Google Aurora attackers continue online crime spree


Symantec researchers have linked a slew of recent high-profile attacks, which include the 2010 Aurora attacks on Google by suspected Chinese hackers, to a backdoor trojan named Hydraq.

Much like the case with Google, Hydraq attackers are aiming to commit intellectual property theft, this time exploiting supply chain vulnerabilities to steal information from top-tier U.S. defense contractors and other organizations.

While the attackers used spear phishing emails in the past, researchers are now seeing the emergence of “watering hole” tactics being used – where they infect websites frequented by targeted companies, or even lower-tier organizations, like manufacturers, in the defense supply chain. This latest campaign by attackers has been coined the “Elderwood Project” by Symantec.

Eric Chien, senior technical director for Symantec Security Response, told SCMagazine.com on Friday that the adversaries have strategically shifted techniques used to commit cyber espionage.

“It allows them to broaden their attack,” Chien said. “They get a variety of people and they hope at least one of these machines is of targeted interest.”

Attacks on as many as 400 organizations have been linked to the Hydraq campaign, according to Symantec.

Zero-day exploits are used by the attackers, by which they infect machines running outdated versions of Adobe Flash, Microsoft Internet Explorer or Microsoft XML Core Services, Chien said. The public pages of websites are injected with the exploit – so criminals can sit back and let their victims come to them.

“Typically, once they get into an organization, they spider out,” Chien said. “They are looking for business intelligence, like documents, contracts, mergers, product information – basically the crown jewels of any company.”

Will Gragido, senior manager of RSA's advanced threat intelligence team, said that watering hole techniques can vary, though the purpose of the tactics is the same.

Gragido told SCMagazine.com on Friday that other groups using the tactics have redirected victims from compromised websites.

“In compromising the site, IFRAME technology redirects them to an entirely different URL that downloads a dropper,” Gragido said.

In using this technique, attackers often pollute reputable sites of companies, such as financial institutions, he said.
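The two mechanics described above, exploit code injected into a site's public pages and an IFRAME that silently redirects visitors to a dropper URL, leave a recognisable trace in the page markup. The following is an added example, not code from Symantec, RSA or the article, showing how a site owner could scan their own pages for injected frames using the standard-library `html.parser` module. The sample HTML, the page host `corp.example` and the off-site host `injected.example` are constructed placeholders; the heuristics (off-site source, CSS hiding, 0/1-pixel sizing) are common indicators of this kind of injection and are assumptions of the example rather than something the article specifies.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site iframe and one injected,
# hidden, off-site iframe of the kind described in the article. Hostnames are
# placeholders, not real infrastructure.
SAMPLE_HTML = """
<html><body>
<h1>Quarterly results</h1>
<iframe src="/embed/video" width="640" height="360"></iframe>
<iframe src="http://injected.example/landing" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # html.parser already lowercases attribute names
            self.iframes.append(dict(attrs))


def _is_tiny(value):
    """True for width/height values of 0 or 1 px, a classic hidden-frame size."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that look injected.

    page_host is the hostname the page was served from; a frame whose src
    points anywhere else is reported as off-site. Frames that are hidden by
    CSS or sized to 0/1 pixels are reported regardless of destination.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "") or ""
        reasons = []

        host = urlparse(src).hostname  # None for relative URLs like /embed/video
        if host and host.lower() != page_host.lower():
            reasons.append("off-site src")

        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")

        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("0/1-pixel frame")

        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "corp.example"):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

Run against a crawl of your own public pages, this flags the legitimate video embed as clean and reports the injected frame on all three heuristics. A frame that matches only one heuristic (for instance a visible off-site embed from a known partner) is worth an allowlist rather than an alert; the point is to surface unexpected changes to markup the organisation controls.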
