Operation Aurora: China's Spear-Phish Against Google and 34 Companies
A Chinese state-sponsored group sent a single malicious link to a Google engineer in China, triggering a breach that reached Google's source code repositories and compromised at least 34 other major corporations.
Background
In late 2009, a sophisticated threat actor later attributed to a Chinese group known as APT1 or Comment Crew conducted a targeted operation against technology and defence companies. Google had operations in China and employed local engineers with access to internal systems.
The Attack
Attackers sent a targeted instant message to a Google employee in China containing a link to a malicious website. The site exploited a zero-day vulnerability in Internet Explorer 6 (CVE-2010-0249) to install a backdoor. Attackers then pivoted through the network over weeks, reaching the source code management system containing Google's core codebase. Intelligence later confirmed the attackers were specifically searching for information about Chinese human rights activists. At least 34 companies were hit by the same campaign, including Adobe, Juniper, and Rackspace.
Response
Google announced the breach in January 2010 in an unprecedented public blog post, naming China as the attacker. Google stopped censoring its Chinese search results and ultimately redirected google.cn to Hong Kong. The US State Department summoned the Chinese ambassador. Microsoft patched the IE zero-day within days.
Outcome
The Aurora operation was a watershed moment — the first time a major technology company publicly attributed an attack to a nation-state. Google's decision to go public, name China, and exit Chinese censorship changed the geopolitics of cyber espionage permanently. The attack demonstrated that intellectual property theft, not just intelligence gathering, was a primary objective.
Key Takeaways
- Nation-state attackers target employees in satellite offices who may have less security awareness
- Source code repositories are crown-jewel assets requiring dedicated access controls and monitoring
- Public attribution of nation-state attacks carries diplomatic weight — but requires courage
- Browser zero-days allow full system compromise from a single clicked link
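The monitoring called for in the third takeaway, shown as an added example that is not part of the article and not Google's tooling: a small detector that reads source-code-repository audit-log lines and flags the patterns a pivot into the SCM would tend to produce (an account cloning many distinct repositories in one day, clones during quiet hours, and access from outside the engineering network). The log format, user names, repository names, IP ranges and thresholds are constructed assumptions.

```python
"""Flag anomalous source-code-repository access from audit-log lines.

Added example, not from the original article. The line format
("<ISO timestamp> <user> <action> <repo> <src_ip>"), the users, repos,
trusted network and thresholds are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2009-12-14T09:12:03 alice clone web/frontend 10.1.4.22
2009-12-14T09:40:51 alice push web/frontend 10.1.4.22
2009-12-14T10:02:17 bob clone infra/build 10.1.7.9
2009-12-15T02:13:40 carol clone core/auth 10.2.9.14
2009-12-15T02:14:02 carol clone core/search 10.2.9.14
2009-12-15T02:14:30 carol clone core/index 10.2.9.14
2009-12-15T02:15:11 carol clone core/crawl 10.2.9.14
2009-12-15T02:15:45 carol clone core/ads 10.2.9.14
2009-12-15T02:16:20 carol clone core/storage 10.2.9.14
2009-12-16T11:05:00 dave clone infra/deploy 203.0.113.77
"""

# Assumed policy: engineering workstations live in 10.0.0.0/8; anything else is unexpected.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]
# Assumed thresholds: more than this many distinct repos cloned by one user in one
# calendar day, or any clone between 00:00 and 06:00 local time, is worth a look.
MAX_DISTINCT_CLONES_PER_DAY = 5
QUIET_HOURS = range(0, 6)


def parse_line(line):
    """Split one audit-log line into a dict with typed timestamp and address."""
    ts, user, action, repo, src_ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "repo": repo, "src_ip": ip_address(src_ip)}


def parse_log(text):
    """Parse every non-blank line of an audit log."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_anomalies(events):
    """Return a list of (rule, user, detail) findings, one per user and day per rule."""
    findings = []
    clones = defaultdict(set)   # (user, day) -> repos cloned that day
    quiet = defaultdict(set)    # (user, day) -> repos cloned during quiet hours
    for ev in events:
        # Any access from outside the trusted network is reported immediately.
        if not any(ev["src_ip"] in net for net in TRUSTED_NETWORKS):
            findings.append(("untrusted_source", ev["user"], str(ev["src_ip"])))
        if ev["action"] == "clone":
            key = (ev["user"], ev["ts"].date())
            clones[key].add(ev["repo"])
            if ev["ts"].hour in QUIET_HOURS:
                quiet[key].add(ev["repo"])
    # Aggregate per user and day so a burst of clones yields one finding, not dozens.
    for (user, day), repos in clones.items():
        if len(repos) > MAX_DISTINCT_CLONES_PER_DAY:
            findings.append(("bulk_clone", user, f"{len(repos)} repos on {day}"))
    for (user, day), repos in quiet.items():
        findings.append(("quiet_hours_clone", user, f"{len(repos)} repos on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{rule:18} {user:8} {detail}")
```

On the constructed log this reports carol once for bulk cloning and once for quiet-hours activity, and dave once for an untrusted source address; alice and bob produce nothing. In practice the thresholds would be derived from each user's own baseline rather than fixed constants, and the findings would feed an alert queue rather than stdout.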