Group Behind 'Aurora' Attack on Google Still Active

← Back to Stories (view on slashdot.org)

Group Behind 'Aurora' Attack on Google Still Active

Posted by Soulskill on Friday September 7, 2012 @09:37AM from the three-years-of-experience-will-get-you-a-good-entry-level-gig dept.

New submitter trokez writes "Symantec has monitored the activities of a group using a specific trojan (Hydraq/Aurora) since 2009. The particular group has been connected (by Symantec) to the attack on Gmail in China, but also other high-profile attacks. 'These attackers have used a large number of zero-day exploits against not just the intended target organization, but also on the supply chain manufacturers that service the company in their cross hairs. These attackers are systematic and re-use components of an infrastructure we have termed the "Elderwood Platform." The term "Elderwood" comes from the exploit communication used in some of the attacks. This attack platform enables them to quickly deploy zero-day exploits.' The attacks seems to focus on industry espionage, with the defense industry and its suppliers at the focus."

21 comments

Min score:

Reason:

Sort:

Are these the dudes... by Anonymous Coward · 2012-09-07 09:50 · Score: 1, Funny

...who hacked the gibson?
1. Re:Are these the dudes... by farrellj · 2012-09-07 10:45 · Score: 2
  
  +1 for obscure "Hackers" Movie reference.
  
  --
  CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Strange Symbol by puddingebola · 2012-09-07 09:56 · Score: 2

Mysteriously, the attackers left the symbol for lucky dragon behind in all the systems they compromised.
Are these the guys by ozduo · 2012-09-07 10:08 · Score: 0

that hacked into Symantec and couldn't be booted out?

--
I got to the chocolate box before you, that's why the hard ones have teeth marks.
1. Re:Are these the guys by Anonymous Coward · 2012-09-07 11:58 · Score: 0
  
  that hacked into Symantec and could not uninstall live installer
RSA Hack by Anonymous Coward · 2012-09-07 10:13 · Score: 2, Interesting

Yea, we saw this with the RSA hack, basically it's going up the supply chain to exploit suppliers of big companies/the government. In the RSA hack they actually made it look like it was coming from an RSA supplier, and spoofed an email with the THIRD version of an excel spreadsheet that contained a zero day exploit. The Chinese, they're good at this.
Perfect by ThatsNotPudding · 2012-09-07 10:13 · Score: 2

Yes; let's rely on the same folks that can reduce any computer to a glacial, zombified, disk-grinding nightmare.

Sleep tight.
1. Re:Perfect by Anonymous Coward · 2012-09-07 11:05 · Score: 0
  
  it's actually different people entirely.
2. Re:Perfect by abirdman · 2012-09-07 11:39 · Score: 1
  
  I thought the same thing. Adobe, Symantec, Microsoft write the most hole-riddled, performance hogging, and attack-vector-filled software there is. It comes with the territory-- it's where good software and evil software meet. It fries me that anti-virus software is only marginally less annoying than the viruses they protect us from.
  
  --
  Everything I've ever learned the hard way was based on a statistically invalid sample.
Complimentary Egg Roll by puddingebola · 2012-09-07 10:25 · Score: 1

The attackers also left a coupon for a complimentary egg roll, good until the end of the month.
1. Re:Complimentary Egg Roll by farrellj · 2012-09-07 10:46 · Score: 1
  
  Unfortunately, it turned out to be for *last* month...
  
  --
  CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Watering Hole Attack. by Tackhead · 2012-09-07 10:40 · Score: 4, Funny

From TFA:

One of the vectors of infection we're seeing a substantial increase in, called a âoewatering holeâ attack, is a clear shift in the attacking group's method of operations. The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him. Similarly, attackers find a Web site that caters to a particular audience, which includes the target the attackers are interested in. Having identified this website, the attackers hack into it using a variety of means.

