Security researchers monitoring cybercriminals tied to the 2009 Aurora attacks said the group is demonstrating strong skills and sophistication, using a flurry of zero-day vulnerabilities in 2011 and at least four zero-day flaws over the last few months.
These guys are persistent, they're constant and any of these organizations are potentially vulnerable.
Eric Chien, senior technical director, Symantec Security Response.
The group's primary target appears to be U.S. defense contractors and their partners in the supply chain, including manufacturers of electronic or mechanical components.
Symantec issued a research paper Friday analyzing the group's apparent increased use of zero-day flaws and a new targeted attack technique. The group, which relied on spear phishing attacks to infect employee computers, has also introduced a "watering hole" style attack, targeting website vulnerabilities in sites often visited by the targeted organization's employees. Similar to a drive-by attack, the cybercriminals wait for a victim to visit the compromised website and scan the victim's computer for vulnerabilities.
"The group seemingly has an unlimited supply of zero-day vulnerabilities," said Symantec, which calls the attacks the Elderwood Project, based on the exploit source code used in the attacks. "The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent."
Symantec said the group used approximately eight zero-day flaws in 2011. In 2012 the group appears to be continuing its targeted attacks. Since April, two flash player zero-day flaws were used in attacks as well as an Internet Explorer zero-day and a zero-day in the Microsoft XML Core Services. The flaws have since been patched.
The Operation Aurora attacks were uncovered in December 2009. Google and dozens of other companies were victims of a cyberattack believed to have originated in China. The attackers appear to be interested in a wide range of targets, including human rights groups. Victims were infected with the Hydraq Trojan, which was delivered using an Internet Explorer vulnerability. It opened a backdoor on victim's machines, ultimately letting attackers leapfrog onto the corporate network.
Despite a number of security firms closely monitoring the group's activities, detecting an attack may be difficult, said Eric Chien, senior technical director for Symantec Security Response. Chien said the group is constantly changing its malicious binaries and command and control infrastructure and adding new exploits. The group works in waves, actively attacking their targets over a three month period, then going dark for several months.
"U.S. organizations are definitely predominant in the statistics, but we definitely are seeing them all over the world," Chien said. "These guys are persistent, they're constant and any of these organizations are potentially vulnerable."
Listen to the interview
Eric Chien, senior technical director for Symantec Security Response explains that the group behind the campaign are using a number of zero-day exploits and a new drive-by attack technique.
Chien said Symantec researchers detected some Hydraq code used in binaries recovered in 2011 and 2012 attacks. The packer or outer obfuscation later of the malicious code is being reused, enabling antivirus and other security technologies to be effective in detecting the Trojan, he said.
The use of zero-day flaws displays a high level of skill and funding, Chien said.
"They definitely have an infrastructure where there are people making the tools and operators essentially using those tools to help conduct their attacks," he said. "We don't see any evidence that this is a classic cybercrime gang. Clearly they are after intellectual property like design documents, source code if you are a software company, business intelligence like contracts and merger and acquisition documents."
Symantec is warning defense sector manufacturers to expect a new round of attacks in 2013. The group will also target any business partner connected to the manufacturer, including subsidiaries, business partners and associated companies, Symantec said.
Spear phishing continues to be a common way for the group to carry out attacks, but the watering hole technique frequency is increasing, Symantec said in its paper, The Elderwood Project (pdf). The technique was first detected by RSA researchers in July. Website weaknesses are common and not difficult to detect and exploit, enabling attackers to inject attack code into an iFrame and wait for victims to visit the legitimate site.
"The attackers may compromise a website months before they actually use it in an attack," the Symantec researchers said. "Once compromised, the attackers periodically connect to the website to ensure that they still have access."