Operation Aurora hack was counterespionage, not China picking on Tibetan activists

It turns out that the Operation Aurora attackers weren’t just Chinese-sponsored hackers bent on messing with Tibetan activists, as Google originally portrayed them in disclosing the 2010 hacking of Google and other companies.

Rather, the Aurora hackers are said to have grabbed a much bigger prize: access to Google accounts for which there were US court-ordered wiretaps.

CIO.com first reported on the revelation, made by David W. Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, at a conference.

According to Aucsmith, Aurora was in fact a Chinese counterintelligence operation that sought to discover if the US had uncovered the identity of clandestine agents operating within its borders.

His remarks, from CIO’s transcription of his conference address:

"If you think about this, this is brilliant counterintelligence... You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that’s difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That’s essentially what we think they were trolling for, at least in our case."

Aucsmith has no argument against Google’s analysis of the attack having originated in China, per se.

But, he says, Microsoft’s analysis has determined that the hackers who tried to breach its systems apparently weren’t motivated, at least not primarily, by the human rights and repression issues that Google and others attributed to the Aurora operation:

"What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on."

The Washington Post subsequently reported that, according to current and former government officials, the hackers who breached Google’s servers accessed a database with years’ worth of information about US surveillance targets.

The Washington Post quoted one former official who spoke, on the condition of anonymity, of the attackers’ rationale in going after suspects’ email accounts:

"Knowing that you were subjects of an investigation allows them to take steps to destroy information, get people out of the country."

In addition, he told the Post, the Chinese might have used the information to dupe US intelligence by feeding them false or misleading information.

All told, the Operation Aurora attacks reportedly targeted at least 34 companies, including Adobe, Juniper, Rackspace, Symantec, Northrop Grumman, Morgan Stanley and Yahoo.

After Google determined that hackers had penetrated Gmail accounts of Chinese human rights advocates in the United States, Europe and China, it threatened to shut down its operations in China.

According to the Washington Post, Google didn’t publicly disclose the surveillance database breach but did alert the FBI soon after discovering it.

An FBI cyberespionage agent visited Google’s Mountain View, California headquarters to conduct an investigation that would determine if and how national security had been affected, but Google denied him access because the FBI had failed to provide guarantees about the scope of its investigation.

The Post reports that the FBI then conducted “an extensive assessment” that included figuring out if those under surveillance had shifted off of Gmail and onto alternative means of communication.

National security, it turns out, hadn’t been damaged by the breach. Google beefed up its shielding of sensitive data nonetheless.

The Post quotes Michael M. DuBose, former chief of the Justice Department’s Computer Crime and Intellectual Property Section, who called successful breaches such as Aurora “a wake-up call” about how the security and effectiveness of surveillance depends to a great degree on security standards in the private sector:

"Those clearly need strengthening."

He’s right.

Microsoft, for its part, suffered some grief after an Internet Explorer flaw (which it had known about for four months before the Aurora attacks) was found to have been exploited in the hacks.

As it is, the Aurora gang was reportedly still active as of September 2012, nearly three years after Google disclosed the hack.

Let’s hope that security standards in the private sector do get attended to in all haste, lest the security of both public and private life suffer severe blows.