The Chinese hackers who targeted Google in what was called “Operation Aurora” – which caused a huge rift between Google and the Chinese government – are back in action according to security firm Symantec.
New signs have appeared that the same hackers who compromised Google’s source code and endangered Chinese human rights activists are utilising an Adobe zero-day vulnerability in PDFs, known as the Adobe Reader ‘CoolType.dll’ TTF Font Remote Code Execution Vulnerability.
This type of attack means that anyone who downloads and opens the exploited PDF file will find a downloader DLL in their Temp folder, which subsequently downloads additional malware. It effectively bypasses the need to run an executable file, making it a much bigger threat, since most people are cagey about .exe files but not about .pdf files.
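One way a defender might spot the behaviour described above, added here as an illustration rather than code from the article or from Symantec: a small correlation over constructed endpoint events that flags a PDF reader process writing a DLL into a Temp folder and escalates when the same process then opens a network connection. The process names, paths, event format and time window are assumptions.

```python
import re

# Constructed endpoint telemetry (not from the article), one event per line:
# "<seconds>|<event>|<process>|<pid>|<detail>"
EVENTS = """\
9|ProcessStart|AcroRd32.exe|4120|C:\\Users\\bob\\Downloads\\invoice.pdf
10|FileCreate|AcroRd32.exe|4120|C:\\Users\\bob\\AppData\\Local\\Temp\\ab12.dll
12|NetConnect|AcroRd32.exe|4120|203.0.113.7:80
30|FileCreate|WINWORD.EXE|2210|C:\\Users\\bob\\AppData\\Local\\Temp\\~WRD0001.tmp
31|NetConnect|WINWORD.EXE|2210|198.51.100.5:443
40|FileCreate|AcroRd32.exe|5001|C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll
"""

# Document viewers that have no business dropping a DLL into Temp (assumed names).
READER_PROCESSES = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}
TEMP_DLL = re.compile(r"\\temp\\[^\\]+\.dll$", re.IGNORECASE)
WINDOW = 60  # seconds between the DLL drop and network activity to correlate


def parse(text):
    """Split the pipe-delimited telemetry into (time, event, process, pid, detail)."""
    rows = []
    for line in text.strip().splitlines():
        t, ev, proc, pid, detail = line.split("|", 4)
        rows.append((int(t), ev, proc.lower(), int(pid), detail))
    return rows


def detect(events):
    """Return (pid, dll_path, severity) for reader processes that write a DLL to Temp.
    Severity is 'high' when the same process then connects out within WINDOW seconds
    (the downloader stage the article describes), otherwise 'medium'."""
    drops = {}     # pid -> (time of DLL drop, path)
    findings = {}  # pid -> (path, severity)
    for t, ev, proc, pid, detail in sorted(events):
        if proc not in READER_PROCESSES:
            continue
        if ev == "FileCreate" and TEMP_DLL.search(detail):
            drops[pid] = (t, detail)
            findings[pid] = (detail, "medium")
        elif ev == "NetConnect" and pid in drops and t - drops[pid][0] <= WINDOW:
            findings[pid] = (drops[pid][1], "high")
    return [(pid, path, sev) for pid, (path, sev) in findings.items()]


if __name__ == "__main__":
    for pid, path, sev in detect(parse(EVENTS)):
        print(f"{sev.upper():6} pid={pid} dropped {path}")
```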
Symantec pointed out a number of similarities between this attack and the Aurora one on Google, Adobe, Yahoo, and a number of other big names, including Symantec itself.
Symantec caught a number of socially engineered emails being sent out that are written in a very similar style to those used to deliver the Hydraq trojan in the Aurora attacks, and said that this confirms its suspicions that those hackers did not simply fade away but are still in operation.
This spells bad news for the net. Insecurity experts agreed that Aurora was one of the most elaborate and sophisticated attacks of its type in history. McAfee, now owned by Intel, said: “We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack. It’s totally changing the threat model.”
Google reported the attacks in January of this year, revealing that between the middle and end of 2009 it was subject to a large-scale attack which primarily employed a previously unknown vulnerability in Internet Explorer as well as another in source code revision software Perforce.
The attacks led to a bitter exchange between Google and the Chinese government, where Google accused Beijing of being behind the attacks, which were allegedly aimed at spying on human rights activists and stealing Google’s source code.
It strained their relationship so much that Google gave China an ultimatum: allow an uncensored version of Google’s search engine or watch the company close up shop there for good. After months of holding their ground they eventually reached a compromise, allowing a censored version of Google to link to an uncensored one.
Google employed Symantec as part of its investigations into the Aurora attack, so news from them that the hackers are still at large and potentially planning another big attack is very worrying indeed.
Update: Typo fixed. Hi Reddit!