The inner workings of the world’s most powerful professional hacking group have been exposed.
The so-called Elderwood group, known for launching an ultra-sophisticated attack against Google in December 2009, is among the most dangerous ever discovered.
Over the last three years they have targeted the defence industry, human rights groups, governments and NGOs with previously unseen skill and force, said the security firm Symantec, after a three-year study.
“We’ve never seen anything like this before,” Orla Cox, senior security operations manager at Symantec told the HuffPost UK.
“And somebody is paying them to do it.”
Symantec studied the group to uncover the workings of its hacking system, named “The Elderwood Platform”. Based on similarities between different attacks – including the Google exploit and others – Symantec has been able to connect the dots, and says it is likely they are the work of one professional collective.
The Elderwood group has been able to launch twice as many ‘Zero Day’ exploits, for which there is no known fix at the time of the hack, as any other group.
Zero day exploits are those targeting previously unknown vulnerabilities. They are rarer than other attacks because they are very hard to develop, but for the same reason they can be far more damaging: there is no patch to apply when they are first used.
Elderwood has used twice as many Zero Day attacks as any comparable organisation:
“This group has used eight.”
This year alone the group has used four zero days, she said.
“They’re not the only group carrying out this style of attack,” she added. “But in this case this group seems to be more efficient, better-structured and more professional in their approach.”
The attackers have been able to reverse engineer software including Adobe Flash and Internet Explorer to discover the Zero Day vulnerabilities. Usually the attacks are launched through phishing email campaigns or “watering hole” attacks, in which the group compromises a popular website and inserts its own code to attack that site’s visitors.
Symantec said their goal is “wholesale theft of intellectual property”.
There are other groups which have carried out similar attacks, Cox admits – including a group named Nitro, which attacked the chemical industry, and Sykipot.
Symantec said that it is not possible to be more specific about the location of the Elderwood group or its motives, because unlike other hacking collectives they make no attempt to publicise their aims or their victories.
And they’re good at hiding.
“It’s very difficult to pinpoint an exact location,” Cox said. “These attackers are good at hiding their tracks. They would tend to use command and control service locations in different parts of the world, using proxy servers to hide their location.”
“The only people that would have the money to do this would be a criminal organisation or somebody backed by a nation state.”
Symantec said that businesses need to be more wary of these large-scale attacks, and be prepared to respond when a Zero Day exploit is discovered.
“Any manufacturers who are in the defense supply chain need to be wary of attacks emanating from subsidiaries, business partners, and associated companies.
“Companies and individuals should prepare themselves for a new round of attacks in 2013 utilising both Adobe Flash and Internet Explorer zero-day exploits.
“This is particularly the case for companies who have been compromised in the past and managed to evict the attackers. The knowledge that the attackers gained in their previous compromise will assist them in any future attacks.”