Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]

ID: G0066
Associated Groups: Elderwood Gang, Beijing Group, Sneaky Panda
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 1.1
Created: 18 April 2018
Last Modified: 30 March 2020

Associated Group Descriptions

Name Description
Elderwood Gang [2] [3]
Beijing Group [3]
Sneaky Panda [3]

Techniques Used

Domain ID Name Use
Enterprise T1189 Drive-by Compromise

Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector.[2][3][1]
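One practical control against the watering-hole delivery described above is to periodically fetch pages your staff are known to visit (or your own public site) and diff their remote-loading elements against a baseline. The script below is an added example, not Elderwood tooling or anything from the cited reports: it parses a saved copy of a page with the standard library, lists every script, iframe, object and embed source, and flags sources outside an assumed allow-list of origins as well as iframes that are sized or styled to be invisible, the classic shape of an injected exploit-kit loader. The allow-list, hostnames and the sample HTML are constructed for illustration.

```python
"""Watering-hole integrity check (added example, not code from the page).

Parses a page and reports resources loaded from origins outside a baseline
allow-list plus iframes that are hidden or zero-sized. The sample page and
allow-list below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed baseline: origins the monitored page is expected to load from.
BASELINE_ORIGINS = {"www.example-ngo.org", "cdn.example-ngo.org"}

# Constructed sample: a legitimate page with two injected elements at the end.
SAMPLE_PAGE = """
<html><head>
<script src="https://cdn.example-ngo.org/js/site.js"></script>
</head><body>
<h1>Annual report</h1>
<iframe src="https://www.example-ngo.org/embed/video" width="640" height="360"></iframe>
<script src="http://203.0.113.10/stats/counter.js"></script>
<iframe src="http://203.0.113.10/ad.html" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

HIDDEN_STYLES = ("display:none", "visibility:hidden")


class ResourceCollector(HTMLParser):
    """Collect every tag that pulls remote content into the page."""

    SRC_ATTR = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, url, attrs dict)

    def handle_starttag(self, tag, attrs):
        attr = self.SRC_ATTR.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr)
        if url:
            self.resources.append((tag, url, attrs))


def is_hidden(attrs):
    """True for zero-sized frames or inline styles that make the frame invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    zero_sized = attrs.get("width") == "0" or attrs.get("height") == "0"
    return zero_sized or any(s in style for s in HIDDEN_STYLES)


def find_injected_resources(html, baseline_origins=BASELINE_ORIGINS):
    """Return findings as (reason, tag, url) tuples.

    Relative URLs (no hostname) are treated as same-origin and not flagged.
    """
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.resources:
        host = urlparse(url).hostname
        if host and host not in baseline_origins:
            findings.append(("foreign-origin", tag, url))
        if tag == "iframe" and is_hidden(attrs):
            findings.append(("hidden-iframe", tag, url))
    return findings


if __name__ == "__main__":
    for reason, tag, url in find_injected_resources(SAMPLE_PAGE):
        print(f"{reason}: <{tag}> {url}")
```

Run against a page fetched on a schedule, the two findings on the injected script and the hidden iframe are exactly what an operator would want alerted on; a real deployment would also baseline inline script hashes, since injections are not always external references.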

Enterprise T1203 Exploitation for Client Execution

Elderwood has exploited vulnerabilities in endpoint software, including Microsoft Internet Explorer and Adobe Flash, to gain execution. They have also used zero-day exploits.[2]

Enterprise T1105 Ingress Tool Transfer

The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[4]

Enterprise T1027 Obfuscated Files or Information

Elderwood has encrypted documents and malicious executables.[2]

.002 Software Packing

Elderwood has packed malware payloads before delivery to victims.[2]
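Packed or encrypted payloads defeat static signatures, but they leave a statistical footprint: compressed or encrypted bytes have near-maximal entropy, while ordinary code and data do not. The script below is an added example, not code from the page or from the cited reports; it computes Shannon entropy over fixed-size chunks of a file and calls the file "likely packed" when most chunks exceed an assumed threshold. Both sample inputs are constructed here (repeated text for the unpacked case, a SHA-256 chain standing in for a packed payload); a real triage script would apply the same function per PE section rather than over the whole file.

```python
"""Entropy-based packing heuristic (added example, not code from the page).

The threshold and sample inputs are assumptions for illustration.
"""
import hashlib
import math
from collections import Counter

CHUNK = 1024            # bytes per window
PACKED_THRESHOLD = 7.0  # bits per byte; heuristic cut-off, assumed
MIN_FRACTION = 0.5      # fraction of windows that must be high-entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 for empty input, max 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = CHUNK):
    """Entropy of each full-size window; a short trailing window is dropped."""
    return [
        shannon_entropy(data[i:i + chunk])
        for i in range(0, len(data) - chunk + 1, chunk)
    ]


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD,
                 min_fraction: float = MIN_FRACTION) -> bool:
    """True when at least min_fraction of windows are at or above threshold."""
    profile = entropy_profile(data)
    if not profile:
        return False
    high = sum(1 for e in profile if e >= threshold)
    return high / len(profile) >= min_fraction


def pseudo_random_bytes(n: int, seed: bytes = b"entropy-example") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) to stand in for a packed payload."""
    out = bytearray()
    h = seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples: text-like content versus a simulated packed section.
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 100
PACKED_SAMPLE = pseudo_random_bytes(4096)


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        prof = entropy_profile(blob)
        print(f"{name}: max={max(prof):.2f} bits/byte packed={looks_packed(blob)}")
```

Entropy alone is a triage signal, not a verdict: legitimate installers, media files and signed binaries with embedded certificates also score high, so the result belongs in a scoring pipeline alongside section names, import counts and entry-point location.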

Enterprise T1566 .002 Phishing: Spearphishing Link

Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.[2][3]

.001 Phishing: Spearphishing Attachment

Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.[2][3]

Enterprise T1195 Supply Chain Compromise

Elderwood has targeted manufacturers in the supply chain for the defense industry.[2]

Enterprise T1204 .002 User Execution: Malicious File

Elderwood has used multiple types of spearphishing to get users to open malicious attachments.[2][3]

.001 User Execution: Malicious Link

Elderwood has used multiple types of spearphishing to get users to open malicious links.[2][3]

Software

ID Name References
Techniques

S0204 Briba [2]
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Commonly Used Port, Create or Modify System Process: Windows Service, Ingress Tool Transfer, Signed Binary Proxy Execution: Rundll32

S0203 Hydraq [2]
Access Token Manipulation, Create or Modify System Process: Windows Service, Data from Local System, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Alternative Protocol, File and Directory Discovery, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, Shared Modules, System Information Discovery, System Network Configuration Discovery, System Service Discovery, System Services: Service Execution

S0211 Linfo [2]
Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Process Discovery, Scheduled Transfer, System Information Discovery

S0205 Naid [2]
Commonly Used Port, Create or Modify System Process: Windows Service, Modify Registry, System Information Discovery, System Network Configuration Discovery

S0210 Nerex [2]
Create or Modify System Process: Windows Service, Ingress Tool Transfer, Modify Registry, Subvert Trust Controls: Code Signing

S0208 Pasam [2]
Boot or Logon Autostart Execution: LSASS Driver, Commonly Used Port, Data from Local System, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Process Discovery, System Information Discovery

S0012 PoisonIvy [2]
Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit

S0207 Vasport [2]
Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Ingress Tool Transfer, Proxy

S0206 Wiarp [2]
Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Ingress Tool Transfer, Process Injection

References