Sleuths Trace New Zero-Day Attacks to Hackers Who Hit Google

The attackers who hacked Google two years ago have been busy hitting other companies with a series of eight zero-day exploits, according to new findings from Symantec that link them to ongoing activity against the defense industry and other sectors.
[Graphic showing how the Elderwood gang conducts its attacks. Image: Courtesy of Symantec]

It's been more than two years since Google broke corporate protocol by revealing that it had been the victim of a persistent and sophisticated hack, traced to intruders in China that the company all but said were working for the government.

And it turns out the hacker gang that hit the search giant hasn't been resting on its reputation; it's been busy targeting other companies and organizations, using some of the same methods of attack, as well as a remarkable menu of valuable zero-day vulnerabilities. The attackers used at least eight zero-days in the last three years, including ones that targeted the ubiquitous software plugin Flash and Microsoft's popular IE browser.

Researchers at Symantec traced the group's work after finding a number of similarities between the Google attack code and methods and those used against other companies and organizations over the last few years.

The researchers, who describe their findings in a report published Friday, say the gang -- which they have dubbed the "Elderwood gang" based on the name of a parameter used in the attack codes -- appears to have breached more than 1,000 computers in companies spread throughout several sectors - including defense, shipping, oil and gas, financial, technology and ISPs. The group has also targeted non-governmental organizations, particularly ones connected to human rights activities related to Tibet and China.

The majority of the victims have been in the U.S., with the attacks focused on gathering intelligence and stealing intellectual property - such as product design documents and trade secrets, infrastructure details and information about contacts. Many of the attacks have involved supply-chain companies that provide services or electronic and mechanical parts to targeted industries. Symantec says it appears the attackers have used victims in the supply-chain as stepping-stones to breach companies they're really targeting.

In some cases the gang used spear-phishing attacks to infect their targets through an exploit embedded in an e-mail attachment or through a link to a malicious web site; but they have increasingly used another technique that involves breaching web sites that cater to a particular audience that they want to target -- such as an aeronautical web site catering to workers in the defense industry -- and injecting an exploit into web pages, then waiting for victims to visit the pages and be infected.

In these so-called "watering hole" attacks - named for their similarity to a lion waiting for unsuspecting prey to arrive at a watering hole - an invisible iframe on the web site causes victim computers to contact a server and silently download a backdoor Trojan that gives the attackers control over the victim's machine.
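The injected, invisible iframe is the part of a watering-hole compromise a site owner can look for in their own pages. The following is an added example, not code from Symantec or the report; it scans a page's HTML for iframes that are sized to zero, hidden by CSS, or point off-site, using a constructed sample page and placeholder host names.

```python
# Added example (not from the Symantec report): flag "invisible" iframes in a
# page, the injection pattern described for watering-hole attacks. Heuristic
# only: it catches the common hiding tricks, not every obfuscation.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

HIDING_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels or bare number)."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []          # list of (src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if HIDING_CSS.search(a.get("style", "")):
            reasons.append("hidden-by-css")
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host:
            reasons.append("external-src")
        if reasons:
            self.findings.append((src, reasons))

def audit_page(html, page_host):
    """Return the suspicious iframes found in html served from page_host."""
    p = IframeAuditor(page_host)
    p.feed(html)
    return p.findings

# Constructed sample: a legitimate embedded video plus an injected 0x0 frame
# pointing at an off-site host (placeholder names, not real indicators).
SAMPLE = """<html><body>
<iframe src="https://example-aero.test/video" width="640" height="360"></iframe>
<iframe src="http://exploit-host.invalid/x.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_page(SAMPLE, "example-aero.test"):
        print(src, why)
```

Run it over a saved copy of each page on a periodic schedule and diff the findings against the previous run; a newly appearing hidden, off-site iframe is the signal worth investigating.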

Symantec believes the gang involves several teams of varying skills and duties. One team of highly skilled programmers is likely tasked with finding zero-day vulnerabilities, writing exploits, crafting re-usable platform tools, and infecting web sites; while a less skilled team is involved with identifying targets based on various goals -- stealing design documents for a military product or tracking the activities of human rights activists -- and sending out the spear-phishing attacks. A third team is likely tasked with reviewing and analyzing the intelligence and intellectual property stolen from victims.

[Graphic showing how so-called "watering hole" attacks work. Image: Courtesy of Symantec]

Eric Chien, senior technical director for Symantec Security Response, says the attackers appeared to operate in waves - going after groups of targets aggressively for three months at a time or so, then going quiet for a while before the next wave of attacks. He speculates that they may be spending the quiet time sifting through and analyzing documents and data they've stolen before collecting more from new targets.

The most remarkable thing about the attackers, however, is the number of zero-day vulnerabilities they have burned through in the last three years, which, Symantec says, suggests that they may have access to source code for the popular applications they're exploiting or may have so thoroughly reverse-engineered the applications that they have a ready supply of valuable vulnerabilities waiting to be exploited, as needed.

"It takes a huge number of people a lot of time to thoroughly reverse-engineer those applications," Chien says, "or, they potentially have a jumpstart if they have source code."

A zero-day vulnerability is a security hole in software that is unknown by the vendor and therefore unpatched. Zero-day exploits are malicious code used to attack such holes and open a door for attackers to deposit malicious programs, such as a Trojan horse, onto a target machine.

It's fairly rare to find zero-day exploits in the wild that target popular software products, since it takes a lot of effort to find the vulnerabilities and write a workable exploit. Symantec notes that there were only about eight zero-day exploits uncovered in the wild last year. But the Elderwood gang has used eight zero-days in three years. In just a one-month period earlier this year, they released three successive exploits for three zero-day vulnerabilities.

"It’s pretty crazy," says Chien. "I would even venture to say they probably have an unlimited supply of zero-days, and are constantly producing them. I think that’s pretty worrisome."

Among the three zero-day vulnerabilities the attackers' exploits targeted over the month was one vulnerability in Adobe Flash, one in Microsoft's Internet Explorer browser, and one in Microsoft XML Core Services.

A fourth zero-day exploit was recently uncovered targeting a different vulnerability in Adobe Flash.

[List of eight zero-day exploits the Elderwood gang has used since 2010. Image: Courtesy of Symantec]

The attackers appeared to have the exploits lined up waiting to use so that as soon as one zero-day exploit was discovered, another one was ready to go, the researchers say.

"The timing of the release of these three exploits was suspicious," the researchers write in their report. "As soon as one had been identified, the next became active."

After examining all of the exploits, researchers found similarities that tied them together. Those in turn were tied to malware used in the Google hack.

Symantec began connecting the dots to the Google gang after noticing that seven different Trojan horses found in the wild last April had all popped up on infected machines through a single zero-day vulnerability in Adobe Flash. The researchers began searching their database of known malicious binaries for any other malicious software that was similar, and found a number that contained various similarities, including the same binary in some cases.

One piece of malware that popped up as a match was the Hydraq trojan that was used in the Google hack. Hydraq used the same packer that some of the more recent attacks used.

"We haven’t seen that packer used for any other software or trojans that were used as part of other cybercrime attacks," Chien says.

This caused the researchers to dig further and find more malware with other similarities.

"We started to connect the dots and trace it all the way back to the Aurora-Hydraq," Chien says, "and we realized, wow, these guys are all the same group."

They found two other Adobe Flash zero-day attacks that appeared in March 2011 that matched the latest attacks, as well as a fifth Adobe Flash zero-day that appeared in Sept. 2011, which was used to attack anyone who visited the Amnesty International Hong Kong web site.

The various attacks involved re-usable tools that helped the researchers connect them to each other.

In some cases the attacks used similar packers to obfuscate the malware and bypass anti-virus scanners; in other cases they communicated with the same command-and-control servers. The researchers also found signs that the attackers likely used a document creation tool to conduct their attacks. After the attackers find a document on the web that is likely to interest a specific victim, they use the tool to bundle the document with exploit code and a Trojan, so that it's ready to use with their next attack.

Other commonalities involved encryption that was modified the same way in a number of the attacks, as well as a Shockwave Flash file the attackers used in some cases to trigger the exploits they embedded in documents. In other cases, they used the file to "spray the heap," that is, to create the optimal condition for their exploit to activate.

All of these commonalities are part of what Symantec is calling the "Elderwood platform." "Elderwood" comes from the name the attackers have given a parameter in their attack code that is used to direct victim computers to the URL where a backdoor Trojan is downloaded to their machines.

"Although each of these relationships by themselves is probably not sufficient evidence to connect the various exploits," the researchers write, "the combination of all [the] different links is a strong indicator that a single group or entity is behind the use of these zero-day exploits."

It's not known how long the group has been operating. The hack of Google was the first publicly disclosed breach involving the gang.

Google revealed in January 2010 that it had been breached by hackers, beginning the previous December, using a zero-day vulnerability in Internet Explorer.

Google said at the time that the intruders had stolen unspecified intellectual property, but said the primary goal of the attackers appeared to be to hack into the Gmail accounts of Chinese human rights activists. The attackers succeeded in obtaining access to two of those accounts, but their access was limited to basic account information, such as the date the account was created and the subject lines of e-mail, not the content of correspondence.

Subsequent reports at the time indicated that the same hackers had breached at least 33 other companies, including financial institutions and defense contractors, and had sought to steal source code from several high-tech firms based in Silicon Valley. The New York Times seemed to back this up by later reporting that the hackers had stolen source code for Google's global password system by gaining access to the company's software repository.

Shortly after Google announced that it had been hacked, Adobe revealed that it had also been the victim of a "sophisticated, coordinated attack." Adobe has never said whether it was a victim of the same attackers as Google, or whether any of its source code was stolen in the attack. But if Adobe's source code was stolen, it would seem to support Symantec's speculation that the Elderwood gang has had access to source code to craft some of the zero-day exploits it has used in its attacks.

Five of the eight zero-day exploits the gang used in the last three years were exploits for the Adobe Flash Player.

Update 9.10.12: Adobe's Brad Arkin, senior director of product security and privacy, responded to the speculation from Symantec, telling Wired that, "We are not aware of any evidence (direct or circumstantial) indicating bad guys have [source code]."

Arkin also wrote in a tweet that the zero-day vulnerabilities the hackers exploited in the Adobe Flash Player can be found through fuzzing techniques, a method researchers and hackers use to uncover vulnerabilities in software, and therefore they would not have needed the source code.