Sleuths Trace New Zero-Day Attacks to Hackers Who Hit Google

Graphic showing how the Elderwood gang conducts its attacks. Image: Courtesy of Symantec

It’s been more than two years since Google broke corporate protocol by revealing that it had been the victim of a persistent and sophisticated hack, traced to intruders in China that the company all but said were working for the government.

And it turns out the hacker gang that hit the search giant hasn’t been resting on its reputation; it has been busy targeting other companies and organizations, using some of the same attack methods along with a remarkable stockpile of valuable zero-day vulnerabilities. The attackers have used at least eight zero-days in the last three years, including ones targeting the ubiquitous Adobe Flash plugin and Microsoft’s Internet Explorer browser.

Researchers at Symantec traced the group’s work after finding a number of similarities between the Google attack code and methods and those used against other companies and organizations over the last few years.

The researchers, who describe their findings in a report published Friday, say the gang — which they have dubbed the “Elderwood gang” based on the name of a parameter used in the attack codes — appears to have breached more than 1,000 computers in companies spread throughout several sectors – including defense, shipping, oil and gas, financial, technology and ISPs. The group has also targeted non-governmental organizations, particularly ones connected to human rights activities related to Tibet and China.

The majority of the victims have been in the U.S., with the attacks focused on gathering intelligence and stealing intellectual property – such as product design documents and trade secrets, infrastructure details and information about contacts. Many of the attacks have involved supply-chain companies that provide services or electronic and mechanical parts to targeted industries. Symantec says it appears the attackers have used victims in the supply-chain as stepping-stones to breach companies they’re really targeting.

In some cases the gang used spear-phishing attacks to infect targets through an exploit embedded in an e-mail attachment or through a link to a malicious web site. Increasingly, though, they have used another technique: breaching web sites that cater to a particular audience they want to reach (such as an aeronautical web site frequented by workers in the defense industry), injecting an exploit into the site’s pages, and waiting for victims to visit those pages and be infected.

In these so-called “watering hole” attacks (named for a lion lying in wait for unsuspecting prey to arrive at a watering hole) an invisible iframe injected into the compromised site makes each visitor’s browser silently load an exploit from an attacker-controlled server; if the exploit succeeds, it drops a backdoor Trojan that gives the attackers control over the victim’s machine.
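One practical check that follows from this description, written here as an added example and not code from Symantec or from the article: scan a page’s HTML for iframes that a visitor cannot see and that pull content from a host other than the site’s own. The sample page, the domain names in it, and the hidden-style heuristics are constructed for illustration.

```python
"""Hidden-iframe scanner for watering-hole injection checks.

Added example (not Symantec's or the article's code). It walks a page's HTML
with the standard-library parser and flags <iframe> tags that are invisible
to the user (0/1-pixel size, display:none, visibility:hidden, pushed far
off-screen) and reports whether each one points at a host other than the
page's own. The sample page and its domains below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate-looking aeronautics news page with a
# 1x1 off-screen iframe injected near the end of the body.
SAMPLE_PAGE = """<html><body>
<h1>Aero Industry Daily</h1>
<iframe src="https://video.aero-daily.example/player" width="640" height="360"></iframe>
<p>Latest news...</p>
<iframe src="http://cdn-update.example.net/stat.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
<iframe src="/ads/banner.html" style="display:none"></iframe>
</body></html>"""

# Inline-style patterns that make an element invisible or off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|left\s*:\s*-\d{3,}px|top\s*:\s*-\d{3,}px",
    re.I,
)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """An iframe counts as hidden if it is tiny or styled out of view."""
    style = attrs.get("style") or ""
    if HIDDEN_STYLE.search(style):
        return True
    return _tiny(attrs.get("width")) and _tiny(attrs.get("height"))


def find_suspicious_iframes(html, page_host):
    """Return (src, reason) for every hidden iframe in the page.

    Hidden iframes loading from another host get the strongest finding;
    same-site ones are reported for review, since they may be a legitimate
    tracking pixel rather than an injected exploit loader.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        if not is_hidden(attrs):
            continue
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host != page_host:
            findings.append((src, "hidden iframe to external host"))
        else:
            findings.append((src, "hidden iframe on same site (review)"))
    return findings


if __name__ == "__main__":
    for src, reason in find_suspicious_iframes(SAMPLE_PAGE, "aero-daily.example"):
        print(f"{reason}: {src}")
```

Run it against a saved copy of a page you suspect has been tampered with, passing the site’s own hostname; any hidden iframe whose src resolves to an unfamiliar host is the first thing to pull apart in a sandbox, since that is where the exploit page lives.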

Symantec believes the gang involves several teams of varying skills and duties. One team of highly skilled programmers is likely tasked with finding zero-day vulnerabilities, writing exploits, crafting re-usable platform tools, and infecting web sites; while a less skilled team is involved with identifying targets based on various goals — stealing design documents for a military product or tracking the activities of human rights activists — and sending out the spear-phishing attacks. A third team is likely tasked with reviewing and analyzing the intelligence and intellectual property stolen from victims.

Graphic showing how so-called “watering hole” attacks work. Courtesy of Symantec

Eric Chien, senior technical director for Symantec Security Response, says the attackers appeared to operate in waves – going after groups of targets aggressively for three months at a time or so, then going quiet for a while before the next wave of attacks. He speculates that they may be spending the quiet time sifting through and analyzing documents and data they’ve stolen before collecting more from new targets.

The most remarkable thing about the attackers, however, is the number of zero-day vulnerabilities they have burned through in the last three years. Symantec says this suggests they either have access to source code for the popular applications they exploit, or have reverse-engineered those applications so thoroughly that they hold a ready stock of valuable vulnerabilities waiting to be exploited as needed.

“It takes a huge number of people a lot of time to thoroughly reverse-engineer those applications,” Chien says, “or, they potentially have a jumpstart if they have source code.”