US nuclear weapons researchers targeted with Internet Explorer virus
The party responsible for the recently discovered security flaw in the IE 8 browser has yet to be identified, but researchers believe hackers employed a watering-hole attack to specifically target US government employees and contractors who browse a website regularly frequented by staffers in the nuclear sector.
Microsoft confirmed on Friday the existence of a zero-day code-execution exploit in IE 8 that, if not fixed, could allow hackers to install malware on a victim’s machine by employing so-called “drive-by attacks.” Indeed, the flaw was discovered only after an unknown number of computers became infected with a backdoor Trojan that was reportedly installed on the machines of web surfers who used IE 8 to navigate to a specific page on the US Department of Labor website.
“The Department of Labor site was rigged to redirect users to another site that infected computers with an iteration of the infamous ‘Poison Ivy’ Trojan, which was able to avoid detection by all but two major anti-virus products,” Ben Weitzenkorn wrote Monday for TechNews Daily.
According to Microsoft, "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.”
"An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” the company said.
Researchers aren’t sure yet who exploited the flaw and are still assessing any damages incurred by the issue, but they have managed to identify the single Department of Labor webpage that was compromised by hackers: the DoL’s Site Exposure Matrices (SEM) page, described by the agency as “a repository of information on toxic substances present at Department of Energy (DOE) and Radiation Exposure Compensation Act (RECA) sites.” The SEM page contains information about the links between toxic substances and recognized occupational illnesses, and was designed to be used by staffers routinely exposed to nuclear elements and other hazardous materials.
"The target of this attack appears to be employees of the Dept of Energy that likely work in nuclear weapons research," security company Invincea announced on their blog.
Speaking to NextGov, Invincea founder and former Defense Advanced Research Projects Agency program manager Anup Ghosh said, "We can infer the target of the attack are [Energy Department] folks in a watering hole style attack compromising one federal department to attack another.”
Suspects have yet to be identified, but watering hole attacks targeting specific groups of victims have been routinely used by state-sponsored cybercriminals in the past. Security firm AlienVault added that they believe the attack was carried out by "DeepPanda," a group of hackers alleged to have previously engaged in cyber espionage on behalf of the Chinese government.
Separate from the exploit, the Pentagon released on Monday a 92-page report, the 2013 “Military and Security Developments Involving the People’s Republic of China,” which discusses in detail the potential cybercrimes that could attack US computers courtesy of the Far East.
The Labor Department has since taken the SEM page down, but the damage may indeed have already been done. Although the exploit in IE was only discovered last week, security firm CrowdStrike said its research led them to believe the campaign started in March and infected victims in 37 countries, including primarily machines in the US. Only computers that used version 8 of Internet Explorer and Windows XP, Windows Vista and Windows 7 to navigate to the SEM page were vulnerable, but IE is the most widely used browser in America with a market share of roughly 42 percent, according to StatCounter’s April 2013 analysis.