In most cases, Elderwood uses a convincing "spear-phishing" e-mail to fool an employee into clicking a malicious link or opening a Trojan-infected attachment that creates a digital backdoor for the cyberspies. In many cases, these attacks have used costly "zero-day" malware that exploits a previously unknown flaw for which no defense yet exists. Such technology would sell for at least six figures on the cyber black market, leading many to conclude that the group is exceedingly well funded.
Lately, however, Elderwood has taken to infecting legitimate websites frequented by employees of the target company – a so-called "water hole" attack, just as lions stake out a watering hole for their prey. Elderwood infects these less-secure sites with malware that downloads onto the computer of anyone who visits the site. After that, the gang snoops inside the network to which the infected computer is connected, finding and finally downloading executives' e-mails and critical documents on company plans, decisions, acquisitions, and product designs.
"Victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property," Symantec reports. "The resources required to identify and acquire useful information – let alone analyze that information – could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself."
This sort of activity is hardly unknown to US cybersecurity experts, who have long dubbed it the "advanced persistent threat" – a euphemism taken to mean espionage threats originating from China. Mr. Stewart of Dell SecureWorks has traced the activity of the Elderwood Gang (which he calls the Beijing Group) and the Comment Crew (which he calls the Shanghai Group) back to 2005-2006. He says they are responsible for perhaps 90 percent of all economic espionage against the US today.
"Both groups surface time and again in different reports you read," he says. "Someone discovers some malware and gives it a snazzy name. But it's all the same activity underneath."