Elderwood

Threat Actor Profile Updated 13 days ago
Elderwood, also known as the Elderwood Group or the Beijing Group, is a threat actor believed to be responsible for numerous high-profile intrusions and espionage campaigns. Its activity dates back to at least 2005-2006, and it has been linked to several significant incidents, most notably "Operation Aurora," the intrusion into Google and other organizations that Google disclosed in January 2010. The group's methods often involve exploiting zero-day vulnerabilities in widely used client software such as Internet Explorer and Adobe Flash Player; Symantec documented this pattern of repeated zero-day use under the name "The Elderwood Project." Technical indicators such as IP addresses, domain names, and malware signatures tie Elderwood to these attacks.

Elderwood's typical initial access is spear-phishing: a seemingly legitimate email crafted to induce an employee to click a malicious link or open a malware-laden attachment, which installs a backdoor that gives the attackers persistent remote access. Reporting has associated this method with multiple campaigns, including "GhostNet," the espionage network targeting Tibetan activists that was exposed in 2009, and the 2011 breach of RSA, the security firm based in Bedford, Massachusetts. Despite this visibility, Elderwood remains active, largely unimpeded because its operators sit outside the legal reach of the victims' jurisdictions.

Among the identifiable Chinese cyberespionage groups, Elderwood and the Comment Crew (also known as Comment Panda, the Shanghai Group, or APT1) are the most prominent. The two groups operate independently; both were revealed by Dmitri Alperovitch during his tenure at McAfee in 2011. After Operation Aurora, Google withdrew its search service from mainland China, but Elderwood continued operating. Beyond spear-phishing, the group also uses watering-hole attacks: it compromises less secure websites that its targets are likely to visit and plants code that delivers malware to visitors' computers when they load the page. Elderwood's cyberespionage activity is assessed to remain ongoing, a persistent threat to organizations worldwide.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
ID | Type | Votes | Profile Description
Aurora | Unspecified | 2 | Aurora refers to Operation Aurora, the intrusion campaign that came to prominence in 2009-2010 when it targeted major technology companies, including Google; the backdoor deployed in that campaign is detected by Symantec as Trojan.Hydraq. The Storm-0558 designation, by contrast, belongs to a separate China-based actor that Microsoft began tracking publicly in 2023 in connection with cloud service compromises, and it is not linked to Operation Aurora or the RSA SecurID breach.
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Elderwood threat actor was read from the documents in the corpus listed below.
Source | Created At | Title
MITRE | a year ago | Stealing US business secrets: Experts ID two huge cyber 'gangs' in China
MITRE | a year ago | Elderwood project, who is behind Op. Aurora and ongoing attacks? - Security Affairs
CERT-EU | 6 months ago | Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers