Threat Intelligence Tarot
wands · 14
China (PLA Unit 61398 adjacent)
G0073 · ★★★★★
risk 4/5
✦ The Breach of Trust ✦
Operation Aurora
Aurora operators · APT17 (Google campaign) · Elderwood Group
Google · Adobe · Intel · Morgan Stanley · 30+ major corporations
Active ~2009–2010 (campaign period) · Google source code theft, Dissident surveillance, Defense contractor IP theft
It breached Google and read the Gmail of Chinese human rights activists. It stole source code from Adobe, Intel, and two dozen other companies. When Google disclosed it - a company, not a government, going public with an intrusion by a nation-state - it changed what was considered possible to say.
Tactics & Techniques
RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
Notable Operations
- ◆Google breach - source code and Gmail accounts of Chinese dissidents (2009)
- ◆30+ major technology and defense companies compromised
- ◆IE zero-day (CVE-2010-0249) exploitation at scale
- ◆Led Google to reconsider China operations and harden security globally
Defenses
- ▸Browser hardening and Internet Explorer isolation or removal (CIS Control 2)
- ▸Email security for activist and high-risk user accounts (NIST CSF: PR.AT)
- ▸Source code repository access controls and monitoring (CIS Control 6)
- ▸Corporate incident disclosure policy and legal framework (NIST CSF: RS.CO)
Reversed: Their Weakness
Operation Aurora's disclosure by Google was a watershed: a technology company naming a nation-state attacker in a public statement was unprecedented. That decision, and the corporate hardening it prompted industry-wide, represents Aurora's unintended greatest impact.
Data sourced from MITRE ATT&CK. For educational purposes.