Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Google Aurora Attackers Still On Loose, Symantec Says

Gang that attacked Google in 2009 has continued operating, stealing sensitive data via zero-day attacks and compromising target companies' business partners.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Whatever happened to the group of attackers that successfully hacked into Google in 2009?

That attack, first disclosed by Google in January 2010 and later dubbed "Operation Aurora"--for the Aurora (a.k.a. Hydraq) Trojan horse application used--was described at the time by Google as "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google." The attack became the basis for what's now generally referred to as the advanced persistent threat (APT), meaning an exploit that's been launched by a technologically astute as well as patient attacker.

Three years later, it turns out that the gang behind the Aurora attacks is still at large, and apparently more technologically advanced than ever. That revelation comes via Symantec, which Friday released a report on the gang and its attack campaigns, which Symantec has dubbed the "Elderwood Project." Elderwood refers to the infrastructure that the gang uses--and to speed up their attacks, largely reuses--to rapidly integrate new zero-day exploits and launch attacks.

One of the major findings from Symantec's report, which notably doesn't mention China or ascribe a geographical location to the origin of the attacks, is that although the gang might still be compromising targets via spear-phishing attacks as it did with Google, it also has begun using what Symantec has dubbed "watering hole" attacks. This means the gang compromises sites that it believes its targets will visit, in advance of their doing so.

[ Read 8 Lessons From Nortel's 10-Year Security Breach. ]

"The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him," according to blog post from Symantec Security Response. In the case of the Aurora gang, this approach involves exploiting the target site, and then attempting to compromise and automatically install a Trojan backdoor application on every PC that visits the site. Symantec said it's seen up to three different zero-day attacks being used in a 30-day period in related attacks.

As that suggests, the attackers seem to have access to top-notch information security expertise. "The group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent," said Symantec. In other words, the attackers aren't stingy.

"Serious zero-day vulnerabilities, which are exploited in the wild and affect a widely used piece of software, are relatively rare; there were approximately eight in 2011," said Symantec. But just in the past few months, the gang has exploited a record four different zero-day vulnerabilities in its attacks. "Although there are other attackers utilizing zero-day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), we have seen no other group use so many," the company said.

The most recently used zero-day attacks targeted two previously unknown flaws in Adobe Flash Player, one in Internet Explorer, and one in Microsoft XML Core Services. All of the exploits can be used to remotely execute code on infected systems. "In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications," said Symantec. "This effort would be substantially reduced if they had access to source code."

Who's most at risk of attack by this gang? Symantec said that to date, defense contractors "who manufacture electronic or mechanical components that are sold to top-tier defense companies" are the principle victims. In other words, businesses outside of that sector shouldn't have to worry about being directly attacked by this particular gang.

But for any businesses in the defense sector, or which works with the defense sector, watch out, and especially for business partners with a weak information security posture. That's because the gang has no qualms about compromising the systems of one of its target's business partners, and then using that business partner's systems to attack and exploit the actual target.

"The attackers do so expecting weaker security postures in these lower tier organizations and might use these manufacturers as a stepping-stone to gain access to top-tier defense contractors, or obtain intellectual property used in the production of parts that make up larger products produced by a top-tier defense company," said Symantec.

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-18
An Improper Access Control vulnerability in the logging component of Bitdefender Endpoint Security Tools for Windows versions prior to allows a regular user to learn the scanning exclusion paths. This issue was discovered during external security research.
PUBLISHED: 2021-05-18
Uncontrolled Search Path Element vulnerability in the openssl component as used in Bitdefender GravityZone Business Security allows an attacker to load a third party DLL to elevate privileges. This issue affects Bitdefender GravityZone Business S...
PUBLISHED: 2021-05-17
Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."