A three-year investigation into a group of hackers shows they are well organized and interested in stealing intellectual property from the defence industry supply chain.

Sophisticated ‘Elderwood’ hackers targeting defence industry, Symantec warns

A group of highly skilled and organized attackers, likely backed by some serious computing power, have been conducting targeted attacks against North America’s defence industry supply chain for the past three years, according to Symantec Corp.

The computer security vendor reveals the sophisticated hacker syndicate in a new report called The Elderwood Project released today. Using zero-day vulnerabilities, the hackers have orchestrated at least 678 attacks against 216 U.S.-based organizations and 86 attacks against 35 Canadian organizations. The attack was largely targeted to North American corporations, but not entirely. There were 53 attacks identified in China, 31 in Hong Kong, 31 in Australia, and a few also in other regions such as the U.K. and India.

Tracking the Elderwood gang since 2009, Symantec has observed that over the past few months, this group of hackers has used four zero-day vulnerabilities in its attacks. Zero-day vulnerabilities are exploits in software not previously identified and only a handful are typically discovered in a year. But this group has been able to crack major software such as Adobe’s Flash Player and Microsoft’s Internet Explorer with apparent ease.

Canada is the second most-attacked nation.

“We think they’ve got a lot of manpower,” says Vikram Thakur, a researcher with Symantec. “Either a lot of people, or a group of people who are extremely skilled and have a lot of computing power to reverse engineer the applications they’re finding vulnerabilities in.”

It’d be easier to find the exploits if the group had access to the software source doe, Thakur adds, but there is no evidence that’s the case. The number of zero-day vulnerabilities used by the group, in what Symantec calls the ‘Elderwood platform’, exceeds even that of Stuxnet. That worm was developed in tandem by the U.S. and Israel to hinder Iran’s nuclear enrichment facilities, a New York Times investigation revealed June 1.

“They have a lot of them to be utilized, which is quite frightening to be honest,” Thakur says. “I think it’s a huge problem.”

The group is targeting the supply chain of the defence industry.

While most hackers are simply out for financial account credentials and credit card numbers, this group is set on stealing intellectual property, according to Symantec. Whether its design information, source code, or financial information about a company. Attacks are focused on the supply chain leading up to Tier 1 defence industry suppliers, but Symantec hasn’t named specific victims. The intent could be to use the smaller, less secure manufacturers as stepping stones to gain access to larger defence firms.

Earlier in its investigation, Symantec found the group was using spear phishing as its primary attack method. This involves hackers identifying a single target or a small group and then send e-mails with information that seems legitimate in hopes the target will open a file and become infected. But lately, the group has relied more heavily on a “watering hole” attack strategy. That sees hackers infect one Web site that is commonly used by the target group.

“They’re just making things easier for themselves,” Thakur says.

Firms that may be targets should take extra care to ensure they have multiple layers of security protection in place and are using encryption to protect sensitive data, he says. Manufacturers in the defence supply chain should look out for attacks coming from subsidiaries, business partners, and other associates.

The motive behind the attacks is certainly cyber-espionage, Thakur says, as intellectual property is being stolen. But what’s not clear is who is behind it all.

“Whether they have the backing of a government entity or are just a hacker sitting in a basement, that’d just be speculation,” he says.

Companies that have previously evicted hackers may be at risk of another attack. Information gleaned in the first compromise could assist hackers in targeting a firm again.

Source | Symantec blog

Share on LinkedIn Comment on this article Share with Google+