{
	"id": "0cb133c3-9e09-4ead-b249-1ad612283236",
	"created_at": "2026-04-06T00:15:40.148264Z",
	"updated_at": "2026-04-10T03:37:58.663921Z",
	"deleted_at": null,
	"sha1_hash": "e32efa4dfa8b308196da1ca9bf53b2f4a3bf5bab",
	"title": "Elderwood project, who is behind Op. Aurora and ongoing attacks? - Security Affairs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 971386,
	"plain_text": "Elderwood project, who is behind Op. Aurora and ongoing attacks? - Security Affairs\r\nBy Pierluigi Paganini\r\nPublished: 2012-09-09 · Archived: 2026-04-05 12:54:02 UTC\r\nPierluigi Paganini September 09, 2012\r\nToday I would like to discuss the real effects of a cyber attack. We have recently covered the direct and indirect effects of several cyber espionage campaigns, such as Flame and Gauss, but we have never approached the problem as a projection into the future, examining the possible impacts of an incident many years after it happened.\r\nSymantec researchers published an analysis that demonstrates the link between a series of attacks on more than 30 companies and the cyber espionage attacks launched against Google three years ago, the so-called Operation Aurora.\r\nOperation Aurora is considered an epic cyber attack which happened during the second half of 2009 and was publicly disclosed by Google in January 2010.\r\nThe sophisticated attacks appeared to have originated in China and were aimed at dozens of other organizations, including Adobe Systems and Juniper Networks, which confirmed the incident. The press is also convinced that other companies were targeted, such as Morgan Stanley, Northrop Grumman, and Yahoo.\r\nThe Aurora attack is one of the most complex operations due to the attackers’ capability to exploit several 0-day vulnerabilities, including one in the popular Internet Explorer browser. In 2010, a notable zero-day exploit was linked to a group of hackers that used a Trojan horse called “Aurora”, distributed using an Internet Explorer (IE) zero-day, and targeted a large number of Western companies.\r\nAccording to the security firm Symantec, the hackers behind the attacks still have knowledge of 0-day vulnerabilities, and at least four of them have been used in recent attacks against different targets across strategic sectors such as energy, defense, aeronautics, and finance.\r\nOrla Cox, senior manager at Symantec’s security response division, reported that the group has exploited at least eight zero-day vulnerabilities since late 2010, and four since last spring. She said:\r\n“We were amazed when Stuxnet used four zero-days, but this group has been able to discover eight zero-days. More, the fact that they have prepared [their attacks] and are ready to go as soon as they have a new zero-day, and the speed with which they use these zero-days, is something we’ve not seen before.”\r\nThe security firm’s report states:\r\n“This group is focused on wholesale theft of intellectual property and clearly has the resources, in terms of manpower, funding, and technical skills, required to implement this task,”\r\n“The group seemingly has an unlimited supply of zero-day vulnerabilities.”\r\nThe attacks that are part of the cyber espionage campaign discovered by Symantec have been named the “Elderwood Project”; their execution has exploited 0-day vulnerabilities in many widely used software products, including Internet Explorer and Adobe Flash Player.\r\nThe experts from Symantec declared that some of the exploits were developed using knowledge of stolen source code.\r\n“In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled application,”\r\n“This effort would be substantially reduced if they had access to the source code. The group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent.”\r\nThe attacks conducted in recent months have used an unusual method to infect victims with malware: it has been named the “watering hole” attack and consists of injecting malicious code into the public Web pages of a site that the targets are expected to visit.\r\nThe injection method isn’t new and is commonly used by cyber criminals and hackers; the main difference between its use in cybercrime and in watering hole attacks lies in the choice of websites to compromise and use in the attacks.\r\nThe attackers haven’t compromised websites indiscriminately; they have focused on choosing websites within a particular sector in order to infect persons of interest who likely work in that same sector and are therefore likely to visit related websites. The Symantec report states:\r\n“Targeting a specific website is much more difficult than merely locating websites that contain a vulnerability. The attacker has to research and probe for a weakness on the chosen website.