Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Google Aurora Attackers Still On Loose, Symantec Says

Gang that attacked Google in 2009 has continued operating, stealing sensitive data via zero-day attacks and compromising target companies' business partners.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Whatever happened to the group of attackers that successfully hacked into Google in 2009?

That attack, first disclosed by Google in January 2010 and later dubbed "Operation Aurora"--for the Aurora (a.k.a. Hydraq) Trojan horse application used--was described at the time by Google as "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google." The attack became the basis for what's now generally referred to as the advanced persistent threat (APT), meaning an exploit that's been launched by a technologically astute as well as patient attacker.

Three years later, it turns out that the gang behind the Aurora attacks is still at large, and apparently more technologically advanced than ever. That revelation comes via Symantec, which Friday released a report on the gang and its attack campaigns, which Symantec has dubbed the "Elderwood Project." Elderwood refers to the infrastructure that the gang uses--and to speed up their attacks, largely reuses--to rapidly integrate new zero-day exploits and launch attacks.

One of the major findings from Symantec's report, which notably doesn't mention China or ascribe a geographical location to the origin of the attacks, is that although the gang might still be compromising targets via spear-phishing attacks as it did with Google, it also has begun using what Symantec has dubbed "watering hole" attacks. This means the gang compromises sites that it believes its targets will visit, in advance of their doing so.

[ Read 8 Lessons From Nortel's 10-Year Security Breach. ]

"The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him," according to blog post from Symantec Security Response. In the case of the Aurora gang, this approach involves exploiting the target site, and then attempting to compromise and automatically install a Trojan backdoor application on every PC that visits the site. Symantec said it's seen up to three different zero-day attacks being used in a 30-day period in related attacks.

As that suggests, the attackers seem to have access to top-notch information security expertise. "The group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent," said Symantec. In other words, the attackers aren't stingy.

"Serious zero-day vulnerabilities, which are exploited in the wild and affect a widely used piece of software, are relatively rare; there were approximately eight in 2011," said Symantec. But just in the past few months, the gang has exploited a record four different zero-day vulnerabilities in its attacks. "Although there are other attackers utilizing zero-day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), we have seen no other group use so many," the company said.

The most recently used zero-day attacks targeted two previously unknown flaws in Adobe Flash Player, one in Internet Explorer, and one in Microsoft XML Core Services. All of the exploits can be used to remotely execute code on infected systems. "In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications," said Symantec. "This effort would be substantially reduced if they had access to source code."

Who's most at risk of attack by this gang? Symantec said that to date, defense contractors "who manufacture electronic or mechanical components that are sold to top-tier defense companies" are the principle victims. In other words, businesses outside of that sector shouldn't have to worry about being directly attacked by this particular gang.

But for any businesses in the defense sector, or which works with the defense sector, watch out, and especially for business partners with a weak information security posture. That's because the gang has no qualms about compromising the systems of one of its target's business partners, and then using that business partner's systems to attack and exploit the actual target.

"The attackers do so expecting weaker security postures in these lower tier organizations and might use these manufacturers as a stepping-stone to gain access to top-tier defense contractors, or obtain intellectual property used in the production of parts that make up larger products produced by a top-tier defense company," said Symantec.

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-23
Upwork Time Tracker doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.
PUBLISHED: 2019-07-23
GNUBOARD5 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board title contents" parameter, aka the adm/board_form_update.php bo_subject parameter.
PUBLISHED: 2019-07-23
Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is: denial of service. The component is: function Jsi_ValueArrayIndex (jsiValue.c:366). The attack vector is: executing crafted javascript code. The fixed version is: after commit 738ead193aff380a7e3d7ffb8e11e446f76867f3.
PUBLISHED: 2019-07-23
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thre...
PUBLISHED: 2019-07-23
A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supp...