Google Hackers Exploit Eight Zero-Days To Hit Defence Firms

The same hacking group that hit Google in the Aurora attacks of 2009 have been targeting defence firms and exploiting a massive eight zero-day vulnerabilities along the way.

Dubbed the Elderwood Project, the offensive operation is believed to be the work of a well-funded group of hackers, possibly a nation state.

They are targeting organisations in the defence supply chain, including shipping companies, aeronautic firms and energy suppliers, possibly in order to attack top-tier contractors.

Symantec said it had never seen any single group exploiting so many zero-days – unknown, unpatched flaws – as four were used in attacks in the last four months alone. The group managed to find zero-days in some of the most widely-used software around, including Adobe Flash Player and Microsoft’s Internet Explorer.

Unlimited zero-days

“The group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent,” a blog post from the company read.

Over a 30-day period compromised websites were serving up back-door Trojans exploiting three zero-days. The Elderwood underlings chose to compromise certain websites that they knew their targets would visit, in an attack vector known as a “watering hole” hit.

“The attacks begin with an attacker locating a vulnerability on a chosen website. This vulnerability allows the attacker to insert some JavaScript, or HTML, into the website. That piece of code contains a link, or iFrame, which points to another Web page that actually hosts exploit code for the chosen vulnerability,” Symantec explained in its report.

“When a user connects to the hacked website, they are automatically referred to the malicious Web page which exploits a vulnerability allowing the attacker to  install malware onto the victim’s computer.”

The malware in question is Hydraq, otherwise known as Aurora, that was used to hit Google in late 2009. At the time, Google claimed China was behind the hit, something the superpower denied.

Spear phishing – where emails are sent to specific people in the target organisation containing links to malware – was also used.

Almost three-quarters of successfully infected systems were in the US, whilst nine percent were in Canada and six percent in China. Some firms in the UK were hit, but less than three percent.

Symantec told any companies supplying defence contractors to be on the lookout for attacks coming from partners. “Any manufacturers who are in the defense supply chain need to be wary of attacks emanating from subsidiaries, business partners, and associated companies,” it warned.

“It is possible that those trusted companies were compromised by the attackers who are then using them as a stepping-stone to the true intended target. Companies and individuals should prepare themselves for a new round of attacks in 2013 utilizing both Adobe Flash and Internet Explorer zero-day exploits. This is particularly the case for companies who have been compromised in the past  and managed to evict the attackers.”

No one has yet determined who is funding the Elderwood project, but fingers will undoubtedly point to China, given its connection to the Aurora attacks.

Orla Cox, security operations manager at Symantec, said it appeared the hackers were not purchasing the zero-day exploits, but finding them on their own, something which would take a significant amount of time and effort.

“This shows even if it is possible for people to buy zero-day exploits, there are other groups out there who have the ability to use their own,” she told TechWeekEurope. “I would think this group has actually stockpiled zero-days, so their could be more that they haven’t used.

“To reverse engineer a piece of malware would take a long time. I would imagine they have teams of people doing this, and it is their full time job. Their is definitely some division of labour in the group, where they have the skills guys and the other guys who carry out the attack.”

Are you a security guru? Try our quiz!