In Google Attack Aftermath, Operation Aurora Keeps on Hacking
The Operation Aurora hackers, who compromised Google's infrastructure a few years ago, are still at it, targeting defense contractors and other companies in their supply chains. The group is persistent, sophisticated and most likely government-sponsored, said Grayson Milbourne, director of threat research at Webroot.
Sep 8, 2012 5:00 AM PT
Over the last three years, the gang has used lots of zero-day attacks against not just defense corporations, but also the manufacturers in their targets' supply chains.
"The group actually utilized at least eight zero-days over a three-year period, which is unheard of," Vikram Thakur, manager, Symantec Security Response, told TechNewsWorld.
Overview of the Attacks
The attackers are systematic, meaning "these attacks are not going away and the group is systematically targeting victims," Thakur explained. Once a zero-day exploit was in danger of being exposed during an attack, the hackers would replace it with another zero-day exploit, thus extending the life of the attack.
The hackers reuse components of an infrastructure Symantec has dubbed the "Elderwood Platform," after the exploit communication used in some of the attacks.
This platform lets the hackers quickly deploy zero-day exploits.
The primary targets are companies in the defense industry supply chain. Symantec said these companies may have weaker security than top-tier defense contractors.
"The Elderwood attacks appear to be very well organized and targeted towards intellectual property," Thakur said.
The hackers used four zero-day exploits in the past few months, Symantec said.
Two of the four leveraged flaws were in the Adobe Flash platform.
They are the Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779) and the Flash Player Remote Code Execution Vulnerability (CVE-2012-1535).
The other two leveraged Internet Explorer. They are the Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875) and the Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889).
"Both of the [Flash Player] vulnerabilities referenced in the Symantec blog post are already fixed," Adobe spokesperson Wiebke Lips told TechNewsWorld.
Consumers and businesses should "keep their software and security protections up-to-date," Lips suggested.
What's In a Name?
The hackers involved have always used spearphishing emails, Symantec said, but they are now increasingly using a technique dubbed "watering hole" attacks.
This involves the hackers' compromising certain websites they believe will likely be visited by their targets, much like predators sit around watering holes.
That's nothing new, said Randy Abrams, a research director at NSS Labs. "The term 'watering hole' probably came about when a marketing professional watched the animated film 'Madagascar' and figured that a targeted drive-by needed a new name to make it more marketable," he told TechNewsWorld.
Plenty More Where That Came From?
The hackers apparently have access to lots of zero-day exploits, Symantec believes.
"We know how difficult zero-day vulnerabilities are to come by, and the resources required to obtain them," Symantec's Thakur said. "This group definitely has the largest cache of zero-days we've ever seen utilized."
The hackers "seem to be very well resourced, which would explain the research they're able to perform in order to locate those zero-day vulnerabilities," Thakur remarked.
"Code has become so complex that multitudes of vulnerabilities are bound to exist," NSS Labs' Abrams said. "If a target is cost-effective, then massive resources can be put into exploit discovery and development. Finding holes is always easier than writing vulnerability-free code."
That kind of effort to locate zero-day vulnerabilities is needed because "in most cases, these exploits are fixed very soon after being discovered," Grayson Milbourne, director of threat research at Webroot, told TechNewsWorld.
Anonymous May Be Innocent
It's unlikely that the hacker group Anonymous, which has previously vowed to target defense contractors, was behind the Elderwood attack, Webroot's Milbourne said.
"I would say these are more organized, possibly government sponsored, attacks," Milbourne said. "It's hard to say for sure, but typically Anonymous likes to take credit for their hacks."