Google Aurora attackers still at large, targeting mainly US finance, energy, and education companies

Google Aurora attackers still at large, targeting mainly US finance, energy, and education companies

More than two years ago, news broke that a hacker group had been attacking dozens of organizations as part of a campaign called Operation Aurora, which led the German government to issue a warning to its citizens about Internet Explorer and led to various problems for Google in China.

The cyber attack began in mid-2009 and continued through December 2009, but was only publicly disclosed by Google in January 2010. The search giant said the sophisticated attack originated from China, and that it had been aimed at dozens of other organizations, including Adobe, Juniper Networks, Rackspace, Yahoo, Northrop Grumman, Morgan Stanley, Dow Chemical, and Symantec.

That last one is key to today’s story, because the security company says the operation is still active, and the situation looks grim, very grim.

In fact, Symantec says the group behind the operation, which it has dubbed “Elderwood,” has been conducting a long-term campaign targeting four main sectors: finance, energy (oil and gas), education, and of course governments. There are also outlier victims, such as a hotel jobs site, which the security firm believes were attacked in error and are seen as collateral damage. The security firm has published details in a 14-page research report titled “The Elderwood Project” (PDF).

The first thing that stands out in the report is that the vast majority of detections are in the US. In the last year, Symantec detected 677 files used by the Elderwood gang in the US. Rounding out the top five is Canada with 86 files, China with 53, Hong Kong with 31, and Australia also with 31.

Symantec has found that the group is using a variety of techniques in its attacks. Elderwood’s favorite strategy is the “watering hole” attack, in which the group waits for its victims to come to them, rather than hunting them down. First, the gang identifies a website frequented by employees of a targeted organization. They then hack that legitimate site and plant one or more carefully selected exploits on some of its pages. Lastly, they wait in the hopes that the employee’s computer will be compromised in turn. Elderwood reportedly has a large stockpile of zero-day Adobe Flash and Internet Explorer vulnerabilities which they leverage as needed.

Here’s an excerpt from the report’s conclusion:

The Elderwood hackers use multiple zero-day exploits, multiple Trojans, and multiple delivery vectors. They are responsible for compromising numerous websites, corporations, and individuals over the past three years. This group is focused on wholesale theft of intellectual property and clearly has the resources, in terms of manpower, funding, and technical skills, required to implement this task.

Any manufacturers who are in the defense supply chain need to be wary of attacks emanating from subsidiaries, business partners, and associated companies. It is possible that those trusted companies were compromised by the attackers who are then using them as a stepping-stone to the true intended target. Companies and individuals should prepare themselves for a new round of attacks in 2013 utilizing both Adobe Flash and Internet Explorer zero-day exploits. This is particularly the case for companies who have been compromised in the past and managed to evict the attackers. The knowledge that the attackers gained in their previous compromise will assist them in any future attacks.

If you can’t stomach the full report, Symantec has also released the following infographic that “sums up the facts and figures” uncovered in the research.

I recommend you grab the full report though, and at least give it a quick skim.

Image credit: stock.xchng

Read next: Stanford-affiliated accelerator StartX breaks past $1M in 2012 funding, hosts an impressive demo day