Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]

ID: G0066
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.

Version: 1.0

Associated Group Descriptions

Name | Description
Elderwood Gang | [2] [3]
Beijing Group | [3]
Sneaky Panda | [3]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1189 | Drive-by Compromise | Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector. [2] [3] [1]
Enterprise | T1203 | Exploitation for Client Execution | Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer and Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits. [2]
Enterprise | T1027 | Obfuscated Files or Information | Elderwood has encrypted documents and malicious executables. [2]
Enterprise | T1105 | Remote File Copy | The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location. [4]
Enterprise | T1045 | Software Packing | Elderwood has packed malware payloads before delivery to victims. [2]
Enterprise | T1193 | Spearphishing Attachment | Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments. [2] [3]
Enterprise | T1192 | Spearphishing Link | Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server. [2] [3]
Enterprise | T1195 | Supply Chain Compromise | Elderwood has targeted manufacturers in the supply chain for the defense industry. [2]
Enterprise | T1204 | User Execution | Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links and attachments. [2] [3]

Software

ID | Name | References | Techniques
S0204 | Briba | [2] | Commonly Used Port, New Service, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32
S0203 | Hydraq | [2] | Access Token Manipulation, Custom Cryptographic Protocol, Data from Local System, Execution through Module Load, Exfiltration Over Alternative Protocol, File and Directory Discovery, File Deletion, Indicator Removal on Host, Modify Registry, New Service, Obfuscated Files or Information, Process Discovery, Query Registry, Remote File Copy, Screen Capture, Service Execution, System Information Discovery, System Network Configuration Discovery, System Service Discovery
S0211 | Linfo | [2] | Command-Line Interface, Data from Local System, Fallback Channels, File and Directory Discovery, File Deletion, Process Discovery, Remote File Copy, Scheduled Transfer, System Information Discovery
S0205 | Naid | [2] | Commonly Used Port, Custom Command and Control Protocol, Modify Registry, New Service, System Information Discovery, System Network Configuration Discovery
S0210 | Nerex | [2] | Code Signing, Modify Registry, New Service, Remote File Copy
S0208 | Pasam | [2] | Commonly Used Port, Data from Local System, File and Directory Discovery, File Deletion, LSASS Driver, Process Discovery, Remote File Copy, System Information Discovery
S0012 | PoisonIvy | [2] | Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port
S0207 | Vasport | [2] | Connection Proxy, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol
S0206 | Wiarp | [2] | Command-Line Interface, Commonly Used Port, New Service, Process Injection, Remote File Copy

References