McAfee Offers Guidance for “Operation Aurora”

January 18, 2010

McAfee released guidance to help organizations determine if they were targeted in the same sophisticated cyberattack that hit a growing list of companies, including Google. The high profile cyberattack, linked to China by Google, targeted valuable intellectual property.

“This is the largest and most sophisticated cyberattack we have seen in years targeted at specific corporations,” said McAfee Worldwide Chief Technology Officer George Kurtz. “It is a watershed moment in cybersecurity because of the targeted and coordinated nature of the attack. As a result, the world has changed; organizations globally will have to change their threat models to account for this new class of highly sophisticated attack that goes after high value intellectual property.”

As part of the fallout of the attack, Windows users currently face a real and present danger due to the public disclosure of a serious vulnerability in Internet Explorer. McAfee was the first to discover and announce that an Internet Explorer vulnerability was a key vector in the attack on Google and others. Unfortunately, the risk has been compounded because the attack code that exploits this Internet Explorer vulnerability has now been posted in the public domain, increasing the possibility of widespread attacks. McAfee technologies provide protection against current threats related to the attack on Google and others.

How to know if your organization was compromised

Over 30 organizations have reportedly been targeted by the same attack that hit Google and the list of victims continues to grow. McAfee calls the cyberheist “Operation Aurora” and provided detailed guidance to help organizations determine if they were impacted by the attack, which occurred over the December holidays and into early January.

McAfee’s guidance involves two steps:

1) If you are a McAfee customer, verify that you are using the latest threat definition files and perform a full scan on all machines within your enterprise.

2) Inspect network traffic history for communication with external systems associated with the attack.

3) Examine computers for specific files or file attributes related to the attack.

Detailed guidance is available on the McAfee Web site at http://www.mcafee.com/operationaurora

How to protect against the Internet Explorer vulnerability

McAfee products protect against attacks that may use the now publicly available exploit to attempt to attack Internet Explorer users and the malware used in the attack on Google and others:

1. McAfee consumer and enterprise PC security products provide protection against the malicious computer programs used to target Google and others through the threat definition files released on January 11 and through the McAfee real-time, cloud-based Global Threat Intelligence. Current customers should ensure the latest definition files are installed and that cloud detection is enabled. McAfee consumer security products are available online.

2. McAfee Network Security Platform detects attacks that use the Internet Explorer zero-day exploit through the threat definition files released on January 15. Users of the McAfee Network Security Platform should ensure the latest definition files are installed.

3. McAfee Web Gateway and McAfee Firewall Enterprise provide powerful Web security technology to filter malicious traffic on the network. Users of either of these McAfee products should ensure that outbound Web security capabilities are enabled and malware scanning within the firewall is based on the latest signatures and associated rules.