The Hydraq backdoor trojan has been linked to a slew of recent high-profile attacks and the 2010 Aurora attacks on Google by suspected Chinese hackers.
The attackers attempted intellectual property theft by exploiting supply chain vulnerabilities to steal information from top-tier US defense contractors and other organisations.
While the attackers used spear phishing emails in the past, Symantec researchers are now seeing the emergence of “watering hole” tactics being used – where they infect websites frequented by targeted companies, or even lower-tier organisations, like manufacturers, in the defense supply chain. This latest campaign by attackers has been coined the “Elderwood Project” by Symantec.
Eric Chien, senior technical director for Symantec Security Response, told SC on Friday that the adversaries have strategically shifted techniques used to commit cyber espionage.
“It allows them to broaden their attack,” Chien said. “They get a variety of people and they hope at least one of these machines is of targeted interest.”
Attacks on as many as 400 organisations have been linked to the Hydraq campaign, according to Symantec.
The attackers use zero-day exploits to infect machines running outdated versions of Adobe Flash, Microsoft Internet Explorer or Microsoft XML Core Services, Chien said.
The public pages of websites are injected with the exploit – so criminals can sit back and let their victims come to them.
“Typically, once they get into an organisation, they spider out,” Chien said. “They are looking for business intelligence, like documents, contracts, mergers, product information – basically the crown jewels of any company.”
Will Gragido, senior manager of RSA's advanced threat intelligence team, said that watering hole techniques can vary, though the purpose of the tactics is the same.
Gragido told SC on Friday that other groups using the tactics have redirected victims from compromised websites.
“In compromising the site, IFRAME technology redirects them to an entirely different URL that downloads a dropper,” Gragido said.
In using this technique, attackers often pollute reputable sites of companies, such as financial institutions, he said.
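As an illustration of the injected-IFRAME pattern Gragido describes, the following is an added example (not code from the article, Symantec or RSA) that scans a page's HTML for frames that are hidden by CSS, sized to a pixel or less, or pointing off-site, which is what a site owner or responder checking a suspected watering hole would look for first. The sample HTML, hostnames and size thresholds are constructed for the demonstration.

```python
"""Added example: flag IFRAMEs that look injected into a trusted site's page.
Not code from the article, Symantec or RSA; sample input is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that make a frame invisible to the visitor (whitespace removed before matching)
HIDDEN_CSS = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value may be None for bare attributes
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel (a common hiding trick)."""
    try:
        return int(str(value).strip().rstrip("px").strip()) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for frames that are off-site, CSS-hidden or tiny.

    site_host is the hostname the page legitimately belongs to; frames whose src
    resolves to that host (or a subdomain of it) are not counted as off-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []

        host = urlparse(src).hostname  # None for relative URLs such as "/rates"
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site src")

        style = attrs.get("style", "").replace(" ", "").lower()
        if any(fragment in style for fragment in HIDDEN_CSS):
            reasons.append("hidden by css")

        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("tiny dimensions")

        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate same-site frame followed by an injected, hidden, off-site one.
SAMPLE_HTML = """
<html><body>
<h1>Current rates</h1>
<iframe src="/rates" width="600" height="400"></iframe>
<iframe src="http://cdn-static.example.invalid/x.html" width="0" height="0"
        style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example-bank.test"):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

Run against a saved copy of a page, the script reports only frames that trip at least one heuristic, so the ordinary same-site frame in the sample is silent while the hidden off-site one is flagged on all three counts; the same-host check is deliberately strict, as an attacker-controlled subdomain would not be flagged by it, so off-site hits are a starting point for review rather than a verdict.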
According to Chien, organisations primarily targeted by Hydraq have been in the U.S. defense industry, though IT service providers, and human rights and non-governmental organisations are among other sectors around the globe that have been impacted.
In a blog post analysis of the malware, Symantec said companies that have been compromised in the past should be on particular alert for threats.
“Any manufacturers who are in the defense supply chain need to be wary of attacks emanating from subsidiaries, business partners and associated companies as they may have been compromised and used as a stepping-stone to the true intended target,” the post said.
“Companies and individuals should prepare themselves for a new round of attacks in 2013. This is particularly the case for companies who have been compromised in the past and managed to evict the attackers. The knowledge that the attackers gained in their previous compromise will assist them in any future attacks.”
Symantec did not confirm where the attackers operated, but researchers suspect the group was backed by a nation-state or a well-organised entity.
“It appears like they are being told to look for certain types of information that someone wants to steal, and they're being compensated,” Chien said.
Since the types of organisations targeted by Hydraq typically have solid security in place, Chien advised companies not to rule themselves out as potential targets, as cases have been detected across a range of industries.
“People became aware of this and probably thought they went away, but they haven't gone away and these guys are still operating,” he said.