Elderwood

Threat Actor Profile Updated 3 months ago
Elderwood, also known as the Elderwood Group or the Beijing Group, is a threat actor believed to be responsible for numerous high-profile intrusions and espionage campaigns. Its activity dates back to at least 2005-2006 and has been linked to several significant incidents, including "Operation Aurora," the 2009 intrusion into Google and other organizations that was disclosed in January 2010. The group is known for exploiting zero-day vulnerabilities in widely used software such as Internet Explorer and Adobe Flash Player; Symantec documented this seemingly unlimited supply of zero-days under the name "Elderwood Project." Shared infrastructure and tooling, such as IP addresses, domain names, and malware signatures, tie Elderwood to these attacks.

Elderwood's typical initial-access technique is spear-phishing: a seemingly legitimate email tricks an employee into clicking a malicious link or opening a malware-laden attachment, which installs a backdoor for the attackers. The group has also been linked in reporting to the "GhostNet" campaign against Tibetan activists, uncovered in 2009, and to the 2011 breach of RSA, a security firm based in Bedford, Massachusetts. Despite this visibility, Elderwood remains active, its operations largely unimpeded because its operators sit beyond the reach of the jurisdictions they target.

Among the identifiable Chinese cyber-espionage groups, Elderwood and the Comment Crew (also known as Comment Panda or the Shanghai Group) are the most prominent. The two groups operate independently; both were publicly identified by Dmitri Alperovitch during his tenure at McAfee in 2011. Despite Google's withdrawal from the Chinese market following Operation Aurora, Elderwood continues to operate, including through "watering hole" attacks in which it compromises less secure websites frequented by its targets so that malware is delivered to a visitor's computer when the site is viewed. Elderwood's cyber-espionage activity is ongoing, and the group continues to pose a persistent threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name (votes): profile description

Comment Crew (1 vote): Comment Crew, also known as APT1 or Unit 61398, is a significant threat actor attributed to the 3rd Department of China's People's Liberation Army (PLA) General Staff Department. The group has been active since at least 2005-2006, as traced by Joe Stewart of Dell SecureWorks. Among the myriad of Chinese

Beijing Group (1 vote): no description

Comment Panda (1 vote): Comment Panda, also known as Comment Crew and APT1, is a threat actor associated with Unit 61398 of the People's Liberation Army in China. The term "threat actor" refers to a human entity that executes actions with malicious intent, which could be an individual, a private company, or

Ghostnet (1 vote): GhostNet, a threat actor identified as a significant cybersecurity concern, was uncovered in 2009 as a cyber-espionage operation that infiltrated computers across 103 countries. The operation demonstrated the vulnerability of government agencies and embassies worldwide to targeted cyber attacks. In
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Phishing
Trojan
Malware
Espionage
Symantec
Associated Malware
Name (type; votes): profile description

Aurora (type unspecified; 2 votes): Aurora, the backdoor Trojan detected by Symantec as Hydraq, is malware used to compromise computer systems, typically delivered through malicious downloads, emails, or websites. It has been used in a series of high-profile cyber attacks, most notably Operation Aurora in 2009, which targeted major technology co

Operation Aurora (type unspecified; 1 vote): Operation Aurora, sometimes associated with the APT17 cluster, is an espionage operation that began in 2009 and is considered one of the most sophisticated cyber attacks of its time. It is noted for supply-chain attacks, which are attempts to damage an organization by targeting less secure elements in its supply
Associated Threat Actors
Name (type; votes): profile description

Elderwood Gang (type unspecified; 1 vote): no description
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Elderwood threat actor was read from the documents in the corpus below.

Source (created): title

CERT-EU (9 months ago): Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers

MITRE (a year ago): Elderwood project, who is behind Op. Aurora and ongoing attacks? - Security Affairs

MITRE (a year ago): Stealing US business secrets: Experts ID two huge cyber 'gangs' in China