Stealthy Group Steals Data Using Zero-Day, ‘Watering Hole’ Attack

A group of data thieves, possibly linked to a 2009 attack on Google, has ramped up its operations, using exploits for at least eight previously unknown vulnerabilities-widely referred to as “zero-days”-to compromise systems at defense contractors, suppliers to the defense sector, human rights organizations and other companies, security firm Symantec stated in a report released Sept. 7.

Symantec identified the group by the common set of tools and techniques it used-an attack platform that the company called “Elderwood,” after a variable found in the source code. The group has used previously unseen vulnerabilities to compromise targeted systems and install a malicious program, known as Hydraq, to control the machines and steal data. While the group has used targeted email messages as a way to infiltrate businesses and fool employees into running its code, the thieves have also compromised Websites known to be communication hubs for targeted industries as a way to infect insiders, known as a “watering hole” attack.

“They are definitely shifting their methodology, and there are open questions about why that is,” said Eric Chien, senior technical director for Symantec’s security response group. “They may be finding that older techniques are no longer working.”

In the report, Symantec detailed the three years that the group has likely been operating. In December 2009, Google claimed it-and dozens of other companies-had been attacked by a group that used a vulnerability in Internet Explorer to install Hydraq on several of its computers. A few months later, a group using similar methods used two previously unknown flaws in Adobe Flash to attack other firms in technology and related industries. In September 2011, the same methods were used to attack visitors to an Amnesty International site, and this year, defense and other technology firms were affected.

“Our analysis shows that a single group has been using these zero-day exploits, along with others over the past couple of years, in targeted attacks against individuals, companies, governments and even entire sectors,” Symantec stated in a summary of the analysis.

“Group” is a flexible term, and could encompass a single group of people, or many groups linked by a common framework of attack tools, Chien said. Recent analyses of Stuxnet, Duqu and other cyber-attacks have linked many of those programs to the frameworks that were likely used to create them.

Using tools, techniques and methods to identify attackers is a common methodology. Symantec linked the attacks to Google, for example, with the discovery that both operations used the malicious Hydraq program for controlling computers, and both used the same packer, a method of compressing and obfuscating malicious code, which the company has not encountered elsewhere.

The various attacks using exploits for zero-day vulnerabilities were linked by different common elements, including, in some cases, a Shockwave Flash component designed to make exploitation more reliable and, in other cases, a common method of combining exploit code and the file used to entice victims to run the code.

Watering hole attacks are not entirely new, dating back to at least March 2011. Security firm RSA discussed in July its own investigation into a group that used the technique to infect technology and financial firms in the Massachusetts and Washington, D.C., areas. The group used the same watering hole attack as the Elderwood group, but did not use the Hydraq Trojan, suggesting that the two incidents involved different groups.