The Elderwood Platform is the name given to a set of zero day exploits that is either used within a large organization or sold as a package to many attackers. The Elderwood platform was discovered by Symantec in 2009-2012, following the actor’s 2009 compromise of Google with the Trojan.Hydraq / Hydraq Trojan . It is not clear whether Elderwood is a single criminal group that distributes its platform or if it is part of a major organization that distributes its platform to its subdivisions. In the former scenario, the Elderwood distributor may preferentially sell its platform to separate criminal entities at the same time. In most cases, the “buyers” receive the exploit around the same time. This could be an operational choice on behalf of the seller, a systematic choice (i.e. the “seller” sells once they find an exploit), or a procedure meant to obfuscate the activities of any one “buyer.” In the latter scenario, Symantec theorizes that a parent organization may distribute the Elderwood project and it may task its subdivisions with targeting particular industries or sectors. Each subgroup then utilizes their own infrastructure to stage the attacks using the shared platform.
Zero day exploits are rare and valuable and the Elderwood platform relies upon zero day exploits to compromise its victims. Somehow the Elderwood platform has consistently been updated with new zero-day exploits since 2009. In fact, no other actor has been able to obtain and utilize as many zero-day exploits as the actor behind the Elderwood platform. This suggests that either the actor behind the Elderwood platform has a highly sophisticated technical team that is capable of farming zero-day exploits or that Elderwood project is funded by a criminal organization or state sponsor that possess significant resources. Unless the technical team that farms the exploits is paid an extremely high sum, neither theory explains why the exploits do not appear on underground markets until long after Elderwood has used the exploit.