‘Aurora’ Cyber Attackers Were Really Running Counter-Intelligence
An attack Google attributed to Chinese targeting human-rights activists was actually a case of hackers probing U.S. surveillance on undercover agents, according to the senior director of Microsoft's Institute for Advanced Technology
By Kenneth Corbin
NATIONAL HARBOR, Md. — Some of the hackers involved in the infamous Aurora attacks executed from China against dozens of major American companies were believed to be running a counter-intelligence operation probing whether the U.S. government had uncovered the identity of clandestine agents operating in the United States, according to Dave Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments.
Aucsmith, speaking last week at a government IT conference Microsoft hosted here in this Washington suburb, outlined a starkly different version of the attacks than the assessment that Google offered in the bombshell revelation it made in January 2010.
Google had said that the attackers were trying to infiltrate the Gmail accounts of Chinese human rights advocates, describing “a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.”
The view from Redmond was different.
Aucsmith does not challenge Google’s description of the attacks, but says that Microsoft’s analysis concluded that the hackers seeking to infiltrate its systems were apparently working under a motivation that had little if anything to do with the issues of human rights and repression widely associated with the Aurora operation.
Instead, the attack on Microsoft looked to be a reconnaissance mission hackers were conducting to determine what type of surveillance U.S. authorities were conducting on undercover operatives through records obtained from the software giant via court orders.
“What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,” Aucsmith says. “So if you think about this, this is brilliant counter-intelligence. You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that’s difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That’s essentially what we think they were trolling for, at least in our case.”
An A-team of Cyber Criminals
Aucsmith describes that attack as coming from an elite “A-team” of hackers, highlighting the nexus between business and government in the cyber realm and the reality that highly motivated (and potentially state-sponsored) hackers will direct their most sophisticated attacks at private-sector operators when they are searching for national-security information.
“We don’t get a free pass just because we’re not a government,” he says.
One lesson to draw is that while there may be no such thing as perfect security in the Internet age, government agencies and enterprises can help their cause by making their IT operations moving targets. Aucsmith outlines a vision for adaptive cybersecurity through which the insights gleaned from vigilant intelligence gathering would be used to continually update systems and rapidly shut down new threat vectors upon discovery.
“I believe it is fundamentally impossible to stop an attack for which you have never, ever conceived of,” Aucsmith says.
“I think the best we can hope for is that the systems we build are as good as they can be, and as they sit there and do their job, and we learn more about our adversaries’ behavior, we constantly change and update that. We maneuver the system so that it remains immune to further attacks,” he adds.
“So in essence, I don’t think I can stop the very first attack of a kind I’ve never considered, but I believe it may be in my power to find that first attack very quickly and then make everything else immune so that I change the economics of cyber attacks and make it economically infeasible to spend a lot of effort trying to find those vulnerabilities,” Aucsmith says.
The challenges of cyber defense are of course amplified by the growing number and variety of attacks and attackers. Aucsmith describes the threats as generally falling into the categories of criminal activity, espionage and warfare, with the last existing still more in theory than practice.
“We see very, very little warfare, fortunately,” he says, allowing that Russia’s cyber attacks against Estonia and Georgia in 2007 and 2008, respectively, and the Stuxnet assault on Iran’s nuclear program, count as possible exceptions.
Hackers More Dangerous When Backed By Foreign Governments
Whether or not an attack rises to the level of an act of war, espionage and crime are serious enough, and become all the more so in the face of determined hackers who could be operating with the backing of a foreign government. Such incidents can serve as reminders of the determination and resourcefulness of hackers, whether their motivations are political or criminal.
Accepting that absolute security is an unattainable goal, and that it isn’t even realistic to try to keep pace with hackers (let alone a step ahead), Aucsmith urges IT security workers to ensure that their systems are as dynamic as possible, narrowing the window for potential attacks and, in the process, making it more costly for the adversaries. For administrators, that means promptly deploying the patches that vendors issue, such as those that Microsoft pushes out on the second Tuesday of every month.
Security threats have also fundamentally reoriented Microsoft’s business operations, dating to a 2002 company-wide directive from then-CEO Bill Gates, who let it be known that in the security wars, “we were losing,” Aucsmith says.
That memo gave rise to Microsoft’s Trustworthy Computing initiative, which has elevated secure coding as a top company priority, but also set in motion what Aucsmith describes as an in-house intelligence operation rooted in the acknowledgement that the firm didn’t have a good sense of who was attacking their systems, what they were after and how they were operating.
Now, more than 10 years later, Microsoft is more convinced than ever that there is no end to the threats that emerge from unexpected system exploits, and that there is no room for complacency in cybersecurity.
“As long as I have an adversary spending his treasure … nothing static will remain secure — that’s the nature of arms races,” Aucsmith says. “It is a guarantee that the system will be found vulnerable. So I think to a large extent we have to stop fooling ourselves that we actually can create completely secure systems. We certainly need to create the best system we can, but that system cannot remain static. It has to change, morph, grow over time, as we learn about our adversaries’ behavior.”
After our report from Microsoft’s government IT conference appeared, Dave Aucsmith offered this letter to the editor in which he elaborates on the statements he made at the April event:
Since this article refers to my presentation at a conference, I would like to clarify. I was referring to statements in the media from the January 2010 timeframe. My comments were not meant to cite any specific Microsoft analysis or findings about motive or attacks, but I recognize that my language was imprecise. What I should have said was, “According to what I’ve read concerning the so-called Aurora attack (e.g. this 2010 CNN article), industry investigators found that the point of entry was a backdoor access system created by Google in order to comply with government search warrants on user data.” I apologize that my comments were not clear.
–Dave Aucsmith, Senior Director