Chinese Hackers Suspected in Cyber Attack on Council on Foreign Relations

Advanced cyberespionage attack employed 'drive-by' method on CFR website


Computer hackers traced to China carried out an advanced cyberespionage attack against the website of one of America’s most elite foreign policy groups, the Council on Foreign Relations (CFR).

According to private computer-security forensic specialists, the hacking incident involved a relatively new type of ploy called a “drive-by” website cyber attack that was detected around 2:00 p.m. on Wednesday.

The specialists, who spoke on condition of anonymity, said the attack involved penetrating the computer server that operates the New York City-based CFR’s website and then using the pirated computer system to attack CFR members and others who visited or “drove by” the site.

The activity ended on Thursday and the specialists believe the attackers either removed their malicious software to prevent further details of the attack from being discovered, or CFR was able to isolate the software and remove it.

The FBI was notified of the attack and is said to be investigating.

FBI spokeswoman Jennifer Shearer declined to comment when asked about the attack. But she told the Washington Free Beacon: “The FBI routinely receives information about threats and takes appropriate steps to investigate those threats.”

However, David Mikhail, a Council on Foreign Relations spokesman, confirmed the attack. “The Council on Foreign Relations’ website security team is aware of the issue and is currently investigating the situation,” Mikhail said in an email. “We are also working to mitigate the possibility for future events of this sort.” He provided no details.

According to the computer security specialists, the cyber espionage attack represents a new level of sophistication by foreign hackers seeking government and other secrets by computer.

The “drive-by” method required the hackers to covertly plant malicious software in the CFR computer system. They then used the software and the website to attack visitors to the site, infecting their computers in a hunt for secrets and other valuable information. One of the specialists said the attack also involved using the CFR site for what is called a “watering hole” attack, in which people who visit the website are infected.

One of the victims who visited the CFR’s website discovered the attack and alerted computer security specialists on Wednesday.

In response, a small group of private security specialists launched an investigation into the activity and found that it only targeted computer users using the web browser Windows Internet Explorer 8 and higher versions. The attackers were able to exploit a security flaw in the browser software called a “zero-day” vulnerability – a previously unknown flaw that allows computer hackers to gain access to a targeted computer.

A similar Internet Explorer vulnerability was behind the major Aurora cyber attack on Google and other U.S. corporations that began in 2009 and was traced to China’s government.

Investigators said the computer attackers that targeted CFR were able to set up a covert network capable of identifying, encrypting, and sending stolen information found in targeted and infected computers back to a secret command and control computer.

In the case of the CFR hack, the malicious software included Mandarin Chinese language, the specialists said. Also, the attackers limited their targeting to CFR members and website visitors who used browsers configured for Chinese language characters – an indication the attackers were looking for people and intelligence related to China.

“This was a very sophisticated attack,” said one of the specialists. “They were looking for very specific information from specific people.”

The extent of the damage is not known but CFR members who visited the website between Wednesday and Thursday could have been infected and their data compromised, the specialists said.

The CFR is one of the most elite foreign policy organizations in the United States with a membership of some 4,700 officials, former officials, journalists, and others. Its members include NBC anchor Brian Williams, Hollywood actress Angelina Jolie, and former Sen. Chuck Hagel, President Obama’s embattled but as yet un-nominated choice for secretary of defense.

Current Secretary of State Hillary Clinton and Assistant Secretary of State Kurt Campbell, the Obama administration’s senior Asian affairs policy maker, also are CFR members. Senate Intelligence Committee Chairman Sen. Dianne Feinstein (D., Calif.) is also a member, as is Secretary of State-designate Sen. John Kerry.

Its board and members include a who’s who of U.S. foreign policy and national security elites, including former U.S. Central Command commander Army Gen. John Abizaid, and former Secretaries of State Madeleine K. Albright, Colin Powell, and Henry Kissinger.

Fox News CEO Roger Ailes also is a member, as is News Corp. chairman and CEO Rupert Murdoch. Former Presidents George W. Bush and Bill Clinton are members, as are former CIA Director and former Defense Secretary Robert M. Gates and former CIA Director David Petraeus.

The CFR cyberstrike is not the first strategic drive-by cyber attack.

The computer security website Dark Reading reported in May that the Center for Defense Information and the Hong Kong chapter of the human rights group Amnesty International (AIHK), along with several other organizations, also were attacked using similar drive-by methods.

“The weapon of choice for a cyberspy or advanced persistent threat (APT) actor gaining a foothold inside its target traditionally has been the socially engineered email with a malicious link or attachment,” Dark Reading stated. “But cyberspies are increasingly targeting specific, legitimate websites and injecting them with malware in hopes of snaring visiting victims from organizations from similar industries and sectors.”