An elite hacker group targeting defense industry sub-contractors has an inexhaustible supply of zero-days, or vulnerabilities that have yet to be publicised, much less patched, according to Symantec.
In a blog post, the security firm said, "The group seemingly has an unlimited supply of zero-day vulnerabilities."
Symantec also laid out its analysis of the gang, which it said was behind a slew of attacks dubbed the "Elderwood Project," after a source code variable used by the hackers.
Among the group's distinguishing characteristics, said Orla Cox, senior manager at Symantec's security response division, is its exploitation of at least eight zero-day vulnerabilities since late 2010, and four in a 16-week span this spring and summer.
"We've never seen a group use so many zero-days," said Cox in an interview today. "We were amazed when Stuxnet used four zero-days, but this group has been able to discover eight zero-days. More, the fact that they have prepared [their attacks] and are ready to go as soon as they have a new zero-day, and the speed with which they use these zero-days, is something we've not seen before."
Stuxnet, first uncovered in 2010, relied on exploits of four different Windows zero-day vulnerabilities to infiltrate its targets, which most analysts now believe were Iranian nuclear fuel enrichment facilities.
Cox said that Symantec believes the hackers found the zero-days themselves, and did not purchase them from other sources.
According to Symantec's research, Elderwood exploited one zero-day in December 2010, three in 2011 and four this year during a stretch from 24 April to 15 August.
The 2010 zero-day attributed to the gang was notable: It was used by a Trojan horse called "Aurora" by most security experts, and pegged "Hydraq" by Symantec. Aurora was delivered using an Internet Explorer (IE) zero-day, and targeted a large number of Western companies, including Google.
Google accused Chinese hackers of breaking into its network using Aurora, a charge that prompted the search giant to threaten a shut-down of its Chinese operations.
Symantec found links between the Aurora/Hydraq attacks of late 2009 and early 2010 and the campaigns that exploited eight zero-days over the last 20+ months.
The security company connected the dots between the various attack campaigns by comparing elements ranging from the underlying command-and-control (C&C) infrastructure; the way the code in each Trojan was obfuscated, or masked; and the apparent sharing of a single custom-built malware development platform, said Cox.
The Elderwood campaign's targets also provided clues that the exploits of the eight zero-days were connected.
Elderwood focuses on defense sub-contractors, second-tier companies that manufacture electronic or mechanical components that are then sold to first-tier defense firms.
Symantec believes that the attacks are aimed at sub-contractors because the attackers find them easier to exploit. After infecting Windows PCs there, the hackers use them to forge a beachhead in companies further up the supply chain.
The Elderwood gang specializes in finding and exploiting zero-days in Microsoft's IE browser and Adobe's Flash Player.
Cox called the group one of the "more elite" hacker teams, and even cited what she called their "professionalism."
"The manner in which they've structured the work, dividing it among themselves, shows a certain professionalism," Cox said. "They have a development platform in place, so they just need to pull all these components together to launch a new attack. With the group's sophistication, they can quickly and easily pull together a new attack."
This year, for example, the Elderwood group shifted gears several times, quickly returning to the attack with an exploit of a new zero-day each time its predecessor was sniffed out by security researchers.
"This year, they used a Flash zero-day in April, then a couple of weeks later one in IE, then two or three weeks after that, another, one after the other," said Cox.
Some of the zero-days attributed to Elderwood have been among the highest-profile bugs uncovered and patched this year. The vulnerability exploited by Elderwood in late May, CVE-2012-1889, was in Microsoft XML Core Services (MSXML). Attacks circulated widely enough that other security firms noticed, prodding Microsoft to patch the vulnerability in its July security update slate.
The speed with which the hackers regroup after the patching of a vulnerability told Cox that they were extremely skilled. "I would suspect, based on the speed of their attacks, that they have some sort of stockpile of zero-days," she said. "I have to assume that they have more in their arsenal than we've found."
As always when researchers pull aside the curtain on a hard-working hacker gang, the immediate assumption by many is that the attackers are backed by a government. That's not necessarily the case, according to Cox, who said Symantec had no hard evidence.
"But this is a full-time job," she said, and requires a large team to dig up vulnerabilities, build exploits, bundle them into malware, launch attacks and then digest the information they've stolen. "The work they do is both skilled and time consuming. They would have to work at it full time, so someone is paying them to do this."
She said it's likely that the group is working on a contractual basis, and attacking targets identified for them by their backer. "The analysis has shown that certain organisations have been hit in different ways, indicating that they're of particular interest to [their paymasters]," Cox added.
While there's little chance an average computer user will fall victim to the targeted attacks launched by Elderwood, which are generally conducted using emails aimed at specific individuals, the gang also uses the "watering hole" strategy to infect PCs.
In a watering hole campaign, hackers identify likely targets, even down to the individual level, then scout out which websites those targets visit frequently. Next the attackers compromise one or more of those sites, plant malware on them, and, like a lion waiting at a watering hole for prey, wait for unwary users to surf there.
In those cases, the general public can be, as Cox put it, "collateral damage."