\r\nIndeed, in watering hole attacks, the attackers may compromise a website months before they actually use it in an attack. Once compromised, the attackers periodically connect to the website to ensure that they still have access. This way, the attackers can infect a number of websites in one stroke, thus preserving the value of their zero-day exploit. They are even in a position to inspect the website logs to identify any potential victims of interest. This technique ensures that they obtain the maximum return for their valuable zero-day exploit.”\r\nOnce a victim visits the compromised site, the 0-day exploit designed for the software installed on the victim’s machine makes it possible to infect it.\r\nSymantec researchers have detected this method being used with at least three different zero-day exploits in the last month.\r\nThe researchers believe that a specific platform has been implemented to conduct the operations: all the attacks use a Trojan to infect the target computer, which is packaged with a packer and with the address of the command-and-control (C\u0026C) server. The malware is delivered to the final victim either through an email or through a web-based vector.\r\nI opened the post supporting the idea that the Aurora attacks are state-sponsored; it’s clear that I have no evidence for this, but the nature of the job, the targets chosen and the complexity of the operations make me believe that it is the result of a government project.\r\nThe only certainty, according to Symantec, is a connection between the most recent attacks and those conducted in 2011, demonstrable through common technical features and a noticeable similarity in the timing of the attacks and in the types of vulnerabilities used in the 2012 and 2011 attacks.\r\n“After this initial compromise, the attackers consolidate their beachhead and begin to analyze the stolen information, spreading through networks and maintaining access as needed. By analyzing the information gathered, the attackers can identify yet more targets of interest”\r\nCox said Symantec has no hard evidence of this:\r\n“But this is a full-time job,”\r\n“The work they do is both skilled and time consuming. They would have to work at it full time, so someone is paying them to do this.”\r\n“The analysis has shown that certain organizations have been hit in different ways, indicating that they’re of particular interest to [their paymasters],”\r\nI leave all the interpretations of the Symantec expert’s words to you, but I think that her view is not far from mine.\r\nWhile we wait for further analysis, any manufacturers in the defense supply chain need to be wary of these types of attacks. Subsidiaries, business partners, and associated companies are particularly attractive targets, an easy way to penetrate the defenses of large companies\r\n… raise your guard, the enemy may already be in.\r\nPierluigi Paganini\r\n(Security Affairs – Elderwood Project, Operation Aurora)\r\nSource: http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html"
	],
	"report_names": [
		"elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html"
	],
	"threat_actors": [
		{
			"id": "a339e456-3f5a-40e9-b293-233281105e85",
			"created_at": "2022-10-25T15:50:23.260847Z",
			"updated_at": "2026-04-10T02:00:05.248583Z",
			"deleted_at": null,
			"main_name": "Elderwood",
			"aliases": [
				"Elderwood",
				"Elderwood Gang",
				"Beijing Group",
				"Sneaky Panda"
			],
			"source_name": "MITRE:Elderwood",
			"tools": [
				"PoisonIvy",
				"Naid",
				"Briba",
				"Hydraq",
				"Linfo",
				"Nerex",
				"Vasport",
				"Wiarp",
				"Pasam"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "57d2c58d-0445-441f-b94f-99d217b9e3c4",
			"created_at": "2023-01-06T13:46:38.327743Z",
			"updated_at": "2026-04-10T02:00:02.930027Z",
			"deleted_at": null,
			"main_name": "Beijing Group",
			"aliases": [
				"Elderwood",
				"Elderwood Gang",
				"SIG22",
				"G0066",
				"SNEAKY PANDA"
			],
			"source_name": "MISPGALAXY:Beijing Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434540,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e32efa4dfa8b308196da1ca9bf53b2f4a3bf5bab.pdf",
		"text": "https://archive.orkl.eu/e32efa4dfa8b308196da1ca9bf53b2f4a3bf5bab.txt",
		"img": "https://archive.orkl.eu/e32efa4dfa8b308196da1ca9bf53b2f4a3bf5bab.jpg"
	}
}