Hackers from China target defense data, human rights groups: Symantec

BOSTON: The hacker group that attacked Google in 2009 has launched hundreds of other cyber assaults since then, focussing on US defense companies and human rights groups, according to new research from security software maker Symantec.

Google said in January 2010 that it and more than 20 other companies were the victims of a sophisticated cyber attack - later dubbed Operation Aurora - from China-based hackers that resulted in the theft of intellectual property.

Although the hackers were never publicly identified, the incident heightened tensions between Washington and Beijing over growing evidence that a significant number of cyber attacks against US institutions originated from China.

"It was big news at the time, but what people don't realise is that this is happening constantly," said Eric Chien, a manager in Symantec's research group. "They haven't gone away, and we wouldn't expect them to go away."

Symantec said on Friday the hackers behind Operation Aurora have focussed on stealing intellectual property, such as design documents from defense contractors and their suppliers, including shipping, aeronautics, arms, energy, manufacturing, engineering and electronics companies.

The hackers used components of a common infrastructure that Symantec termed the "Elderwood Platform," named after a word repeatedly found in the software code used in different attacks.

Over the past year, the Elderwood hackers have focussed almost exclusively on stealing data from companies that supply parts to big defense contractors, rather than targeting the firms themselves, Chien said.

The second most common group of targets was non-government organisations involved in Tibetan human rights issues. Financial firms and software companies were also targeted, Symantec said.

The security firm, which sells anti-virus software to corporations and consumers under the Symantec and Norton brands, declined to identify specific victims and noted that it did not have evidence to prove the attacks originated from China.

Cyber security experts widely believe the Google attacks originated from China.

Dmitri Alperovitch, chief technology officer of security startup CrowdStrike, said his firm has linked the culprits to more recent attacks, including ones last year on EMC's RSA Security division and Lockheed Martin.

The hackers infected personal computers by exploiting what were major security flaws in commonly used software from Adobe Systems and Microsoft. Such flaws, known as zero-day vulnerabilities, are rare because they are difficult to find. The flaws have since been fixed.

Last year, security experts uncovered eight zero-day flaws being exploited by various hacking groups, according to Symantec.

Symantec said it believed the Elderwood hackers alone have used eight zero-day vulnerabilities from 2010 to 2012 - the largest number it has seen from a single organisation. That suggests the group had the money to hire large teams of skilled software engineers or purchase them.

Some experts estimate that a zero-day vulnerability that enables attackers to hack into highly secured systems can cost hundreds of thousands of dollars, even more than $1 million.

The fact that the Elderwood hackers has used so many zero-day vulnerabilities suggests it is either a very large criminal group, or backed by a nation-state, or a nation-state itself, Chien said.

(2012-09-08/timesofindia)