Elite hacker gang has unlimited supply of zero-day bugs
Cox called the group one of the "more elite" hacker teams, and even cited what she called their "professionalism."
"The manner in which they've structured the work, dividing it among themselves, shows a certain professionalism," Cox said. "They have a development platform in place, so they just need to pull all these components together to launch a new attack. With the group's sophistication, they can quickly and easily pull together a new attack."
This year, for example, the Elderwood group shifted gears several times, quickly returning to the attack with an exploit of a new zero-day each time its predecessor was sniffed out by security researchers.
"This year, they used a Flash zero-day in April, then a couple of weeks later one in IE, then two or three weeks after that, another, one after the other," said Cox.
Some of the zero-days attributed to Elderwood have been among the highest-profile bugs uncovered and patched this year. The vulnerability exploited by Elderwood in late May, CVE-2012-1889, was in Microsoft XML Core Services (MSXML). Attacks circulated widely enough that other security firms noticed, prodding Microsoft to patch the vulnerability in its July security update slate.
The speed with which the hackers regroup after the patching of a vulnerability told Cox that they were extremely skilled. "I would suspect, based on the speed of their attacks, that they have some sort of stockpile of zero-days," she said. "I have to assume that they have more in their arsenal than we've found."
As always when researchers pull aside the curtain on a hard-working hacker gang, the immediate assumption by many is that the attackers are backed by a government. That's not necessarily the case, according to Cox, who said Symantec had no hard evidence.
"But this is a full-time job," she said, and requires a large team to dig up vulnerabilities, build exploits, bundle them into malware, launch attacks and then digest the information they've stolen. "The work they do is both skilled and time consuming. They would have to work at it full time, so someone is paying them to do this."
She said it's likely that the group is working on a contractual basis, and attacking targets identified for them by their backer. "The analysis has shown that certain organizations have been hit in different ways, indicating that they're of particular interest to [their paymasters]," Cox added.
While there's little chance an average computer user will fall victim to the targeted attacks launched by Elderwood -- generally conducted using emails aimed at specific individuals -- the gang also uses the "watering hole" strategy to infect PCs.
In a watering hole campaign, hackers identify likely targets, even down to the individual level, then scout out which websites those targets frequently visit. Next the attackers compromise one or more of those sites, plant malware on them, and wait for unwary users to surf there, much as a lion waits at a watering hole for its prey.
In those cases, the general public can be, as Cox put it, "collateral damage."
Symantec's analysis of the Elderwood Project can be downloaded as a PDF from its website.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.