Details emerged this week regarding an attack system known as The Elderwood Project that appears to be sponsored by the Chinese military complex. The first instance of this attack vector occurred in 2009, when Google computers were compromised by a group using a zero-day exploit in Internet Explorer. It was determined that the group initiating the cyberattack was most certainly sponsored by the Chinese government. Symantec says that three years later the attacks are still continuing, even as the attacking group hones and upgrades its exploit software. Originally the attackers used spear-phishing emails to lure prospective victims to compromised websites, or tricked them into opening infected attachments that would execute code to root their machines and give the attackers total control of the compromised system. Today they are increasingly adopting the “watering hole” methodology, which uses a hidden iframe in a web page to execute code hosted on a compromised web server.
The Elderwood Group chooses specific targets, which can include infrastructure companies, oil and gas companies, defense contractors, financial institutions, military organizations, and other important United States entities. The majority of their targets appear to be top-tier United States defense organizations. Once a target is chosen, the Elderwood Group studies the target and predicts which websites its people will visit. Those websites are then forcibly compromised and the server seeded with attack code (typically using SQL injection techniques). When the target visits one of the compromised servers, a hidden iframe in the HTML-based web page points to a server that hosts the exploit code. The exploit code downloads and executes the trojan program (Hydraq/Aurora is currently being used), which gives the Elderwood Group control of the target’s machine. Symantec has seen several instances where the Elderwood Group also targets supply chain manufacturers that service the company in the Elderwood Group’s crosshairs.
Symantec explains how the Elderwood team operates:
Symantec believes the gang involves several teams of varying skills and duties. One team of highly skilled programmers is likely tasked with finding zero-day vulnerabilities, writing exploits, crafting re-usable platform tools, and infecting web sites; while a less skilled team is involved with identifying targets based on various goals – stealing design documents for a military product or tracking the activities of human rights activists – and sending out the spear-phishing attacks. A third team is likely tasked with reviewing and analyzing the intelligence and intellectual property stolen from victims.
What makes the attacks so interesting is that the attack vector being used depends on zero-day vulnerabilities, or “bugs”, in the targeted computer system that have not been discovered by the manufacturer, developer, or general public. The number of zero-day exploits used by the Elderwood Group indicates that the group possesses a high level of technical ability. Zero-day exploits used thus far include bugs in Adobe Flash Player, Microsoft Internet Explorer, and Microsoft XML Core Services, a component of Internet Explorer. With zero-day exploits in hand, all it takes is to lure the target into the crosshairs.
As Symantec explains on their website:
One of the vectors of infection we’re seeing a substantial increase in, called a “watering hole” attack, is a clear shift in the attacking group’s method of operations. The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him. Similarly, attackers find a Web site that caters to a particular audience, which includes the target the attackers are interested in. Having identified this website, the attackers hack into it using a variety of means. The attackers then inject an exploit onto public pages of the website that they hope will be visited by their ultimate target.
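Both the article's description of the compromised page (a hidden iframe pointing at a server that hosts the exploit) and Symantec's watering-hole explanation above describe the same defender-visible artifact: an iframe injected into a legitimate page that is invisible to the visitor and loads content from another host. The following is an added example, not code from the article or from Symantec, of an integrity check a site owner could run over their own published HTML to surface such injections. The sample page, the hostnames (`www.example-site.test`, `exploit-host.invalid`) and the function names are all constructed for the example; only the Python standard library is used.

```python
"""Flag hidden or cross-host <iframe> tags in a page: a watering-hole indicator."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the article): one legitimate iframe,
# one hidden iframe pointing at an external host, and one hidden same-site
# iframe to show that "hidden" and "external" are reported independently.
SAMPLE_PAGE = """
<html><body>
<h1>Industry news</h1>
<iframe src="https://www.example-site.test/video" width="640" height="360"></iframe>
<p>Article text...</p>
<iframe src="http://exploit-host.invalid/index.html" width="0" height="0"
        style="visibility:hidden"></iframe>
<iframe src="/contact" style="display: none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # html.parser lower-cases tag names for us
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px_value(raw):
    """Parse '0', '0px', ' 640 ' into an int; None if not a pixel number."""
    raw = raw.strip().lower()
    if raw.endswith("px"):
        raw = raw[:-2]
    return int(raw) if raw.isdigit() else None


def is_hidden(attrs):
    """True if the iframe is invisible to the user by a common trick:
    display:none / visibility:hidden, a 0 or 1 px dimension (attribute or
    inline style), or off-screen positioning."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = _px_value(attrs.get(dim, ""))
        if val is not None and val <= 1:
            return True
        m = re.search(dim + r":(\d+)px", style)
        if m and int(m.group(1)) <= 1:
            return True
    return re.search(r"(left|top):-\d+px", style) is not None


def find_suspicious_iframes(html, site_host):
    """Return iframes that are hidden and/or load content from another host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs: same site
        external = host is not None and host != site_host
        hidden = is_hidden(frame)
        if hidden or external:
            findings.append({"src": src, "hidden": hidden, "external": external})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, "www.example-site.test"):
        print(finding)
```

Run against the constructed page, the check reports the zero-size external iframe and the `display:none` internal one while passing the visible same-site video frame. A real deployment would fetch each published page and diff the findings against a known-good baseline, since a legitimate site may carry hidden frames of its own; the value is in a new hidden or cross-host frame appearing where none was before.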
Using code fragments left over from the attacks, and evidence from the 2009 Google attack, Symantec has determined that all the attacks are related to each other and originate from the same group, with a direct relationship to China. It appears as if a cyberwar between China and the United States is not only possible but may have already begun.