In 2009, a group using the Hydraq (Aurora) Trojan horse began a series of high-profile attacks on websites. Symantec has been monitoring the attacking group’s activities for the last three years as it has consistently targeted a number of industries. These attackers have used a large number of zero-day exploits not only against the intended target organization, but also against the supply-chain manufacturers that service the company in their crosshairs. The attackers are systematic and re-use components of an infrastructure we have termed the “Elderwood Platform”; the term “Elderwood” comes from the exploit communication used in some of the attacks. This attack platform enables them to deploy zero-day exploits quickly. Their methodology has always relied on spear-phishing emails, but we are now seeing increased adoption of “watering hole” attacks, in which the attackers compromise websites that the target organization is likely to visit.
The primary targets are within the defense supply chain. A majority of them are not top-tier defense organizations themselves, but companies that manufacture components sold to top-tier defense companies. The attackers expect weaker security postures in these lower-tier organizations and use them as stepping-stones to gain access to top-tier defense contractors, or to obtain intellectual property used in producing parts that make up larger products of a top-tier defense company. Below is a snippet of the various industries that are part of the defense supply chain.
The “watering hole” concept of attack is similar to a predator waiting at a watering hole. The predator knows that prey will eventually have to come to the watering hole, so rather than go hunting, it waits for its victims to come to it. Similarly, attackers find a website that caters to a particular audience, one that includes the target they are interested in. Having identified this website, the attackers compromise it by whatever means they can. They then inject an exploit into public pages of the site that they hope will be visited by their ultimate target. Any visitor running software vulnerable to the exploit is compromised, and a back door Trojan is installed on their computer.
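The injected exploit described above typically arrives as a script or iframe reference that the legitimate page never carried, often hidden from view. The following is an added example, not code from the original page or from Symantec, showing how a site owner can check their own public pages for that pattern: it parses a page and flags script and iframe sources that load from a host outside a constructed allow-list, and additionally flags iframes that are hidden or zero-sized. The sample page, the allow-list, and the hostnames are all constructed for this illustration.

```python
"""Flag script/iframe references a watering-hole injection would add to a page.

Added illustration, not part of the original article. The sample HTML, the
allow-list and every hostname in it are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: hosts this site legitimately loads resources from.
ALLOWED_HOSTS = {"www.example-supplier.test", "cdn.example-supplier.test"}

# Constructed sample page: two legitimate script tags followed by a hidden
# iframe and a script pointing at hosts the site never used.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-supplier.test/lib.js"></script>
</head><body>
<h1>Supplier news</h1>
<iframe src="http://203.0.113.9/ad/index.html" width="0" height="0"
        style="display:none"></iframe>
<script src="//unrelated-host.test/stats.js"></script>
</body></html>"""


def looks_hidden(attrs):
    """True if the element is styled invisible or has a zero dimension."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "1"))
        height = int(attrs.get("height", "1"))
    except ValueError:  # e.g. "100%" - not a plain zero, treat as visible
        return False
    return width == 0 or height == 0


class InjectionFinder(HTMLParser):
    """Collect script/iframe sources that fall outside the allow-list."""

    def __init__(self, page_host, allowed):
        super().__init__()
        self.page_host = page_host.lower()
        self.allowed = {h.lower() for h in allowed}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self._check(tag, a["src"], a)

    def _check(self, tag, src, attrs):
        # Protocol-relative "//host/x.js" and absolute URLs both yield a
        # netloc; relative paths yield "" and are same-origin by definition.
        host = urlparse(src).netloc.split("@")[-1].split(":")[0].lower()
        reasons = []
        if host and host != self.page_host and host not in self.allowed:
            reasons.append(f"loads from unlisted host {host}")
        if tag == "iframe" and looks_hidden(attrs):
            reasons.append("iframe is hidden or zero-sized")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def find_injections(html, page_host, allowed=ALLOWED_HOSTS):
    """Return a list of suspicious script/iframe references found in html."""
    parser = InjectionFinder(page_host, allowed)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in find_injections(SAMPLE_HTML, "www.example-supplier.test"):
        print(f"{f['tag']:6} {f['src']}  ->  {'; '.join(f['reasons'])}")
```

Run against a crawl of your own site, this kind of check catches the common case of an injected remote reference, but not an exploit inlined directly into an existing script block, so it belongs alongside file-integrity monitoring of the web root rather than in place of it.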
Symantec has published a research paper that details the links between various exploits used by this attacking group, their method of targeting organizations, and the Elderwood Platform. It puts into perspective the continuing evolution and sheer resilience of entities behind targeted attacks.
Also, the head of the NSA’s Information Assurance Directorate said, “we’re starting to see nation-state resources and expertise employed in what we would characterize as reckless and disruptive, destructive behaviors,” Reuters reported.
Even adversaries during the Cold War, who were always trying to spy on or disrupt each other, operated within boundaries, she said. “Some of today’s national cyber actors don’t seem to be bound by any sense of restraint,” she said.
Meanwhile, Symantec issued a report saying that the group behind the Aurora attacks, which the company has dubbed the Elderwood gang because of some of the source code they used, has consistently targeted defense-related and other industries with “seemingly an unlimited number of zero-day exploits.”