Google Aurora attackers continue online crime spree

Symantec researchers have linked a slew of recent high-profile attacks, which include the 2010 Aurora attacks on Google by suspected Chinese hackers, to a backdoor trojan named Hydraq.

Much like the case with Google, Hydraq attackers are aiming to commit intellectual property theft, this time exploiting supply chain vulnerabilities to steal information from top-tier U.S. defense contractors and other organizations.

While the attackers used spear phishing emails in the past, researchers are now seeing the emergence of “watering hole” tactics, in which the attackers infect websites frequented by targeted companies, or even by lower-tier organizations, like manufacturers, in the defense supply chain. Symantec has coined this latest campaign the “Elderwood Project.”

Eric Chien, senior technical director for Symantec Security Response, told on Friday that the adversaries have strategically shifted techniques used to commit cyber espionage.

“It allows them to broaden their attack,” Chien said. “They get a variety of people and they hope at least one of these machines is of targeted interest.”

Attacks on as many as 400 organizations have been linked to the Hydraq campaign, according to Symantec.

The attackers use zero-day exploits to infect machines running outdated versions of Adobe Flash, Microsoft Internet Explorer or Microsoft XML Core Services, Chien said. The public pages of websites are injected with the exploit – so criminals can sit back and let their victims come to them.

“Typically, once they get into an organization, they spider out,” Chien said. “They are looking for business intelligence, like documents, contracts, mergers, product information – basically the crown jewels of any company.”

Will Gragido, senior manager of RSA's advanced threat intelligence team, said that watering hole techniques can vary, though the purpose of the tactics is the same.

Gragido told on Friday that other groups using the tactics have redirected victims from compromised websites.

“In compromising the site, IFRAME technology redirects them to an entirely different URL that downloads a dropper,” Gragido said.

In using this technique, attackers often pollute reputable sites of companies, such as financial institutions, he said.

According to Chien, organizations primarily targeted by Hydraq have been in the U.S. defense industry, though IT service providers, and human rights and non-governmental organizations are among other sectors around the globe that have been impacted.  

In a blog post analysis of the malware, Symantec said companies that have been compromised in the past should be on particular alert for threats.

“Any manufacturers who are in the defense supply chain need to be wary of attacks emanating from subsidiaries, business partners and associated companies as they may have been compromised and used as a stepping-stone to the true intended target,” the post said. “Companies and individuals should prepare themselves for a new round of attacks in 2013. This is particularly the case for companies who have been compromised in the past and managed to evict the attackers. The knowledge that the attackers gained in their previous compromise will assist them in any future attacks.”

Though Symantec has not confirmed from where the attackers may be operating, researchers do suspect that the group is backed by a nation-state or a larger, well-organized entity.

“It appears like they are being told to look for certain types of information that someone wants to steal, and they're being compensated,” Chien said.

Since the types of organizations targeted by Hydraq typically have solid security in place, Chien advised companies to not exclude themselves from being a potential target, as cases have been detected in varying industries.

“People became aware of this and probably thought they went away, but they haven't gone away and these guys are still operating,” he said.
