Operation Aurora
China reached into Google's source-code repository looking for the accounts of dissidents. Google reached back by leaving the country.
In January 2010, Google did something no major Western technology company had done before. It published a blog post, signed by its chief legal officer, disclosing that it had been the target of a sophisticated intrusion originating from China, and that it would no longer cooperate with state-mandated censorship on Google.cn.
What the attackers wanted
The intrusion was eventually labeled Operation Aurora, a name derived from a string found in the malware's debug paths. Investigators traced it to a campaign that had touched at least thirty other major technology firms, including Adobe, Juniper, and Rackspace, as well as others that did not publicly confirm.
What made the operation alarming was its target inside Google. The attackers were not after consumer data in bulk. They were specifically interested in the account information of Chinese human rights activists and in the systems Google used to respond to US law enforcement requests — a window onto which dissidents were under surveillance.
A new kind of attribution
Aurora marked one of the first times a major American company publicly named a foreign government as its attacker. It also drove the popularization of a term of art that has not stopped expanding since: advanced persistent threat.
What the chronicle remembers
Aurora reset the conversation about corporate cyber-defense. Threat models that had been built around criminals and disgruntled insiders had to make room for patient, well-funded state actors with strategic objectives. Every modern corporate security organization that talks about APTs is, in a real sense, working from a frame the Google disclosure handed it.