The hackers who hijacked a U.S. Labor Department website were asinterested in gathering data for their next attack as they were instealing information from their victims, security experts say.
The attack, reported last week, started with compromising theweb server that ran the site and then inserting a malware payloadthat would be decoded when a visitor's browser attempted torender specific Web pages. The exploit targeteda previously unknown vulnerability on Microsoft's InternetExplorer 8.
Experts believe the attack targeted government employeesinvolved in developing nuclear weapons. That's because thehijacked pages contained information on nuclear-related illnesseslinked to Energy Department facilities, where such employees wouldhave worked.
After analyzing the malware, Cisco security pros said Friday theattackers appeared to have two motives: Infiltrate governmentnetworks and gather information from the computers compromisedinitially in order to prepare for future attacks.
For example, the malware would send back to thecommand-and-control (C&C) server information on the securitytechnology installed, including the antivirus software, as well asclient applications known to have a lot of vulnerabilities.Examples of such software would include Adobe Flash or Java.
"Whatever attacker was behind this attack, they probablyintended to come back," said Craig Williams, technical leaderfor Cisco's Security Intelligence Operations. "They'renot gathering this information and sending it home for noreason."
Once the hackers got this information, they could use it to testfuture malware to make sure it could exploit the vulnerabilitieswithout being detected, Williams said. This level ofreconnaissance, while not unheard of, is unusual.
"It's pretty advanced that they're thinking about[returning]," Williams said. "Years ago, this would havebeen completely unheard of."
The attack on the Labor Department site was also highlytargeted. The attackers' malware only worked on IE8 running onWindows XP computers, an indication that they knew their targetsused those types of systems.
Microsoft releaseda temporary fix on Wednesday for the zero-day vulnerabilityexploited.
What Cisco does not know is how the attackers compromised theweb server to begin with. Somehow, the attackers had to get theprivilege necessary to run the script that would load the malware,which was a variant of a remote administration program calledPoison Ivy.
In general, attacks that bypass security software installed onthe desktop or notebook are examples of how companies needadditional technology to protect their networks. An example issoftware capable of spotting abnormal activity that could indicaterunning malware.
While no one has identified the origin of the Labor Departmentattack, AlienVaultreported that the malware used the same protocol to communicatewith the C&C servers as the one used by a Chinese hacking groupcalled Deep Panda. The group is known for targeting a variety ofU.S. entities, including the high-tech and defense industries andstate and federal government agencies.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.