Hundreds more cyber attacks linked to 2009 Google breach

BOSTON, Sept 7 Fri Sep 7, 2012 12:59pm EDT

BOSTON, Sept 7 (Reuters) - The hacker group that attacked Google Inc in 2009 has launched hundreds of other cyber assaults since then, focusing on U.S. defense companies and human rights groups, according to new research from security software maker Symantec Corp.

Google said in January 2010 that it and more than 20 other companies were the victims of a sophisticated cyber attack - later dubbed Operation Aurora - from China-based hackers that resulted in the theft of intellectual property.

Although the hackers were never publicly identified, the incident heightened tensions between Washington and Beijing over growing evidence that a significant number of cyber attacks against U.S. institutions originated from China.

"It was big news at the time, but what people don't realize is that this is happening constantly," said Eric Chien, a manager in Symantec's research group. "They haven't gone away, and we wouldn't expect them to go away."

Symantec said on Friday the hackers behind Operation Aurora have focused on stealing intellectual property, such as design documents from defense contractors and their suppliers, including shipping, aeronautics, arms, energy, manufacturing, engineering and electronics companies.

The hackers used components of a common infrastructure that Symantec termed the "Elderwood Platform," named after a word repeatedly found in the software code used in different attacks.

Over the past year, the Elderwood hackers have focused almost exclusively on stealing data from companies that supply parts to big defense contractors, rather than targeting the firms themselves, Chien said.

The second most common group of targets was non-government organizations involved in Tibetan human rights issues. Financial firms and software companies were also targeted, Symantec said.

The security firm, which sells anti-virus software to corporations and consumers under the Symantec and Norton brands, declined to identify specific victims and noted that it did not have evidence to prove the attacks originated from China.

Cyber security experts widely believe the Google attacks originated from China.

Dmitri Alperovitch, chief technology officer of security startup CrowdStrike, said his firm has linked the culprits to more recent attacks, including ones last year on EMC Corp's RSA Security division and Lockheed Martin Corp.

The hackers infected personal computers by exploiting what were major security flaws in commonly used software from Adobe Systems Inc and Microsoft Corp. Such flaws, known as zero-day vulnerabilities, are rare because they are difficult to find. The flaws have since been fixed.

Last year, security experts uncovered eight zero-day flaws being exploited by various hacking groups, according to Symantec.

Symantec said it believed the Elderwood hackers alone have used eight zero-day vulnerabilities from 2010 to 2012 - the largest number it has seen from a single organization. That suggests the group had the money to hire large teams of skilled software engineers or purchase them.

Some experts estimate that a zero-day vulnerability that enables attackers to hack into highly secured systems can cost hundreds of thousands of dollars, even more than $1 million.

The fact that the Elderwood hackers has used so many zero-day vulnerabilities suggests it is either a very large criminal group, or backed by a nation-state, or a nation-state itself, Chien said.

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (1)
Overcast451 wrote:
Just an admission that proves who can innovate and who cannot.

Sep 12, 2012 6:07pm EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.