Operation Aurora - Searching for Stars, Finding Comets

When the ‘Operation Aurora, AKA trojan.hydraq’ controversy surfaced, we investigated the role, if any, of fast-flux botnets in the reputed exfiltration attacks from Chinese-supported actors against 33 US technology companies. Our preliminary results using FastFluxMonitor found no direct indication of fast-flux activity associated with the reported domain names. But just as astronomers may detect comets when observing stars, we did find associations between nameservers with fast-flux history and some of the domains and IPs involved in the attacks. In the FastFluxMonitor table below, we see that three of the reported domains used in these attacks share the same nameserver, ns1.3322.net, which is registered to Chinese network operator, CHINANET, ASN 4134, the leading ASN worldwide in terms of Conficker activity. domains-table-feb-11

Building on this finding, we then used FastFluxMonitor to discover more than 600 bots associated with fast-flux behavior registered to this ASN. In the FastFluxMonitor table below, we see that a few of the nameservers associated with a known-spamming IP from this ASN, 60.191.221.123, are classified as fast-flux. While the IP in question is not classified as fast-flux, its association with nameservers that are fast-flux is reason for suspicion.

nameserver-table-feb-1

With guilt-by-association, domain names or IPs associated with these nameservers are suspicious, irrespective of whether the individual IPs or domains are classified as fast-flux. Cyber-defenders can apply this intelligence as a proactive measure to filter access to or from these domains, IPs, and nameservers. As exfiltration attacks are often complex attacks preceded by social engineering probes such as spear-phishing, proactive measures such as real-time filtering are essential. Perimeter and vulnerability-based defenses are necessary, but insufficient, measures against social engineering attacks.

News Scan – Cyber Security

  • “… unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.” – “In Digital Combat, U.S. Finds No Easy Deterrent”, NY Times, Jan 26, 2010
  • ‘Had this attack employed more sophisticated hosting or resolution techniques like fast flux, even the IP addresses would have been useless..” – “Finding Aurora (googlehack)”, NetWitness Blog, Jan 15, 2010