Google Aurora attackers continue online crime spree
Much like the case with Google, Hydraq attackers are aiming to commit intellectual property theft, this time exploiting supply chain vulnerabilities to steal information from top-tier U.S. defense contractors and other organizations.
While the attackers used spear phishing emails in the past, researchers are now seeing the emergence of “watering hole” tactics being used – where they infect websites frequented by targeted companies, or even lower-tier organizations, like manufacturers, in the defense supply chain. This latest campaign by attackers has been coined the “Elderwood Project” by Symantec.
Eric Chien, senior technical director for Symantec Security Response, told SCMagazine.com on Friday that the adversaries have strategically shifted techniques used to commit cyber espionage.
“It allows them to broaden their attack,” Chien said. “They get a variety of people and they hope at least one of these machines is of targeted interest.”
Attacks on as many as 400 organizations have been linked to the Hydraq campaign, according to Symantec.
The attackers use zero-day exploits to infect machines running outdated versions of Adobe Flash, Microsoft Internet Explorer or Microsoft XML Core Services, Chien said. The exploit is injected into the public pages of websites, so the criminals can sit back and let their victims come to them.
“Typically, once they get into an organization, they spider out,” Chien said. “They are looking for business intelligence, like documents, contracts, mergers, product information – basically the crown jewels of any company.”
Will Gragido, senior manager of RSA's advanced threat intelligence team, said that watering hole techniques can vary, though the purpose of the tactics is the same.
Gragido told SCMagazine.com on Friday that other groups using the tactics have redirected victims from compromised websites.
“In compromising the site, IFRAME technology redirects them to an entirely different URL that downloads a dropper,” Gragido said.
In using this technique, attackers often pollute reputable sites of companies, such as financial institutions, he said.
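The injection pattern Gragido describes, a hidden IFRAME added to a reputable site's page that redirects visitors to a dropper, is something a site owner can audit for on their own pages. The following is an added example written for this article, not tooling from Symantec, RSA or any of the organizations mentioned: it parses HTML, lists every iframe, and flags those that point to a host outside an assumed allow-list of the site's own domains or that are sized or styled to be invisible. The sample page, the allow-list and the domains in it are constructed placeholders.

```python
"""Audit a site's own HTML for injected, off-site or hidden IFRAMEs.

Added example for a defender checking their pages for watering-hole style
injection. The page, the allow-list and every hostname below are constructed
placeholders, not values from the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is expected to embed legitimately (assumed allow-list).
TRUSTED_HOSTS = {"www.example-site.test", "cdn.example-site.test"}


class IframeCollector(HTMLParser):
    """Collects the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True when the frame is styled or sized so a visitor would never see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "100").rstrip("px"))
        height = int(attrs.get("height", "100").rstrip("px"))
    except ValueError:  # percentages or other units: treat as visible
        return False
    return width <= 1 or height <= 1


def find_suspicious_iframes(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (src, reasons) for iframes that are off-site or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in trusted_hosts:
            reasons.append("external host: " + host)
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate widget frame and one injected 1x1 frame.
SAMPLE_PAGE = """
<html><body>
<h1>Supplier portal</h1>
<iframe src="https://cdn.example-site.test/widget.html" width="300" height="200"></iframe>
<iframe src="http://attacker-placeholder.test/load.php" width="1" height="1" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE):
        print(src, "->", ", ".join(reasons))
```

Run against a crawl of the site's own public pages, this catches the static form of the injection only; an injected script that builds the frame at runtime would not appear as an `<iframe>` tag in the fetched HTML, so the allow-list check is best paired with a similar audit of external script sources and with integrity monitoring of the files on the web server.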