Today, 2-1/2 years later, Google has abandoned the Chinese market, but Elderwood is alive and doing quite well, its cyberspies busy as ever, the Symantec analysis shows. Second-tier defense industry suppliers that make electronic or mechanical components for top defense companies are the gang's specialty. Those firms then become a cyber "stepping stone to gain access to top-tier defense contractors," the report says.
But Elderwood's appetite for information is broad and its capacity far larger than the defense industry alone. So, in at least eight major "campaigns" in less than two years, the gang has slipped into the networks of US shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and, of course, software companies, Symantec reports.
In most cases, Elderwood uses a convincing "spear-phishing" fake e-mail to fool an employee into clicking an infected e-mailed link or into opening a Trojan-infected attachment that creates a digital backdoor for the cyberspies. In many cases, these attacks have utilized costly "zero-day" malware that takes advantage of a previously unknown flaw against which no defense yet exists. Such technology would sell for at least six figures on the cyber black market, leading many to conclude the group is exceedingly well funded.
Lately, however, Elderwood has taken to infecting legitimate websites frequented by employees of the target company – a so-called "water hole" attack, just as lions stake out a watering hole for their prey. Elderwood infects these less-secure sites with malware that downloads to the computer of anyone who visits the site. After that, the gang snoops inside the network to which the infected computer is connected, finding and finally downloading executives' e-mails and critical documents on company plans, decisions, acquisitions, and product designs.