Elderwood Platform

The Elderwood Platform is the name given to a set of zero day exploits that is either used within a large organization or sold as a package to many attackers. The Elderwood platform was discovered by Symantec in 2009-2012, following the actor’s 2009 compromise of Google with the Trojan.Hydraq / Hydraq Trojan . It is not clear whether Elderwood is a single criminal group that distributes its platform or if it is part of a major organization that distributes its platform to its subdivisions. In the former scenario, the Elderwood distributor may preferentially sell its platform to separate criminal entities at the same time. In most cases, the “buyers” receive the exploit around the same time. This could be an operational choice on behalf of the seller, a systematic choice (i.e. the “seller” sells once they find an exploit), or a procedure meant to obfuscate the activities of any one “buyer.” In the latter scenario, Symantec theorizes that a parent organization may distribute the Elderwood project and it may task its subdivisions with targeting particular industries or sectors. Each subgroup then utilizes their own infrastructure to stage the attacks using the shared platform.

Zero day exploits are rare and valuable and the Elderwood platform relies upon zero day exploits to compromise its victims. Somehow the Elderwood platform has consistently been updated with new zero-day exploits since 2009. In fact, no other actor has been able to obtain and utilize as many zero-day exploits as the actor behind the Elderwood platform. This suggests that either the actor behind the Elderwood platform has a highly sophisticated technical team that is capable of farming zero-day exploits or that Elderwood project is funded by a criminal organization or state sponsor that possess significant resources. Unless the technical team that farms the exploits is paid an extremely high sum, neither theory explains why the exploits do not appear on underground markets until long after Elderwood has used the exploit.

A hybrid theory is possible. Perhaps the Elderwood group sells their platform to a third party for one reason or another, and that party then resells the platform to smaller groups. The hybrid model could explain how the Elderwood platform continues to utilize new and unique zero-day exploits because an exploit could be sold whenever the group feels that it has served its purpose and then they can purchase new exploits using the money received from selling the previous exploit to numerous other buyers. Alternately, perhaps a simpler solution exists. Zero- day exploits are juicy pieces of information. It is possible that Elderwood activity attracts the notice of other groups who watch the attacks and reverse engineer the exploits. The lower tier attackers would need inside knowledge of Elderwood activity and they would have to outpace cybersecurity response teams, else the exploits would be of little value.

In recent years, other notable campaigns have utilized the Elderwood platform or its exploits. Hidden Lynx used internet explorer exploits and its ZXshell backdoor in attacks against the defense industry. Vidgrab exploited internet explorer to install the vidgrab backdoor on systems belonging to Japanese users and it exploited Adobe flash to install the Jolob backdoor on systems belonging to Uyghur dissidents. Icefog exploited both Adobe Flash and Internet Explorer to install the Linfo and Hormesu backdoors respectively on systems in the manufacturing industry. Sakurel used multiple Internet Explorer exploits and an Adobe Flash exploit to compromise Aerospace engine manufacturer systems with the Sakurel Trojan.

The Elderwood platform is used against targets in a large number of sectors. Most frequently, the Elderwood platform is employed against organizations involved in defense, defense supply chain manufacturing, IT, and Human Rights. Organizations are attacked through watering hole attacks, spear phishing emails, and web exploits. Symantec believes that it is possible that manufacturers and tangential sector organizations and sites are compromised to target top tier primary targets. In this case, organizations in Manufacturing, Engineering, Electronic, Energy, Arms, Shipping or Aeronautics industries may be targeted as stepping stones to compromise Defense organizations. Additionally, Software or Financial firms might be targeted so the attacker can compromise NGOs.

The Elderwood platform predominantly targets United States organizations. Firms in Canada, China, Hong Kong, and Australia have also been frequently targeted. Organizations based in Taiwan, United Kingdom, Switzerland, India, and Denmark have been sporadically targeted. Victims are targeted for information and intellectual property contained on their systems. The lack of theft of financial information complicates the actor profile because a mercenary distributor is less likely to steal nation-state information over financial information. One could argue that information is stolen with the Elderwood platform to assist in other breaches; however, a mercenary group would likely not be able to analyze information as rapidly as had the Elderwood group.

Between 2009 and 2014, the Elderwood platform has featured numerous Adobe Flash and Internet Explorer zero-day exploits. Adobe Flash and Internet Explorer are notoriously vulnerable applications. Typically, Adobe Flash, Internet Explorer, or both are present on a system. The attack platform also contains a document creation kit which enables the attacker to combine a clean document with a Trojan of their choice to create a malicious document. These documents are then used in spear phishing campaigns. The platform also contains a Shockwave Flash file that ensures that Trojans are downloaded onto target machines in the correct locations. The platform could contain information gathering tools such as keyloggers, automated domain name and account generators, and an information analysis platform.

Type: Cyberespionage/ Cyber-mercenary

Status: Inactive

Other Names: Sneaky Panda/ Beijing Group/ Operation Aurora

Active Since/Discovered: 2009/ 2012

Targets: Predominantly US Organizations. Others in Taiwan, United Kingdom, Switzerland, India, and Denmark

Target Sectors: Defense, defense supply chain manufacturing, IT, Human Rights organizations, Manufacturing, Engineering, Electronic, Energy, Arms, Shipping or Aeronautics industries


  • Elderwood Platform
    • Includes a document trojanization tool
    • Contains information gathering tools such as keyloggers, automated domain name and account generators, and an information analysis platform
  • Hydraq

Preferred Attack Vector: 0-day exploits, spear-phishing


      • Known for its excessive use of exclusive 0-day exploits
      • Connected to Comment Crew (Shanghai Group)
      • Licenses, sells, or distributes its platform to other groups
        • This obfuscates their activity