Zero-day-loving Google hackers furiously active in last three years

The hackers behind the Aurora attacks that were discovered targeting Google, Adobe and other big U.S. companies in 2009 have seemingly been working hard ever since.

Symantec has released today a research paper that details a three years’ worth of attacks that can all be tracked back to a single large group – the very group behind those aforementioned attacks – that continuously uses components of an infrastructure the researchers have dubbed the “Elderwood platform” after a parameter used in the attack codes.

The Elderwood gang is primarily interested in gathering and stealing intelligence (trade secrets, contacts, infrastructure details, intelligence for future attacks) and intellectual property (designs and plans) from an ever-increasing number of companies mostly located in the United States.

These companies are usually defense supply chain manufacturers, human rights and non-governmental organizations, and IT service providers.

The gang rarely – if ever – goes after defense contractors, because it assumes their cyber defenses are more efficient that those set up by manufacturers that supply electronic or mechanical components to them.

“The attackers may use the manufacturers as a stepping stone to gain access to top-tier defense contractors, or obtain intellectual property used in the production of parts that make up larger products produced by a top-tier defense company,” the researchers explained in the paper.

Even companies in the Finance, Energy (Oil/Gas), Education, and Government sectors have not been spared.

Non-governmental organizations (NGOs) are secondary targets, and the group includes mostly human rights organization in Taiwan, Hong Kong and China.

But the thing that makes the Elderwood gang really stand out from other players in the cyber espionage field is that they seemingly have an inexhaustible supply of zero-day exploits at their disposal – they have used eight in the last three years.

“Although there are other attackers utilizing zero-day exploits (for example, the Sykipot or Nitro, or even Stuxnet), we have seen no other group use so many,” the researchers say. “The number of zero-day exploits used indicates access to a high level of technical capability.”

“In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications. This effort would be substantially reduced if they had access to source code,” they pointed out.

This last theory sounds be the most likely, as the gang has hit a number of software companies in the last year. As mentioned before, Adobe has been hit around the same time as Google, and it seems probable that the attackers are the same ones, i.e. the Elderwood gang.

It’s possible that they got their hands on source code for Adobe’s products, and have managed to reverse-engineer them and have, therefore, an easier time finding out zero-day vulnerabilities in them.

The researchers also believe that the gang consists of specific teams.

“Technically skilled hackers (researchers) create exploits, document creation kits, re-usable trigger code, and compromise websites, and these are then made available to less technical attackers. These attackers (attack operators) are likely responsible for identifying targets and delivering the attack payload using the tools and infrastructure provided to them,” they speculate.

“Once a target has been compromised, the less skilled attack operators can then proceed to move through the compromised network, identifying data of interest. The level of technical skill required to move through a compromised network is much lower than that required to establish the initial penetration.”

All the exploits used so far targeted two of the most popular applications out there: Microsoft Internet Explorer and Adobe Flash Player.

Once the exploit compromises the targeted computer, a backdoor or a dropper Trojan (including the Hydraq/Aurora Trojan that has been used in the attack against Google) is delivered and set up on it, allowing the attackers stealthy and continuous access, or the ability to download other malware on the machine.

The Elderwood gang uses two primary attack vectors: spear phishing emails sent to specific targets, and so-called watering hole attacks – the compromise of websites targets are likely to visit and equipping them with iframes pointing to a server hosting exploits for the zero-days.

The former had been prevalently used until March 2010, when the latter seemed to become the more favored approach, as it allowed attackers to target more victims and gather more data.

The sheer number of attacks, the skill-set wielded by the attackers and the choice of targets all seem to point to a nation state, or a group backed by a nation state, although it is also possible that a large and well-founded criminal gang might be behind the attacks.

The Elderwood platform that the researchers talk about consists of a number of re-usable components such as a document creation kit, a shared SWF file, and other likely tools such as those for the automated creation of accounts on Web-based email services, registration of domain names, etc. (click on the screenshot to enlarge it):


The continuous reuse of these components was, among other things, what allowed the researchers to tie these attacks together and to the gang.

“Any manufacturers who are in the defense supply chain need to be wary of attacks emanating from subsidiaries, business partners, and associated companies, as they may have been compromised and used as a stepping-stone to the true intended target,” the researchers warn.

“Companies and individuals should prepare themselves for a new round of attacks in 2013. This is particularly the case for companies who have been compromised in the past and managed to evict the attackers. The knowledge that the attackers gained in their previous compromise will assist them in any future attacks.”

Don't miss