A strategic cyber attack compromised the website of the Veterans of Foreign Wars on Feb. 11. Online security firm FireEye investigated the attack and says it has reason to believe the perpetrators initiated the hack from China.
FireEye reported on Thursday that the VFW.org website had recovered from the attack. Upon investigation, the firm disclosed that the perpetrators penetrated the system through a zero-day security flaw (a vulnerability for which no fix was yet available) in Microsoft's Internet Explorer 10.
"We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend. Based on infrastructure overlaps and tradecraft similarities, we believe the actors behind this campaign are associated with two previously identified campaigns," FireEye stated.
The exploit, dubbed "Operation SnowMan" by FireEye, worked very similarly to the previous campaigns known as "Operation Ephemeral Hydra" and "Operation DeputyDog." Just like those two attacks, the newest hack also incorporated a Flash object alongside a remote access Trojan (RAT) that conceals the actors from the victim.
The latest attack on the VFW website loaded code that embedded the attacker's website beneath the real one. Unsuspecting personnel who used IE10 to access the website on Tuesday might have been compromised. The cybercriminals used the Trojan to penetrate computers and steal important information remotely.
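The article describes the classic strategic web compromise pattern: code injected into a trusted page silently loads an attacker-controlled site beneath it, usually as a hidden, off-origin iframe. The script below is an added example (not FireEye's code, not VFW's page, and not tied to this specific incident) that shows how a site owner might scan their own HTML for that indicator. The sample HTML, the site hostname `www.example-site.test` and the `attacker-placeholder.test` domain are all constructed for the demonstration.

```python
"""Flag hidden or off-origin iframes in a page, a common watering-hole indicator.

Added example: scans page HTML for iframes that either point to a host other than
the site's own, or are hidden from the user (zero size, display:none, visibility:hidden).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-origin frame, one injected hidden
# off-origin frame, one relative (same-origin) frame, and one visible partner frame.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example-site.test/widgets/calendar" width="600" height="400"></iframe>
<iframe src="http://attacker-placeholder.test/stage.html" width="0" height="0" style="display:none"></iframe>
<iframe src="/local/frame.html"></iframe>
<iframe src="https://cdn.example-partner.test/embed" width="300" height="250"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True if the frame is sized to zero or hidden via inline style."""
    width = attrs.get("width", "").strip()
    height = attrs.get("height", "").strip()
    style = attrs.get("style", "").replace(" ", "").lower()
    if width in ("0", "0px") or height in ("0", "0px"):
        return True
    return "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for frames that are off-origin and/or hidden.

    site_host is the hostname the page legitimately lives on. Relative src values
    (no hostname) are treated as same-origin.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append("off-origin")
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example-site.test"):
        print(f"{src}: {', '.join(reasons)}")
```

A frame that is both off-origin and hidden is the strongest signal and is worth an alert on its own; an off-origin but visible frame (a partner widget, an embedded video) is normal and needs a site-specific allow list rather than a block. Running this against a stored copy of each published page, and diffing results across deployments, turns an injected iframe into a change that a content owner sees rather than one only the visitor's browser executes.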
"The compile date of the payload was 2014-02-11, and the last modified date of the exploit code was also 2014-02-11. This suggests that this instantiation of the exploit was very recent and was deployed for this specific strategic Web compromise of the Veterans of Foreign Wars website. A possible objective in the SnowMan attack is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website," FireEye added.
The cyber threat detection company also disclosed that the hackers have previously targeted U.S. government agencies, law firms, IT companies, Japanese corporations, NGOs and mining companies. It also predicts that such activities might continue in the mid- to long term.
"We will take action to help protect customers," said Microsoft spokesperson Scott Whiteaker.
"Microsoft is aware of limited, targeted attacks against Internet Explorer 10. Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected. We will take the necessary steps to protect customers; meanwhile, we recommend customers upgrade to Internet Explorer 11 for added protection," a Microsoft spokesperson told Tech Times in an emailed statement.
Military personnel using IE 11, or those who had installed the Enhanced Mitigation Experience Toolkit (EMET), would not have been vulnerable to this attack.
The security firm has also pointed the finger at Chinese hackers for attacks that targeted European governments prior to the G20 summit in September 2013.