'The Elderwood Project' - more than a one-hit wonder

Opinion by Dan Raywood

It was the story that confirmed that state-sponsored hacking occurred and gave birth to the term 'advanced persistent threat' (APT).

It was the story that confirmed that state-sponsored hacking occurred and gave birth to the term 'advanced persistent threat' (APT).

In January 2010 there were reports of attacks made on several targets, including the most notable and widely-reported, Google. The attacks were later named operation Aurora and this remains one of the most well-known security stories of recent times.

Of course other notable attacks have happened since and there were rumours of state-sponsored attacks before this, but two years since Google's revelation, the group behind it all seemed to have fallen silent.

That is until recently, when research by Symantec found that the attackers had not been resting on their reputation, but had been busy targeting other companies and organisations, using some of the same methods of attack and a remarkable menu of zero-day vulnerabilities.

Symantec found that the attackers used at least eight zero-days in the last three years, including ones that targeted Flash and Microsoft's Internet Explorer browser.

Symantec's research found that the campaign by the gang, which it named 'The Elderwood Project' (based on a variable used in the source code by the attackers) had carried out targeted attacks over the last three years.

It said that the attackers also make use of an exploitation technique called a 'watering hole attack' where the attackers compromise a website that caters to the interests of people working within the targeted organisation. It said that the attackers wait for the target to come to them, rather than explicitly going after the target. This involves infecting websites frequented by targeted companies, or even lower-tier organisations in the defence supply chain.

Eric Chien, senior technical director for Symantec Security Response, told SC Magazine US that the adversaries have strategically shifted techniques used to commit cyber espionage, saying that it "allows them to broaden their attack".

The Symantec research found that as many as 400 organisations had been linked to the campaign, with US defence targets, IT service providers, human rights and non-governmental organisations among other sectors around the globe that have been impacted.

It did not confirm where the attackers may be operating from, but researchers suspect that the group is backed by a nation state or a larger, well-organised entity.

Speaking to SC Magazine, Symantec EMEA security CTO Greg Day said that before Aurora it was about automated attacks by cyber criminals, then it was APTs and now it is about volumising those to scale further.

He said: “There are different zero-day vulnerability methods of entry and consistency, so it is very evident of zero-day use and discovery from this group. The first big one got a mention, the rest have fallen into public domain knowledge. With Flame, the victims never knew they were compromised, with Aurora there was also a compromise but did it ever come out?

“We have seen cyber criminals move from being pickpockets to great train robbers; they put the team together and put the work in. Aurora is a group effort and we see five different adversaries in there, we can see their professionalism and different roles in the attack. An APT takes a lot of time and effort and the cyber criminal can scale up a model.”

Like all good one-hit wonders, you never know when they will strike again. However if this particular gang is backed by a nation state, then it is no surprise that they made their mark and became more of a silent adversary. A number of groups with a much more vocal agenda and with zero-day exploits available followed. With target organisations falling under other attacks, you have to wonder how much the Elderwood Project really is involved.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events