Elderwood, also known as the Elderwood Group or the Beijing Group, is a threat actor believed to be responsible for numerous high-profile cyber attacks and espionage campaigns. The group's activities are reported to date back to at least 2005-2006, and it has been linked to significant incidents including "Operation Aurora," the 2009-2010 intrusion campaign against Google and other organizations that was publicly disclosed in January 2010. The group is characterized by its repeated use of zero-day vulnerabilities in widely deployed software such as Internet Explorer and Adobe Flash Player; Symantec documented this recurring supply of zero-day exploits under the name the "Elderwood Project," taking the name from a variable found in the attackers' exploit source code. Technical links such as shared IP addresses, domain names, and malware signatures tie Elderwood to these attacks.
Elderwood's typical initial-access method is spear-phishing: a targeted email crafted to look legitimate is sent to an employee to induce them to click a link to an exploit-hosting page or to open a malware-laden attachment, which installs a backdoor on the victim's machine. This approach has been used in multiple campaigns, including the "GhostNet" espionage network targeting Tibetan activists, publicly reported in 2009, and the 2011 intrusion at RSA, the security firm based in Bedford, Massachusetts. Despite this visibility, Elderwood remains active, its operations largely unimpeded because the actors sit outside the jurisdiction of the affected countries.
Among identifiable Chinese cyberespionage groups, Elderwood and the Comment Crew (also known as Comment Panda, APT1, or the Shanghai Group) are the most prominent. The two groups operate independently; both came to public attention through work by Dmitri Alperovitch during his tenure at McAfee in 2010-2011, which named Operation Aurora and documented follow-on Chinese espionage campaigns. Although Google scaled back its presence in mainland China after Operation Aurora, Elderwood continued to thrive, increasingly using "watering hole" attacks: compromising legitimate but poorly secured websites frequented by its targets so that visitors are served exploits and malware simply by browsing the site, with no attachment or phishing link required. Elderwood's cyber espionage activities are assessed to remain active, underscoring the persistent threat the group poses.
Description last updated: 2024-05-05T10:00:10.030Z