The hackers who breached the defenses of Google and at least 34 other big companies three years ago have unleashed a barrage of new attacks since then, many that exploit previously undocumented vulnerabilities in software from Microsoft and Adobe, a new report has found.

The number of victims affected, the duration of the campaign, and the difficulty of identifying and exploiting so-called zero-day vulnerabilities mean the resources required "could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself," the report (PDF), which was prepared by researchers from antivirus provider Symantec, concluded. Targets over the last three years have mainly been located in the defense, energy, and finance industries and educational and non-governmental organizations.

Most significant about the group is "seemingly an unlimited number of zero-day exploits," which refer to vulnerabilities in widely used software that are exploited before there's public knowledge that they exist. Using an infrastructure Symantec researchers have dubbed Elderwood—a name derived from a variable found in some of its software—the hackers have exploited four zero-day bugs this year alone, and evidence suggests the group has wielded another four zero-days over the past two years. The use of so many previously undocumented vulnerabilities indicates the group has an extremely high level of technical capability.

"In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications," the researchers wrote. "This effort would be substantially reduced if they had access to source code. The vulnerabilities are used as needed, often within close succession of each other if exposure of any of the vulnerabilities is imminent."

Update: Some security experts were skeptical of Symantec's conclusions. Finding and exploiting previously unknown vulnerabilities is a regular undertaking during penetration testing that's often carried out to success in a matter of hours or days.

"The fact that they use 0days isn't as big a deal as Symantec makes it out to be," said Rob Graham, CEO of penetration testing firm Errata Security. "We constantly find '0days' as part of pentests and use them against our customers. Just the other day, we used a 0day SQL injection bug in [popular manufacturer's name deleted] firewall to break into a customer."

There's no reason to think the attacks tracked by Symantec couldn't have been carried out by a much smaller operation with more modest resources, Graham said.

The group's attacks date back at least to early 2010 or late 2009, when it exploited a zero-day vulnerability in Microsoft's Internet Explorer browser to pierce the defenses of Google and other large companies. With their malware inside Google's network, the attackers siphoned source code and other intellectual property of the company. Few if any of the other victims confirmed they were hit, but researchers widely believe their digital assets were also appropriated en masse.

The trojan that was installed by the exploits was alternately known as Aurora and Hydraq. It used a certain type of obfuscation to cloak its malicious behavior. Symantec researchers have found that same obfuscation technique deployed in trojans that malware operators installed by exploiting zero-days discovered earlier this year in Adobe's Flash Player (cataloged as CVE-2012-0779) and Internet Explorer (CVE-2012-1875).

The researchers found additional attributes linking other exploits to the same actors, such as similarities in the command and control channels that infected computers contacted to receive instructions and software updates. Another link was the practice of compromising third-party websites that were frequently visited by the ultimate targets of the attacks, for example, manufacturers in the defense supply chain or the Hong Kong branch of Amnesty International that was regularly visited by non-governmental organizations.

Researchers have dubbed this approach "watering hole" attacks, and say they're "similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him."

The researchers noticed that many of these watering hole attacks used more than one zero-day exploit. What's more, the timing of these changes was suspicious. As soon as one zero-day exploit was identified, it would be replaced by one that had yet to be discovered. Other similarities included the malicious executable files used and the encryption in booby-trapped documents sent to victims in e-mail.

Perhaps the biggest link is the Elderwood platform. It included a document creation kit that made it easy to bundle specific exploit code and a specific piece of malware and embed it into an otherwise clean document file. Elderwood also included a shared Adobe Flash file that created the precise conditions in a targeted computer's memory required for an exploit to be successful. Other possible components may be tools for the automated creation of website accounts and registration of domain names, and an analysis platform for the huge amounts of data that is pilfered.

APTs: Not your father's hack attack

Google's disclosure in 2010 that it and more than a dozen other sensitive companies were penetrated by the sophisticated attackers cemented the security industry's use of the phrase advanced persistent threat. Although many, this reporter included, once viewed it as a largely meaningless buzz phrase, APTs are useful in distinguishing these types of attacks from more common crime-motivated exploits. The chief difference is this: crime-based attacks, which use malware to obtain online banking passwords or credit card data, are opportunistic, so they're directed at everyone. Defending against them mainly involves having security that's better than other people on the Internet.

APTs, by contrast, are directed at a specific person or organization that has unique assets. If attackers don't succeed against a specific target with one campaign, they'll direct a new campaign at the same target and hope for better results. They will repeat the process until they succeed. That makes defending against such attacks significantly harder.

Friday's report from Symantec, which showed that the same attackers who pierced the defenses of Google three years ago are using a virtually unlimited supply of zero-days to penetrate new victims, only bolsters the view that APTs are a serious problem with no easy solutions.

Story updated to change headline and add comments from researchers.