Stealing US business secrets: Experts ID two huge cyber 'gangs' in China
Two large operations in China account for 90 percent of cyberespionage against US business, one expert says. Research suggests the scope of the operations could be breathtaking.
(Page 2 of 3)
Today, 2-1/2 years later, Google has abandoned the Chinese market, but Elderwood is alive and doing quite well, its cyberspies busy as ever, the Symantec analysis shows. Second-tier defense industry suppliers that make electronic or mechanical components for top defense companies are the gang's specialty. Those firms then become a cyber "stepping stone to gain access to top-tier defense contractors," the report says.
But Elderwood's appetite for information is broad and its capacity far larger than the defense industry alone. So, in at least eight major "campaigns" in less than two years, the gang has slipped into the networks of US shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and, of course, software companies, Symantec reports.
In most cases, Elderwood uses a convincing "spear-phishing" fake e-mail to fool an employee into clicking an infected e-mailed link or into opening a Trojan software-infected attachment that creates a digital backdoor for the cyberspies. In many cases, these attacks have utilized costly "zero-day" malware that takes advantage of a previously unknown flaw against which no defense exists. Such technology would sell for at least six figures on the cyber black market, leading many to conclude the group is exceedingly well funded.
Lately, however, Elderwood has taken to infecting legitimate websites frequented by employees of the target company – a so-called "water hole" attack, just as lions stake out a watering hole for their prey. Elderwood infects these less-secure sites with malware that downloads to the computer of any employee who visits the site. After that, the gang snoops inside the network to which the infected computer is connected, finding and finally downloading executives' e-mails and critical documents on company plans, decisions, acquisitions, and product designs.
"Victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property," Symantec reports. "The resources required to identify and acquire useful information – let alone analyze that information – could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself."
This sort of activity is hardly unknown to US cybersecurity experts, who have long dubbed it the "advanced persistent threat" – a euphemism taken to mean espionage threats originating from China. Mr. Stewart of Dell Secureworks has traced the activity of the Elderwood Gang (which he calls the Beijing Group) and the Comment Crew (which he calls the Shanghai Group) back to 2005-2006. He says they are responsible for perhaps 90 percent of all economic espionage against the US today.
"Both groups surface time and again in different reports you read," he says. "Someone discovers some malware and gives it a snazzy name. But it's all the same activity underneath."
Technical links – including IP addresses, domain names, malware signatures, and other technical factors – show Elderwood was behind the attack on Google, which is known as Operation Aurora, he says.
Stewart also ties Elderwood to other major hacks, including one against Tibetan activists – the "GhostNet" global cyberespionage network documented by University of Toronto researchers in 2010 – and the major hack of RSA, the Bedford, Mass., cybersecurity subsidiary of EMC Corporation.