Operation Aurora
China's IE zero-day campaign that named the APT era
Attributed by Symantec's 2012 'Elderwood Project' white paper and Dell SecureWorks to the Elderwood Group (G0066), a Beijing-based threat actor with suspected People's Liberation Army connections. McAfee's Dmitri Alperovitch identified the operation name 'Aurora' from a PDB file path string ('\Aurora\') embedded in the Hydraq malware binaries. No formal U.S. government indictment has been issued as of 2025.
A Chinese state-linked espionage group breached at least 34 organizations — including Google, Adobe, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, and Dow Chemical — using a previously unknown Internet Explorer use-after-free zero-day (CVE-2010-0249). Operators delivered the Hydraq remote-access trojan via spear-phishing links to a Taiwan-hosted exploit page, then exfiltrated source code and accessed Gmail accounts of Chinese human-rights activists. Google's January 12, 2010 public disclosure by Chief Legal Officer David Drummond marked the first time a major corporation publicly attributed a nation-state cyberattack — and effectively created the APT era.
Phase 01 · Reconnaissance (TA0043)
Operators profiled targets on social media and corporate directories to craft convincing lures
- Attackers identified high-value employees at target companies — particularly engineers with access to source code repositories and activists communicating with Google's Gmail infrastructure.
- LinkedIn, corporate websites, and other open-source intelligence were used to map internal org structures and identify individuals most likely to click a link from a trusted contact.
- The social engineering chain required knowing which instant-messaging contacts each target trusted, suggesting prior reconnaissance of communication patterns.
- At least 34 organizations were ultimately targeted, spanning technology, defense, finance, and energy sectors — indicating a prioritized target list prepared before the campaign launched.
Phase 02 · Initial Access (TA0001)
A spear-phishing instant-message link delivered victims to a Taiwan-hosted exploit page that fired CVE-2010-0249
- Victims received a targeted instant message or email containing a link to a malicious website hosted on infrastructure in Taiwan; the message appeared to come from a trusted contact.
- Visiting the page in Internet Explorer 6 (the dominant enterprise browser in 2009) triggered CVE-2010-0249, a use-after-free vulnerability in IE's handling of a deleted object — allowing arbitrary code execution with no further user interaction beyond clicking the link.
- CVE-2010-0249 affected Internet Explorer 6, 7, and 8 on all then-current Windows releases; IE 6 was the most heavily exploited because it lacked the memory-protection mitigations (notably DEP, enabled by default only from IE 8) that made the heap-spray exploit less reliable against later versions.
- The exploit page was only served to pre-selected targets; other visitors received benign content, making the infrastructure harder to detect and analyze.
- Microsoft issued an emergency out-of-band patch (MS10-002 / KB979352) on January 21, 2010 — nine days after Google's disclosure.
Phase 03 · Execution (TA0002)
The IE exploit heap-sprayed shellcode that dropped and launched the Hydraq remote-access trojan
- Successful exploitation of CVE-2010-0249 executed shellcode via a JavaScript heap-spray, overwriting freed memory to gain control of the instruction pointer.
- The shellcode downloaded and executed Hydraq (also called Trojan.Hydraq, McRat, or 'Aurora' by different vendors), a custom Windows remote-access trojan written to closely mimic legitimate system binaries.
- Hydraq registered itself as a Windows service named 'RaS[random]' and injected into svchost.exe to blend with normal process activity.
- McAfee named the entire operation 'Aurora' after the string '\Aurora\' found in the Hydraq PDB debug-symbol file path embedded in the malware binary.
- Hydraq's obfuscated 'spaghetti code' structure was deliberately designed to complicate disassembly and reverse engineering.
Phase 04 · Persistence (TA0003)
Hydraq survived reboots by installing itself as a Windows service and modifying registry run keys
- Hydraq created a Windows service entry (T1543.003) to survive system reboots; the service name mimicked legitimate Windows services to avoid suspicion during manual review.
- The trojan also modified registry run keys and startup folders to establish redundant persistence mechanisms, ensuring re-execution even if one pathway was removed.
- File and registry artifacts were written to system directories (e.g., %SYSTEM%) to blend with legitimate OS files and reduce visibility to users browsing the filesystem.
- Multiple backdoor implants were sometimes deployed across different hosts within the same network, providing resilience if one installation was discovered and removed.
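A defender-side check for the persistence described in this phase, added here as an example and not drawn from the page or from any vendor tooling: it hunts constructed Windows service-install and Run-key records for a non-baselined service matching the 'RaS[random]' naming the page cites (hosted in svchost.exe) and for Run values that launch from the system directory, then lists the hosts sharing the high-severity hit, since the page notes implants were spread across several hosts. The field names, the baseline sets, the host names and the sample records are all assumptions.

```python
"""Hunt for Hydraq-style persistence in constructed Windows telemetry.

Added example, not from the original page. It models the two persistence
paths the page describes: a service named 'RaS' + random suffix hosted in
svchost.exe, and registry Run values launching from the system directory.
Field names, baselines and sample records are all assumptions.
"""
import re

# Assumed baselines, as an analyst would build them from a golden image.
# RasMan and RasAuto are legitimate Windows remote-access services whose names
# begin with 'Ras'; the implant name the page cites uses a capital 'S'.
BASELINE_SERVICES = {"RasMan", "RasAuto", "Spooler"}
BASELINE_RUN_VALUES = {"OneDrive", "SecurityHealth"}

RAS_RANDOM = re.compile(r"^RaS[A-Za-z0-9]{3,8}$")                  # 'RaS[random]' per the page
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\System32\\", re.I)  # %SYSTEM% on a default install

# Constructed records: service installs (System log event 7045 style) and Run-key writes.
SAMPLE_EVENTS = [
    {"event": "service_installed", "host": "ws01", "name": "RasMan",
     "image": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"event": "service_installed", "host": "ws01", "name": "RaSqzLk",
     "image": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"event": "service_installed", "host": "ws02", "name": "RaSvhjd",
     "image": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"event": "service_installed", "host": "ws03", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"event": "service_installed", "host": "ws04", "name": "NetHelperSvc",
     "image": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"event": "runkey_set", "host": "ws02",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater", "data": r"C:\Windows\System32\placeholder_implant.exe"},  # constructed name
    {"event": "runkey_set", "host": "ws03",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def hunt_persistence(events):
    """Return one finding per suspicious record; baselined names are skipped."""
    findings = []
    for ev in events:
        if ev["event"] == "service_installed":
            name = ev["name"]
            if name in BASELINE_SERVICES:
                continue
            if RAS_RANDOM.match(name):
                findings.append({"host": ev["host"], "severity": "high",
                                 "reason": f"service '{name}' matches RaS[random] and is not baselined"})
            elif "svchost.exe" in ev["image"].lower():
                findings.append({"host": ev["host"], "severity": "medium",
                                 "reason": f"non-baselined service '{name}' hosted in svchost.exe"})
        elif ev["event"] == "runkey_set":
            if ev["value"] in BASELINE_RUN_VALUES:
                continue
            if SYSTEM_DIR.match(ev["data"]):
                findings.append({"host": ev["host"], "severity": "medium",
                                 "reason": f"Run value '{ev['value']}' launches from the system directory"})
    return findings


def campaign_hosts(findings):
    """Hosts carrying a high-severity hit; several such hosts point at one campaign, not one infection."""
    return sorted({f["host"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    hits = hunt_persistence(SAMPLE_EVENTS)
    for hit in hits:
        print(hit["host"], hit["severity"], hit["reason"])
    print("hosts with RaS[random] services:", campaign_hosts(hits))
```

The baseline is the part that matters in practice: a service hosted in svchost.exe is only suspicious relative to what a golden image ships with, and the case-sensitive 'RaS' match is what keeps the legitimate RasMan and RasAuto services from producing noise.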
Phase 05 · Command & Control (TA0011)
Hydraq beaconed over port 443 to C2 servers in Taiwan, Illinois, and Texas — masquerading as SSL traffic
- The Hydraq implant communicated with command-and-control servers over TCP port 443, mimicking HTTPS traffic to blend with legitimate corporate web browsing and bypass egress-filtering firewalls.
- C2 infrastructure was distributed across multiple jurisdictions — servers in Taiwan, Illinois, and Texas were identified during incident response, providing geographic redundancy and complicating takedowns.
- The C2 protocol allowed operators to issue commands for file upload/download, remote shell access, registry manipulation, screen capture, and VNC-based interactive control.
- Beaconing intervals were designed to look like routine web traffic; each implant reported back periodically and awaited operator instructions, consistent with a hands-on-keyboard espionage operation rather than automated mass exploitation.
Phase 06 · Collection (TA0009)
Operators accessed Perforce source code repositories and pivoted to Gmail accounts of Chinese human-rights activists
- At Google, attackers gained access to a Perforce source code management server and accessed repositories containing core search and infrastructure code — the primary corporate-espionage objective.
- A secondary intelligence objective targeted the Gmail accounts of known Chinese human-rights activists; attackers accessed account metadata and subject lines but did not obtain full email content, according to Google's post-incident analysis.
- At Adobe, attackers sought source code for products including Adobe Acrobat and Reader — both widely used delivery mechanisms in subsequent exploit campaigns.
- At Juniper Networks, attackers reportedly accessed source code for network operating systems, which would provide an intelligence advantage for future operations against organizations running Juniper infrastructure.
- The Hydraq RAT's file-staging and upload capabilities enabled systematic collection of documents, source files, and credentials for operator review and prioritization before exfiltration.
Phase 07 · Exfiltration (TA0010)
Staged data was transmitted over the Hydraq C2 channel to operator-controlled servers in Taiwan
- Collected source code, documents, and credentials were staged locally on compromised hosts before being transmitted to C2 servers over the port-443 encrypted channel.
- The use of HTTPS-mimicking traffic on a standard web port made automated DLP (data loss prevention) systems unlikely to flag outbound transfers as anomalous.
- Exfiltration volume and duration are not fully public; Google's disclosure confirmed that source code was accessed and some data was taken, but specifics remain classified or undisclosed.
- The operation ran undetected across most targets from approximately mid-2009 through early January 2010 — roughly six months of dwell time — before Google's internal security team identified the intrusion.
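The two detection angles that Phases 05 and 07 suggest, written as an added example (not the page's code and not any vendor's): whether a port-443 connection actually opens with a TLS record, which traffic that merely mimics HTTPS does not, and whether a host's connections to one destination recur at a fixed interval and carry unusual outbound volume, which is what a staged exfiltration over the beacon channel looks like from the network. The flow records are constructed (RFC 5737 documentation addresses), and the record layout, the first-payload-bytes capture, the constructed non-TLS preamble and the thresholds are assumptions about what a sensor would provide.

```python
"""Hunt for Hydraq-style C2 on port 443 in constructed flow records.

Added example, not from the original page. Two checks: (1) does the first
payload of a port-443 connection look like a TLS record, and (2) do a host's
connections to one destination recur at a fixed interval and carry unusual
outbound volume. Record layout, preamble bytes and thresholds are assumptions.
"""
import statistics
from collections import defaultdict

# Constructed records: (timestamp_s, src, dst, dst_port, bytes_out, first_payload_bytes).
# 203.0.113.7 plays the C2 server; 198.51.100.20 is an ordinary HTTPS site.
C2_BYTES = b"\x00\x00\x00\x00\xff\xff\xff\xff"          # constructed, not the real implant preamble
CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"  # TLS handshake record, ClientHello

SAMPLE_FLOWS = [
    (0,    "10.0.0.5", "203.0.113.7",   443, 512,       C2_BYTES),
    (300,  "10.0.0.5", "203.0.113.7",   443, 512,       C2_BYTES),
    (600,  "10.0.0.5", "203.0.113.7",   443, 512,       C2_BYTES),
    (900,  "10.0.0.5", "203.0.113.7",   443, 512,       C2_BYTES),
    (1200, "10.0.0.5", "203.0.113.7",   443, 3_000_000, C2_BYTES),  # staged archive leaving
    (10,   "10.0.0.8", "198.51.100.20", 443, 1_900,     CLIENT_HELLO),
    (47,   "10.0.0.8", "198.51.100.20", 443, 2_300,     CLIENT_HELLO),
    (95,   "10.0.0.8", "198.51.100.20", 443, 1_100,     CLIENT_HELLO),
    (400,  "10.0.0.8", "198.51.100.20", 443, 2_000,     CLIENT_HELLO),
    (1800, "10.0.0.8", "198.51.100.20", 443, 1_700,     CLIENT_HELLO),
]


def looks_like_tls(first_bytes):
    """True if the payload opens with a TLS record header: content type 0x16
    (handshake), major version 3, minor version 0..4 (SSL 3.0 through TLS 1.3 framing)."""
    return (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04)


def analyze_flows(flows, min_flows=4, max_cv=0.15, volume_threshold=1_000_000):
    """Group port-443 flows by (src, dst) and report pairs showing C2-like behaviour.

    cv is the coefficient of variation of inter-connection gaps; a value near 0
    means a machine-driven fixed interval rather than a person browsing."""
    groups = defaultdict(list)
    for ts, src, dst, dport, out, head in flows:
        if dport == 443:
            groups[(src, dst)].append((ts, out, head))
    findings = []
    for pair, recs in groups.items():
        recs.sort()
        reasons = []
        non_tls = sum(1 for _, _, head in recs if not looks_like_tls(head))
        if non_tls:
            reasons.append(f"{non_tls} of {len(recs)} flows on 443 do not start with a TLS record")
        cv = None
        if len(recs) >= min_flows:
            deltas = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
            mean = statistics.mean(deltas)
            cv = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
            if cv <= max_cv:
                reasons.append(f"regular beacon interval (~{mean:.0f}s, cv={cv:.2f})")
        total_out = sum(out for _, out, _ in recs)
        if total_out >= volume_threshold:
            reasons.append(f"outbound volume {total_out} bytes exceeds threshold")
        if reasons:
            findings.append({"pair": pair, "flows": len(recs), "non_tls_flows": non_tls,
                             "beacon_cv": cv, "bytes_out": total_out, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_flows(SAMPLE_FLOWS):
        print(finding["pair"], finding["reasons"])
```

Each check alone is noisy (plenty of legitimate software beacons on a timer, and some non-TLS protocols run on 443), so the value is in the combination: a fixed-interval, non-TLS, high-volume pair to one external address is the shape the page describes for the Hydraq channel, and it is visible at the egress point even when a DLP system sees nothing unusual.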
Phase 08 · Impact & Disclosure (TA0040)
Google went public on January 12, 2010 — redefining how corporations respond to nation-state intrusions
- Google's Chief Legal Officer David Drummond published 'A new approach to China' on January 12, 2010 — the first time a major Western corporation publicly attributed a significant cyberattack to a nation-state, implicitly pointing at China's government.
- Google disclosed that at least 20 other large companies were also compromised; subsequent analysis by McAfee and others expanded the confirmed count to at least 34 organizations across technology, defense, finance, and energy sectors.
- The U.S. State Department summoned China's ambassador; Secretary of State Hillary Clinton called for an international norm against cyber espionage on January 21, 2010 — the same day Microsoft released MS10-002.
- Germany, Australia, and France each issued public advisories urging citizens and businesses to stop using Internet Explorer until the patch was applied.
- Symantec's 2012 'Elderwood Project' white paper revealed that the threat actor behind Aurora had subsequently deployed at least eight additional zero-days in follow-on campaigns — an unprecedented rate of zero-day consumption that suggested state-level vulnerability research resources.
- Operation Aurora is widely credited with establishing the term 'Advanced Persistent Threat' (APT) in mainstream security discourse and prompting the first wave of enterprise threat intelligence programs.
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
- Adversary: Elderwood / Beijing Group (PRC)
- ATT&CK techniques: T1591 (Gather Victim Org Information), T1589.002 (Gather Victim Identity Information: Email Addresses), T1566.002 (Phishing: Spearphishing Link), T1189 (Drive-by Compromise), T1203 (Exploitation for Client Execution), +1 more
- Remaining vertices: see narrative above
- A new approach to China — Google Official Blog · Google (David Drummond, Chief Legal Officer) · 2010-01-12
- Elderwood Group — G0066 · MITRE ATT&CK
- Hydraq — S0203 · MITRE ATT&CK
- CVE-2010-0249 Detail · NIST NVD · 2010-01-15
- MS10-002: Cumulative Security Update for Internet Explorer · Microsoft · 2010-01-21
- Operation Aurora · Wikipedia · 2010-01-13
- Google Hack Attack Was Ultra Sophisticated, New Details Show · Wired (Kim Zetter) · 2010-01-14