Skip to content

G0066 Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. 1 The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. 2 3

Item Value
ID G0066
Associated Names Elderwood Gang, Beijing Group, Sneaky Panda
Version 1.2
Created 18 April 2018
Last Modified 02 March 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Elderwood Gang 2 3
Beijing Group 3
Sneaky Panda 3

Techniques Used

Domain ID Name Use
enterprise T1189 Drive-by Compromise Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector.231
enterprise T1203 Exploitation for Client Execution Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits.2
enterprise T1105 Ingress Tool Transfer The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.4
enterprise T1027 Obfuscated Files or Information Elderwood has encrypted documents and malicious executables.2
enterprise T1027.002 Software Packing Elderwood has packed malware payloads before delivery to victims.2
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.23
enterprise T1566.002 Spearphishing Link Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.23
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.23
enterprise T1204.002 Malicious File Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments.23

Software

ID Name References Techniques
S0204 Briba 2 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Service:Create or Modify System Process Ingress Tool Transfer Rundll32:System Binary Proxy Execution
S0203 Hydraq 2 Access Token Manipulation Windows Service:Create or Modify System Process Data from Local System Symmetric Cryptography:Encrypted Channel Exfiltration Over Alternative Protocol File and Directory Discovery File Deletion:Indicator Removal Clear Windows Event Logs:Indicator Removal Ingress Tool Transfer Modify Registry Obfuscated Files or Information Process Discovery Query Registry Screen Capture Shared Modules System Information Discovery System Network Configuration Discovery System Service Discovery Service Execution:System Services
S0211 Linfo 2 Windows Command Shell:Command and Scripting Interpreter Data from Local System Fallback Channels File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Process Discovery Scheduled Transfer System Information Discovery
S0205 Naid 2 Windows Service:Create or Modify System Process Modify Registry System Information Discovery System Network Configuration Discovery
S0210 Nerex 2 Windows Service:Create or Modify System Process Ingress Tool Transfer Modify Registry Code Signing:Subvert Trust Controls
S0208 Pasam 2 LSASS Driver:Boot or Logon Autostart Execution Data from Local System File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Process Discovery System Information Discovery
S0012 PoisonIvy 2 Application Window Discovery Active Setup:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit
S0207 Vasport 2 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Ingress Tool Transfer Proxy
S0206 Wiarp 2 Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Ingress Tool Transfer Process Injection

References