11:07 AM

Google Aurora Attackers Still On Loose, Symantec Says

Gang that attacked Google in 2009 has continued operating, stealing sensitive data via zero-day attacks and compromising target companies' business partners.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Whatever happened to the group of attackers that successfully hacked into Google in 2009?

That attack, first disclosed by Google in January 2010 and later dubbed "Operation Aurora"--for the Aurora (a.k.a. Hydraq) Trojan horse application used--was described at the time by Google as "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google." The attack became the basis for what's now generally referred to as the advanced persistent threat (APT), meaning an exploit that's been launched by a technologically astute as well as patient attacker.

Three years later, it turns out that the gang behind the Aurora attacks is still at large, and apparently more technologically advanced than ever. That revelation comes via Symantec, which Friday released a report on the gang and its attack campaigns, which Symantec has dubbed the "Elderwood Project." Elderwood refers to the infrastructure that the gang uses--and to speed up their attacks, largely reuses--to rapidly integrate new zero-day exploits and launch attacks.

One of the major findings from Symantec's report, which notably doesn't mention China or ascribe a geographical location to the origin of the attacks, is that although the gang might still be compromising targets via spear-phishing attacks as it did with Google, it also has begun using what Symantec has dubbed "watering hole" attacks. This means the gang compromises sites that it believes its targets will visit, in advance of their doing so.

[ Read 8 Lessons From Nortel's 10-Year Security Breach. ]

"The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him," according to blog post from Symantec Security Response. In the case of the Aurora gang, this approach involves exploiting the target site, and then attempting to compromise and automatically install a Trojan backdoor application on every PC that visits the site. Symantec said it's seen up to three different zero-day attacks being used in a 30-day period in related attacks.

As that suggests, the attackers seem to have access to top-notch information security expertise. "The group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent," said Symantec. In other words, the attackers aren't stingy.

"Serious zero-day vulnerabilities, which are exploited in the wild and affect a widely used piece of software, are relatively rare; there were approximately eight in 2011," said Symantec. But just in the past few months, the gang has exploited a record four different zero-day vulnerabilities in its attacks. "Although there are other attackers utilizing zero-day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), we have seen no other group use so many," the company said.

The most recently used zero-day attacks targeted two previously unknown flaws in Adobe Flash Player, one in Internet Explorer, and one in Microsoft XML Core Services. All of the exploits can be used to remotely execute code on infected systems. "In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications," said Symantec. "This effort would be substantially reduced if they had access to source code."

Who's most at risk of attack by this gang? Symantec said that to date, defense contractors "who manufacture electronic or mechanical components that are sold to top-tier defense companies" are the principle victims. In other words, businesses outside of that sector shouldn't have to worry about being directly attacked by this particular gang.

But for any businesses in the defense sector, or which works with the defense sector, watch out, and especially for business partners with a weak information security posture. That's because the gang has no qualms about compromising the systems of one of its target's business partners, and then using that business partner's systems to attack and exploit the actual target.

"The attackers do so expecting weaker security postures in these lower tier organizations and might use these manufacturers as a stepping-stone to gain access to top-tier defense contractors, or obtain intellectual property used in the production of parts that make up larger products produced by a top-tier defense company," said Symantec.

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.