A suspected Chinese espionage group compromised popular media site Forbes.com in November 2014 in an operation designed to infect computers at companies in the financial and defense industries, according to a report published on Feb. 10 by security firms Invincea and iSIGHT Partners.
The attack infected Forbes.com's “Thought of the Day” Adobe Flash widget and configured it to serve up malicious code to visitors from targeted Internet addresses. The security firms detected evidence of the attack on Nov. 28, 2014, and Forbes removed the malicious file on Dec. 1.
While the attack could have infected millions of visitors during those three days, the operation focused on attacking specific victims at companies in the financial and defense sectors, Stephen Ward, senior director for iSIGHT Partners, told eWEEK.
“Did they want to go after the site’s 20 or 30 million visitors? No,” he said. “This is cyber-espionage, so it was a targeted attack. It is not cybercrime where they are trying to steal people’s banking credentials.”
The security firms do not know the criteria by which companies were selected by the espionage group behind the attacks. However, users from the targeted companies who visited Forbes.com during those three days were attacked via a zero-day Adobe Flash vulnerability.
On more modern Windows systems, the exploit was paired with a previously unknown flaw in Microsoft’s Internet Explorer that allowed the malicious code to bypass software defenses present in Windows Vista and later versions of the operating system. Adobe fixed the Flash vulnerability on Dec. 9, while Microsoft fixed the Internet Explorer flaw on Feb. 10.
If the exploits worked, victims would have had a variant of the Derusbi Trojan—malware common to Chinese espionage operations—installed on their machines. The group also used command-and-control infrastructure common to Chinese groups that had compromised three other Websites that focused on nonprofit groups of interest to the Chinese government, according to an analysis by iSIGHT Partners.
The choice of malware, the command-and-control infrastructure and the targets of other watering-hole sites in the same campaign suggested strongly that the attackers are part of a Chinese espionage group known as Codoso, iSIGHT Partners’ analysis stated.
Forbes acknowledged the attack and confirmed that a file had been changed on its Web server infrastructure, but stressed that there was little evidence of any further breach.
“On Dec. 1, 2014, Forbes discovered that on Nov. 28, 2014, a file had been modified on a system related to the Forbes web site,” the company said in a statement sent to eWEEK. “The file was immediately reverted and an investigation by Forbes into the incident began.”
To date, the investigation has found no evidence of any additional compromise of Forbes' system and no data was exfiltrated by the attackers, the company stated.
The Codoso group has been operating since at least 2010 and typically targets companies in the defense, finance and energy sectors as well as government agencies, political dissidents and policy groups, according to iSIGHT Partners.