All well and good. The good folk at Symantec, a site that definitely caters to an audience of people who would be interested in this particular exploit, then goes on to link to their research paper:

We have published a research paper that details the links between various exploits used by this attacking group, their method of targeting organizations, and the Elderwood Platform. It puts into perspective the continuing evolution and sheer resilience of entities behind targeted attacks.
That's right. The link to the research paper is, presumably by order of some marketroid who wants to get some metrics about this high-profile story (or are they?) is a goddamn bit.ly link redirector that goes directly to a PDF, and can be expected to spawn precisely one of the sorts of vectors that the attackers have been exploiting for years.
Peter Norton is still alive, but if he weren't, he'd be rolling in his grave. As it stands, he's merely rolling in a big pile of money.
1. Re:Watering Hole Attack. by Anonymous Coward · 2012-09-07 14:43 · Score: 0
  
  The bit.ly link goes to www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
  Or, you too can be a marketroid for the day: bit.ly/Q07MpB+
2. Re:Watering Hole Attack. by Anonymous Coward · 2012-09-08 04:34 · Score: 0
  
  The bit.ly link goes to www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
  Yes, but it's grossly irresponsible for a security company to make its own content indistinguishable from a watering hole attack, and ironic to do so with the very content that warns of this novel attack vector, and several light-years beyond irony then put the content in the form of another attack vector, when some static HTML and images would have sufficed.
Microsoft Windows only .. by dgharmon · 2012-09-07 10:44 · Score: 3, Interesting

"The PDF file attached to the email exploits the Adobe Reader 'CoolType.dll' TTF Font Remote Code Execution Vulnerability (BID 43057). It uses a technique known as return-oriented programming (ROP) to bypass Data Execution Prevention (DEP), using code in the icucnv36.dll module."

--
AccountKiller
1. Re:Microsoft Windows only .. by nazsco · 2012-09-07 16:38 · Score: 2
  
  So you can only get infected if you do have an Symantec antivirus?
Ahem... by Anonymous Coward · 2012-09-07 10:53 · Score: 0

"All your bases are belong to us." - It finally came true.
"Elderwood" really? by hawkingradiation · 2012-09-07 13:48 · Score: 1

Naming a particular exploit instead of assigning it a number like ExTrojA.1234 is like trying to name a particular day for something. Like having all the days of the year with names like "Hot air balloon to work day", "Stop light appreciation day", or "Mother's muffins day". We are already doing this and the attack against Google was bigger but attacks like this are occurring on a daily basis. BTW was the term "Elderwood platform" a poor Chinese translation that was translated back to mean the "Microsoft Windows platform"?

--
Society use your Sciences
1. Re:"Elderwood" really? by hawkingradiation · 2012-09-07 13:51 · Score: 1
  
  Viruses and attack vectors are changing every day and it is a cat and mouse game.
  
  --
  Society use your Sciences
2. Re:"Elderwood" really? by TheCarp · 2012-09-08 00:04 · Score: 1
  
  Of course, the name is the only reason I checked out the comments, as I have been looking to grow some elder trees in my yard, and the berries are currently in season (mmmm). Of course, trying to get some from my pagan friends turned out to be too much hassle (important tree, need some rituals or some such).... so we just ordered some seeds, got them yesterday actually.
  Well the thing is names make it easier to distinguish and actually talk about them. If I compared ExTrojA.1234 with CERT-2001-19 you probably have no clue what I am refering to. In this case that probably works to my favor, since if I tried to compare this to code red, I would instantly look foolish.
  Where I do agree is when it can corrupt a deliberative process and make hash of people's arguments. What I am thinking of is congress. Remember the "clean air act" that reduced air pollution standards? What kind of thing is that? Leaving people in favor of clean air trying to argue against the clean air act?
  Or the truly low move of naming a bill after a murdered kid. I can think of few things so small and yet so corrosive to the very spirit of a deliberative process to force a person who disagrees with a policy to make him argue against something so unfairly titled.
  However, since worm and trojan names don't enter into such deliberative processes and public opinion of them is irrelevant.... I say let them have the names.
  Oh.... and keep this one out of your mouth.... elderwood is poisonous.
  
  --
  "I opened my eyes, and everything went dark again"
oh noes by nazsco · 2012-09-07 16:37 · Score: 1

Let's just hope they don't steal the secrets to milliliter wave scanners!
Nobody would be safe if terrorists had such power under their control!