Google 'Aurora' cyber scammers still operational

A group of cyber-scammers who were possibly behind the 2010 attack on Google infrastructure are still operational and now using more sophisticated tools, according to a new report from Symantec.

The security firm was surprised to see how many zero-day exploits the group uses to go after its targets, which appear to be focused on defense supply chain manufacturers, human rights and non-governmental organisations (NGOs), and IT service providers.

Symantec first started tracking attacks that used the Hydraq (Aurora) Trojan horse back in 2009. Recently, however, the scammers have shifted tactics to something known as "watering hole" attacks, or those that lie in wait for unsuspecting victims.

"These attackers are systematic and re-use components of an infrastructure we have termed the 'Elderwood platform,'" Symantec said. "The name 'Elderwood' comes from a source code variable used by the attackers. This attack platform enables them to quickly deploy zero-day exploits. Attacks are deployed through spear phishing emails and also, increasingly, through Web injections in watering hole attacks."

With watering hole attacks, the cyber criminals will select a website that they believe their intended targets will visit. "The attackers then inject an exploit onto public pages of the website that are hopefully visited by their ultimate target," Symantec said. "Any visitor susceptible to the exploit is compromised and a back door Trojan is installed onto their computer."

This is notable, Symantec said, because targeting specific websites is much more labour-intensive than random attacks. "The attacker has to research and probe for a weakness on the chosen website," the firm said.
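The watering hole technique described above depends on a script or exploit being injected into pages the site owner did not change. One defensive check a site operator can run is content integrity monitoring: take an inventory of the script tags on a known-good copy of each public page, then compare later fetches against it and flag any script source or inline script body that was not in the baseline. The following is an added example written for this article, not code from Symantec's report or from any product; the two HTML pages and the `//cdn.example.invalid/stats.js` reference are constructed sample data.

```python
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script>...</script> without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data, so this collects the body.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def script_inventory(html):
    """Return (list of external src values, list of SHA-256 hashes of inline script bodies)."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    hashes = [hashlib.sha256(body.encode("utf-8")).hexdigest() for body in parser.inline]
    return parser.external, hashes


def build_baseline(known_good_html):
    """Snapshot the scripts of a page that is known to be clean."""
    external, inline_hashes = script_inventory(known_good_html)
    return {"external": set(external), "inline": set(inline_hashes)}


def find_injected_scripts(html, baseline):
    """Flag every script on the page that is absent from the baseline.

    Returns a list of ("external", src) or ("inline", sha256) tuples.
    An empty list means the page's scripts match the known-good snapshot.
    """
    external, inline_hashes = script_inventory(html)
    findings = [("external", src) for src in external if src not in baseline["external"]]
    findings += [("inline", h) for h in inline_hashes if h not in baseline["inline"]]
    return findings


# Constructed sample pages (not real sites): a clean snapshot and a later fetch
# of the same page that carries two scripts the operator never deployed.
KNOWN_GOOD_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>window.site = {page: 'home'};</script>
</head><body><p>Hello</p></body></html>"""

SUSPECT_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>window.site = {page: 'home'};</script>
<script src="//cdn.example.invalid/stats.js"></script>
<script>var t = 'constructed placeholder for an unexpected inline script';</script>
</head><body><p>Hello</p></body></html>"""


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD_PAGE)
    for kind, value in find_injected_scripts(SUSPECT_PAGE, baseline):
        print(f"unexpected {kind} script: {value}")
```

In practice the baseline is rebuilt whenever the site is legitimately redeployed, and the comparison is run on a schedule from a machine outside the web server's trust boundary, so that an attacker who altered files on the server cannot also alter the snapshot. Hashing inline bodies rather than storing them keeps the baseline small and makes even a one-character change to an existing inline script show up as a finding.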

According to Symantec, serious zero-day attacks are very rare. There were only eight in 2011, but the firm has identified four in the last few months alone: two via Adobe Flash and two through Internet Explorer.

The Hydraq Trojan was used to attack Google several years ago via an IE zero-day exploit. The attacks appeared to originate in China, prompting Google to change its stance on cooperating with Chinese censorship.

According to Symantec, "the Hydraq attack [on Google] and the recent attacks ... are linked."

In 2011, meanwhile, Flash-based zero-day attacks targeted sites like the website for Amnesty International Hong Kong. "Although we have not conclusively established a connection between the most recent exploits and those used in attacks in 2011, there are similarities," Symantec said.

Symantec warned defense manufacturers "to be wary of attacks emanating from subsidiaries, business partners, and associated companies. It is possible that those trusted companies were compromised by the attackers who are then using them as a stepping-stone to the true intended target."

Next year will likely see a new round of attacks using Flash and IE, particularly for companies that were compromised in the past but evaded serious consequences. "The knowledge that the attackers gained in their previous compromise will assist them in any future attacks," Symantec concluded.