://en.sjtu.edu.cn/news/shanghai-dailycyber-expert-slams-spy-report|url-status=dead}}

In March 2010, Symantec, which was helping investigate the attack for Google, identified Shaoxing as the source of 21.3% of all (12 billion) malicious emails sent throughout the world.Sheridan, Michael, "Chinese City Is World's Hacker Hub", London Sunday Times, March 28, 2010.

On October 3, 2022, Google on YouTube released a six-episode series{{Cite web |title=HACKING GOOGLE - YouTube |url=https://www.youtube.com/playlist?list=PL590L5WQmH8dsxxz7ooJAgmijwOz0lh2H |access-date=2022-10-03 |website=www.youtube.com |archive-date=2022-10-03 |archive-url=https://web.archive.org/web/20221003121620/https://www.youtube.com/playlist?list=PL590L5WQmH8dsxxz7ooJAgmijwOz0lh2H |url-status=live }} concerning the events that occurred during Operation Aurora, with commentary from insiders who dealt with the attack, though the series' primary emphasis was to reassure the Google-using public that measures are in place to counter hacking attempts.

• Chinese intelligence activity in other countries
• Chinese Intelligence Operations in the United States
• Cyber-warfare
• Economic and Industrial Espionage
• GhostNet
• Honker Union
• Titan Rain
• Vulcanbot
• MUSCULAR (surveillance program)

{{Reflist|30em}}

• [https://www.cnet.com/news/privacy/google-china-insiders-may-have-helped-with-attack/ Google China insiders may have helped with attack] news.cnet.com
• [http://www.sporkings.com/2010/01/operation-aurora-beginning-of-the-age-of-ultra-sophisticated-hack-attacks/ Operation Aurora – Beginning Of The Age of Ultra-Sophisticated Hack Attacks!] Sporkings.com January 18, 2010
• [http://www.newsweek.com/id/232793 In Google We Trust Why the company's standoff with China might change the future of the Internet.] Rafal Rohozinski interviewed by Jessica Ramirez of Newsweek on 2010.1.29
• [http://www.sporkings.com/2010/02/recent-cyber-attacks-more-than-what-meets-the-eye/ Recent Cyber Attacks – More than what meets the eye?] Sporkings.com February 19, 2010
• [https://www.wired.com/threatlevel/2010/03/source-code-hacks/ ‘Google’ Hackers Had Ability to Alter Source Code] Wired.com March 3, 2010
• [https://www.theregister.co.uk/2010/01/26/aurora_attack_origins/ 'Aurora' code circulated for years on English sites Where's the China connection?]
• Gross, Michael Joseph, "[http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109 Enter the Cyber-dragon]", Vanity Fair, September 2011.
• Bodmer, S., Kilger, M., Carpenter, G., & Jones, J. (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media. {{ISBN|0-07-177249-9}}, {{ISBN|978-0-07-177249-5}}
• [https://www.youtube.com/watch?v=SLnne4itbvA The Operation Aurora Internet Explorer exploit – live!]
• [https://www.youtube.com/watch?v=jfT_GuR3blA McAfee Operation Aurora Overview]
• [https://www.youtube.com/watch?v=8Y5Vbp6qQRI Operation Aurora Explained by CNET]

{{McAfee}}

{{Hacking in the 2000s}}

{{Hacking in the 2010s}}

Aurora

Category:Cyberwarfare by China

Category:Cyberwarfare in the United States

Category:2009 controversies

Category:2009 crimes

Category:2009 in technology

Category:McAfee

Category:China–United States relations

Category:Chinese advanced persistent threat groups

Category:Google