September 8, 2012

Hackers Behind 2009 Google Attacks Striking Again, Symantec Says

redOrbit Staff & Wire Reports — Your Universe Online

The group that unleashed the Hydraq (also known as Aurora) Trojan horse against Google and 34 other companies in 2009 has also been linked to attacks that have compromised systems at defense contractors, human rights organizations, and other groups, according to one computer security firm.

In a report released on Friday, Symantec officials revealed that they had been monitoring the group's activities and discovered that the group had used "a large number of zero-day exploits against not just the intended target organization, but also on the supply chain manufacturers that service the company in their cross hairs."

The hackers have repeatedly reused components of an attack infrastructure that Symantec dubbed the "Elderwood Platform," after the exploit communication used in several of the attacks. This platform enables the group to "quickly deploy zero-day exploits," attacks that exploit vulnerabilities for which no vendor patch yet exists.

"Serious zero-day vulnerabilities, which are exploited in the wild and affect a widely used piece of software, are relatively rare; there were approximately eight in 2011. The past few months, however, have seen four such zero-day vulnerabilities used by the Elderwood attackers," Symantec's Security Response team said.

"Although there are other attackers utilizing zero-day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), we have seen no other group use so many," they added. "The number of zero-day exploits used indicates access to a high level of technical capability."

According to eWeek's Robert Lemos, the group referred to by Symantec has discovered vulnerabilities that let it install Hydraq/Aurora, gain control of the affected machines, and steal data. The group has used "targeted email messages" to "infiltrate businesses and fool employees into running" the attackers' code, he said, and has increasingly turned to the approach known as a "watering hole" attack, in which the attackers compromise a website their intended victims are known to visit and serve the exploit from there rather than by email.

Justin Rubio of The Verge and Kim Zetter of Wired said that the hackers at the center of the Symantec report were the ones behind what Rubio refers to as "Operation Aurora," the "highly coordinated" hacking effort that targeted a total of 34 companies three years ago.

Zetter said that the group used some of the same methods in their more recent attacks, while also taking advantage of zero-day vulnerabilities in Adobe Flash and Microsoft Internet Explorer.

"The majority of the victims have been in the U.S., with the attacks focused on gathering intelligence and stealing intellectual property -- such as product design documents and trade secrets, infrastructure details and information about contacts," Zetter said. "Many of the attacks have involved supply-chain companies that provide services or electronic and mechanical parts to targeted industries. Symantec says it appears the attackers have used victims in the supply-chain as stepping-stones to breach companies they're really targeting."

"In some cases the gang used spear-phishing attacks to infect their targets through an exploit embedded in an email attachment or through a link to a malicious web site; but they have increasingly used another technique that involves breaching web sites that cater to a particular audience that they want to target -- such as an aeronautical web site catering to workers in the defense industry -- and injecting an exploit into web pages, waiting for victims to visit the pages and be infected," the Wired reporter added.