>samit_hota
Back to adversary profiles
G0066HighDormant

Threat Actor Profile: Elderwood (G0066)

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Intellectual Property Theft
Aliases
Elderwood Gang, Beijing Group, Sneaky Panda
Target Sectors
Defense, Supply Chain, Human Rights, NGOs, IT Service Providers, Shipping, Aeronautics, Arms, Energy, Manufacturing, Engineering, Electronics, Financial, Software
Associated Malware
Hydraq (Aurora) Trojan, Ritsol, Backdoor.Naid, Backdoor.Linfo
#threat-actor#g0066

Overview

Elderwood, also known by aliases such as Elderwood Gang, Beijing Group, and Sneaky Panda (MITRE ATT&CK ID: G0066), stands out as a highly sophisticated and resource-rich cyber espionage group. We assess with high confidence that this group originates from China, with strong indications of state sponsorship, and their operations have historically been aligned with intelligence gathering for national interests. Their primary motivation is the wholesale theft of intellectual property and sensitive intelligence from targeted organizations.

The group gained notoriety for its involvement in the infamous 2009 Google intrusion, dubbed “Operation Aurora,” which set a new precedent for advanced persistent threats (APTs). Elderwood systematically targets a broad spectrum of sectors critical to national security and economic advantage. These include, but are not limited to, defense organizations, their extensive supply chain manufacturers, human rights and non-governmental organizations (NGOs), and IT service providers. Beyond these, they’ve also demonstrated interest in shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software industries. The group’s operations highlight a sustained and patient approach to achieve their strategic objectives.

Tactics & Techniques

Elderwood’s operational methodology demonstrates a mastery of targeted attack vectors, primarily leveraging highly effective spear-phishing campaigns and sophisticated watering hole attacks. For spear-phishing, they deliver zero-day exploits and malware via targeted emails containing malicious attachments or links to compromised content.

Their watering hole attacks are particularly noteworthy for their strategic precision. Elderwood would meticulously identify legitimate public websites frequently visited by their ultimate targets within specific sectors – for example, industry forums for defense contractor employees, or sites relevant to human rights activists. Once a suitable watering hole was identified, the group would compromise the website, often through vulnerabilities like SQL injection, and inject malicious JavaScript containing an iframe that silently redirected visitors to an exploit server. When a susceptible target browsed the compromised site, a zero-day exploit would fire automatically in their browser, leading to system compromise and malware delivery. This approach allowed them to passively ensnare specific victims without direct interaction, sometimes maintaining persistent access to these compromised sites for months before activating the attack.

A hallmark of Elderwood’s tactics is their seemingly inexhaustible supply and rapid deployment of zero-day vulnerabilities. Between 2010 and 2014, they were responsible for deploying at least 11 distinct zero-day exploits, predominantly targeting common client-side software like Microsoft Internet Explorer and Adobe Flash. This capability is indicative of significant resources, either through in-house development by highly skilled individuals or through the acquisition of exploits from third-party brokers. They utilized techniques such as exploitation for client execution and drive-by compromise to gain initial access. Once initial access was established, they employed ingress tool transfer to introduce further malicious payloads. To evade detection, Elderwood also employed obfuscation techniques, including software packing and encrypting both documents and malicious executables.

Notable Campaigns

Elderwood is synonymous with some of the most impactful cyber incidents of the past two decades:

  • Operation Aurora (2009): This watershed event publicly exposed Elderwood’s capabilities. Targeting Google, Adobe Systems, Akamai Technologies, Juniper Networks, Rackspace, and reportedly Yahoo, Symantec, Northrop Grumman, Morgan Stanley, and Dow Chemical, the operation successfully exfiltrated Google’s source code and accessed Gmail accounts of Chinese dissidents. The fallout was significant, leading to a diplomatic incident between the U.S. and China and Google’s public consideration of withdrawing from the Chinese market.
  • Bit9 Supply Chain Attack (2012-2013): This operation was a sophisticated precursor to many modern supply chain attacks. Elderwood compromised Bit9 (now Carbon Black), a security firm providing application whitelisting solutions to U.S. defense contractors. The attackers leveraged SQL injection to breach Bit9’s internal network, subsequently stealing code-signing certificates. These stolen certificates were then used to sign malicious files, making them appear legitimate and enabling their deployment into the networks of Bit9’s defense contractor clientele, effectively using a trusted vendor as a vector to reach high-value targets.
  • US Veterans of Foreign Wars (VFW) Website Compromise (2014): In February 2014, the official website for the U.S. Veterans of Foreign Wars (vfw.org) was compromised. This watering hole attack delivered a zero-day exploit (CVE-2014-0322) affecting Internet Explorer versions 9 and 10, specifically targeting U.S. military personnel likely to visit the site. This demonstrated Elderwood’s continued reliance on zero-days and strategic targeting of personnel.

Associated Malware & Tools

Elderwood’s operations have consistently relied on a sophisticated and evolving toolkit, underpinned by what’s referred to as the “Elderwood platform”. This modular and shared exploit framework was notable for being one of the first documented cases of multiple distinct APT subgroups leveraging the same technical infrastructure. The platform comprises components like a Document Creation Kit, which automates the weaponization of clean documents with exploit code and payloads, and a shared ShockWave Flash (SWF) file designed to handle memory conditions and payload delivery across various exploits.

Key malware families associated with Elderwood include:

  • Hydraq (Aurora) Trojan (MITRE ID: S0203): This fully-featured backdoor served as the anchor malware for the Operation Aurora campaign. Hydraq’s capabilities included creating Windows services for persistence, clearing event logs, conducting extensive process and system discovery, manipulating the registry, capturing screens via VNC-style streaming, and exfiltrating data over port 443 with obfuscated traffic.
  • Ritsol backdoor trojan: This malware provides remote file download capabilities to compromised hosts.
  • Backdoor.Naid: Another backdoor trojan frequently observed in Elderwood’s operations, particularly those linked to Aurora.
  • Backdoor.Linfo: This backdoor was notably used in attacks dating back to 2012 and was again observed being dropped via a CVE-2014-0324 exploit in 2014.

Current Status

Elderwood’s most prominent and publicly documented cyber espionage campaigns, characterized by distinct named operations and heavy reliance on their unique “Elderwood platform” for zero-day deployment, largely peaked in the early to mid-2010s. The last significant activity directly attributed to Elderwood under its specific moniker or aliases concluded around 2014, with Symantec reporting on the continued use of the “Elderwood platform” by multiple, distinct attack groups.

Since 2014, direct public reporting on new, named Elderwood (G0066) campaigns has become scarce. While the technical capabilities and personnel associated with such a sophisticated state-sponsored group likely remain active, their activities may have evolved, rebranded under different group names, or merged into broader operational structures. Therefore, as a distinct, named threat actor, Elderwood (G0066) appears to be dormant, with no new campaigns publicly attributed to this specific entity in recent years. However, this does not imply the cessation of the underlying capabilities or the individuals responsible for these past intrusions.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call