Anatomy of a Breach: Operation Aurora — When China Hacked Google

> series: anatomy_of_a_breach —— part: 013 —— target: google_and_34_companies —— attacker: elderwood_group_pla —— method: ie_zero_day

Hedgehog Security 31 January 2010 14 min read

The attack that made Google leave China.

On 12 January 2010, Google published a blog post titled 'A new approach to China' that sent shockwaves through the technology industry and the diplomatic world. Google disclosed that it had been the victim of a 'highly sophisticated and targeted attack on our corporate infrastructure originating from China' — an attack that resulted in the theft of intellectual property, including source code, and the compromise of Gmail accounts belonging to Chinese human rights activists. Within hours, Adobe confirmed that it had been hit by the same attack. In the days that followed, the list of victims grew to include Yahoo, Symantec, Juniper Networks, Northrop Grumman, Morgan Stanley, Dow Chemical, and at least 28 other major companies.

The attack, which security firm McAfee dubbed 'Operation Aurora' after a file path found in the malware, was attributed to the Elderwood Group, a threat actor with ties to the Chinese People's Liberation Army. It exploited a zero-day vulnerability in Internet Explorer (CVE-2010-0249) and demonstrated a level of sophistication that Dmitri Alperovitch of McAfee described as unprecedented outside the defence industry: 'We have never ever, outside of the defence industry, seen commercial industrial companies come under that level of sophisticated attack. It's totally changing the threat model.'

How Aurora compromised 34 companies.

Operation Aurora began in mid-2009 and continued through December 2009. The attackers used carefully crafted spear-phishing emails to target specific employees at each victim company. The emails contained links to malicious websites that exploited the IE zero-day vulnerability — a flaw in how Internet Explorer handled certain JavaScript objects in memory — to achieve arbitrary code execution on the victim's machine. Once inside, the attackers deployed the Hydraq backdoor trojan, which provided persistent remote access, encrypted communications with command-and-control servers, and the ability to exfiltrate data.

Operation Aurora — Kill Chain
── Reconnaissance ─────────────────────────────────────────
Identify target employees at 34+ companies
Profile targets for spear-phishing content

── Initial Access ──────────────────────────────────────────
Spear-phishing emails with links to malicious sites
IE zero-day exploit (CVE-2010-0249) triggers on visit
Hydraq backdoor trojan deployed silently

── Persistence & Lateral Movement ─────────────────────────
Encrypted C2 communications established
Privilege escalation within corporate networks
Multiple layers of encryption to conceal activity

── Exfiltration ────────────────────────────────────────────
Source code repositories targeted (Google, Adobe)
Gmail accounts of human rights activists accessed
Intellectual property stolen across 34+ companies
Data exfiltrated via encrypted channels to China

The threat model changed permanently.

Nation-State Attacks Went Commercial

Before Aurora, state-sponsored cyber espionage was considered primarily a defence and intelligence concern. Aurora proved that nation-state threat actors target commercial companies — technology firms, chemical manufacturers, financial institutions — for intellectual property and strategic intelligence. Every company with valuable IP became a potential target. Our <a href="/blog/sector-under-the-microscope-defence-supply-chain">defence supply chain analysis</a> and <a href="/blog/apt1-the-persistent-data-hoarder">APT profiles</a> examine this threat in depth.

Zero-Day Exploitation at Scale

The Elderwood Group deployed a previously unknown IE vulnerability against 34 companies simultaneously. After Aurora, the same group was linked to seven further campaigns using different zero-day exploits — potentially developed from source code stolen during Aurora itself. This demonstrated that zero-day exploitation was not a one-off capability but an ongoing operational tool for advanced threat actors.

Google's Response Set a Precedent

Google's decision to publicly disclose the attack, name China as the likely origin, and ultimately withdraw from the Chinese market was unprecedented. Most companies that suffered state-sponsored attacks stayed silent. Google's transparency set a new standard for breach disclosure and forced a public conversation about the intersection of cybersecurity, human rights, and foreign policy.

BeyondCorp and Zero Trust

In direct response to Aurora, Google developed its <a href="https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/">BeyondCorp zero-trust architecture</a> — eliminating the traditional network perimeter and requiring authentication and authorisation for every access request regardless of location. This architectural shift, born from the Aurora breach, has become the dominant security model of the 2020s.
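To make the architectural shift concrete, here is an added example (not code from the original post, from Hedgehog Security, or from Google's BeyondCorp) contrasting a perimeter-style access decision with a zero-trust one. The device inventory, user groups, resource ACL, IP ranges and host names are all constructed assumptions. The point it shows is that a host inside the office network with an unpatched browser, the kind of workstation an Aurora-style exploit lands on, is trusted by the perimeter model and refused by the zero-trust model, while a healthy managed laptop working from home gets the opposite result.

```python
"""Perimeter trust versus a zero-trust (BeyondCorp-style) access decision.

Added illustration; every name, address and policy value below is a
constructed assumption, not real configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str            # identity asserted with the request
    authenticated: bool  # did SSO/MFA actually verify that identity?
    device_id: str       # identity from the device certificate, if any
    source_ip: str       # where the request came from on the network
    resource: str        # what is being asked for


# Constructed inventory and policy data (assumptions for the example).
CORPORATE_PREFIX = "10.20."
DEVICE_INVENTORY = {
    "lt-1001": {"patched": True, "disk_encrypted": True},
    "lt-1002": {"patched": False, "disk_encrypted": True},  # browser months behind
}
USER_GROUPS = {"alice": {"engineering"}, "bob": {"finance"}}
RESOURCE_ACL = {"source-repo": {"engineering"}, "ledger": {"finance"}}


def perimeter_allows(req: AccessRequest) -> bool:
    """Legacy model: anything on the corporate network is trusted."""
    return req.source_ip.startswith(CORPORATE_PREFIX)


def zero_trust_allows(req: AccessRequest) -> bool:
    """Every request must show a verified user, a managed device in good
    posture, and a group that the resource's ACL lists. Network location
    is deliberately not an input to the decision."""
    if not req.authenticated:
        return False
    posture = DEVICE_INVENTORY.get(req.device_id)
    if posture is None or not (posture["patched"] and posture["disk_encrypted"]):
        return False
    allowed_groups = RESOURCE_ACL.get(req.resource, set())
    return bool(USER_GROUPS.get(req.user, set()) & allowed_groups)


# Scenario 1: an engineer's workstation inside the office network running an
# unpatched browser, the kind of host an Aurora-style exploit would land on.
INSIDE_UNPATCHED = AccessRequest("alice", True, "lt-1002", "10.20.4.17", "source-repo")
# Scenario 2: the same engineer on a managed, patched laptop from home.
REMOTE_MANAGED = AccessRequest("alice", True, "lt-1001", "198.51.100.23", "source-repo")
# Scenario 3: an authenticated finance user on a healthy device asking for code.
WRONG_GROUP = AccessRequest("bob", True, "lt-1001", "10.20.4.18", "source-repo")


def compare(req: AccessRequest) -> dict:
    """Return both models' verdicts for one request."""
    return {"perimeter": perimeter_allows(req), "zero_trust": zero_trust_allows(req)}


if __name__ == "__main__":
    for name, req in [("inside, unpatched", INSIDE_UNPATCHED),
                      ("remote, managed", REMOTE_MANAGED),
                      ("wrong group", WRONG_GROUP)]:
        print(f"{name:18s} {compare(req)}")
```

The perimeter check asks one question (is the source address internal?) and so cannot distinguish a compromised employee machine from a healthy one. The zero-trust check asks three, and each is a separate place to stop an intrusion: an implant driving a browser still has to present a verified identity, the device has to pass posture, and a stolen engineering login still does not reach the finance ledger.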

Defending against APT-level threats.

Operation Aurora was a nation-state attack using zero-day exploits — the most difficult threat to defend against. But the kill chain still relied on standard attack phases that security testing can address: the initial phishing email, the exploitation of a browser vulnerability, the lateral movement through the corporate network, and the exfiltration of data. Our red team engagements simulate APT-style attacks — including spear-phishing, zero-day simulation, lateral movement, and data exfiltration — to test whether your organisation's detection and response capabilities would identify an Aurora-style intrusion.

For continuous monitoring that detects the persistent, encrypted, low-and-slow command-and-control communications that APT groups use, SOC in a Box provides 24/7 behavioural detection — not just signature matching. Our infrastructure testing validates network segmentation and privilege separation that limits lateral movement. And Cyber Essentials — while not designed to stop nation-state attacks — establishes the baseline controls (patching, access control, secure configuration) that reduce the attack surface APT groups exploit. For incident response when a sophisticated intrusion is detected, UK Cyber Defence provides the forensic expertise to investigate, contain, and attribute.
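The behavioural detection described above, as an added example that is not code from the original post or from SOC in a Box: a beaconing detector that reads outbound connection records and flags any source/destination pair whose connections recur at a machine-regular interval. Encryption hides what an implant says to its controller, but not when it says it, so a steady check-in period is a signal that works with no signature at all. The log lines, host names, the 203.0.113.10 destination and the thresholds are all constructed assumptions.

```python
"""Beaconing detector: flags hosts that contact one destination at a
near-constant interval, the timing signature of an implant's check-in loop.

Added illustration; the log data below is constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy/firewall records: timestamp, source host, destination, bytes.
# ws-042 talks to 203.0.113.10 every ~5 minutes; ws-077 browses irregularly.
SAMPLE_LOG = """\
2010-01-05T09:00:00 ws-042 203.0.113.10 412
2010-01-05T09:00:07 ws-042 cdn.example.net 2048
2010-01-05T09:05:00 ws-042 203.0.113.10 418
2010-01-05T09:09:59 ws-042 203.0.113.10 415
2010-01-05T09:12:30 ws-042 cdn.example.net 9012
2010-01-05T09:15:01 ws-042 203.0.113.10 420
2010-01-05T09:20:00 ws-042 203.0.113.10 413
2010-01-05T09:25:00 ws-042 203.0.113.10 416
2010-01-05T09:01:12 ws-077 cdn.example.net 777
2010-01-05T09:40:50 ws-077 cdn.example.net 12900
2010-01-05T10:03:05 ws-077 cdn.example.net 300
2010-01-05T11:50:00 ws-077 cdn.example.net 5600
"""


def parse_connections(log_text):
    """Group connection timestamps by (source, destination) pair."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def detect_beacons(log_text, min_events=4, max_cv=0.1):
    """Return one finding per pair whose inter-connection gaps are regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections. Human-driven traffic is bursty (high cv);
    a scheduled check-in is regular (cv near zero) whatever the payload.
    """
    findings = []
    for (src, dst), times in parse_connections(log_text).items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(times),
                             "period_s": period, "cv": cv})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['events']} connections, "
              f"period {f['period_s']:.0f}s, cv {f['cv']:.3f}")
```

On the sample data only ws-042 to 203.0.113.10 is reported, with a period of about 300 seconds; ws-077's gaps vary by a factor of five and pass. Two caveats a practitioner would add: legitimate update agents and telemetry also beacon, so findings need an allowlist of known destinations before they become alerts, and implants that add random jitter to their sleep raise the cv, so a production version would widen the threshold or look at the distribution of gaps rather than a single variance figure.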


If Google can be hacked, so can you. Test your defences.

Our <a href="/penetration-testing/red-team">red team engagements</a> simulate the techniques that nation-state groups like the Elderwood Group use — from spear-phishing to lateral movement to data exfiltration. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous monitoring that detects APT-style intrusions. Because the lesson of Operation Aurora is clear: if 34 of the world's largest companies can be compromised simultaneously, no organisation is too large — or too small — to be targeted.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
