New research by Symantec shows that the attackers using an exploit kit known as “Elderwood” are more numerous, and possibly better funded, than anyone anticipated.
Elderwood is used as a hacking platform for spying on computers: it carries attack code that takes advantage of software vulnerabilities in popular programs, such as Adobe Systems’ multimedia program Flash or Microsoft’s Internet Explorer browser.
Symantec has tracked Elderwood since 2012 and concluded that the exploits it contained had been used against defense-related companies, people involved in human-rights campaigns, and IT and supply-chain companies in the well-known “Operation Aurora” attacks.
Initially the company believed that Elderwood was used by a single group, but recent findings show that a more complex operation is ongoing. Symantec doesn’t say in which country the groups are located, but the attacks which triggered “Operation Aurora” are believed to originate from China.
The fact that several hacking groups are now using Elderwood may indicate that the developer is selling the platform, or that the main Elderwood hackers are developing exploits for their own teams.
“The attack groups are separate entities with their own agendas,” Symantec wrote in a blog post on Thursday.
The sub-group named “Hidden Lynx” targets the defense industry and Japanese users. “Vidgrab” prefers targeting Uyghur dissidents in the western region of China. Another group known as “Linfo” or “Icefog” goes after manufacturing firms, while “Sakurel” focuses on aerospace companies.
At the beginning of this year, the Elderwood exploit kit contained three zero-day vulnerabilities, which are software flaws for which no patch is available. These included one for Flash (CVE-2014-0502) and two for Internet Explorer (CVE-2014-0322 and CVE-2014-0324).
The shared infrastructure is another clue that all of the groups may be closely connected. Symantec revealed that the Flash exploit and one for Internet Explorer, CVE-2014-0322, were hosted on the same server used by all four groups.
Creating attack code for those vulnerabilities is not cheap, so if hacking groups are purchasing the exploits from Elderwood’s developer, those organizations “must have substantial financial resources.”
If instead all attacks related to Elderwood come from a single larger group split into many teams, then “these employees are either being well compensated for their work or have some other motivating factor that prevents them from selling exploits on the open market themselves.”