1. Home
  2. Groups
  3. Elderwood

Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]

ID: G0066
Associated Groups: Elderwood Gang, Beijing Group, Sneaky Panda
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 1.3
Created: 18 April 2018
Last Modified: 11 April 2024
Version Permalink

Associated Group Descriptions

Name Description
Elderwood Gang

[2] [3]
Beijing Group

[3]
Sneaky Panda

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1189 Drive-by Compromise

Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector.[2][3][1]
Enterprise T1203 Exploitation for Client Execution

Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits.[2]
Enterprise T1105 Ingress Tool Transfer

The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[4]
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Elderwood has packed malware payloads before delivery to victims.[2]
.013 Obfuscated Files or Information: Encrypted/Encoded File

Elderwood has encrypted documents and malicious executables.[2]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.[2][3]
.002 Phishing: Spearphishing Link

Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.[2][3]
Enterprise T1204 .001 User Execution: Malicious Link

Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.[2][3]
.002 User Execution: Malicious File

Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments.[2][3]

Software

ID Name References Techniques
S0204 Briba [2] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Ingress Tool Transfer, System Binary Proxy Execution: Rundll32
S0203 Hydraq [2] Access Token Manipulation, Create or Modify System Process: Windows Service, Data from Local System, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Alternative Protocol, File and Directory Discovery, Indicator Removal: File Deletion, Indicator Removal: Clear Windows Event Logs, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, Shared Modules, System Information Discovery, System Network Configuration Discovery, System Service Discovery, System Services: Service Execution
S0211 Linfo [2] Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Fallback Channels, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Process Discovery, Scheduled Transfer, System Information Discovery
S0205 Naid [2] Create or Modify System Process: Windows Service, Modify Registry, System Information Discovery, System Network Configuration Discovery
S0210 Nerex [2] Create or Modify System Process: Windows Service, Ingress Tool Transfer, Modify Registry, Subvert Trust Controls: Code Signing
S0208 Pasam [2] Boot or Logon Autostart Execution: LSASS Driver, Data from Local System, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Process Discovery, System Information Discovery
S0012 PoisonIvy [2] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0207 Vasport [2] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Ingress Tool Transfer, Proxy
S0206 Wiarp [2] Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Ingress Tool Transfer, Process Injection

References

  1. Paganini, P. (2012, September 9). Elderwood project, who is behind Op. Aurora and ongoing attacks?. Retrieved February 13, 2018.
  2. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  1. Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.
  2. Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.