Chinese Cyberattack Continues

DHS warns about new ‘watering hole’ cyber attack vulnerability as a high-tech firm also reportedly is hit

January 3, 2013

The Department of Homeland Security warned Internet Explorer users this week about a new software flaw used in remote cyber attacks as Microsoft issued an advisory on the embattled browser’s software hole.

The response followed reports in the Free Beacon revealing that hackers linked to China attacked the Council on Foreign Relations website and used it as a watering hole for a sophisticated cyberespionage attack.

Meanwhile, a company that builds microturbine electrical generators was attacked by the same hackers, according to two online security specialists.

The software traced to the CFR web attack also was present in the website of Capstone Turbine Co., a California manufacturer of high-tech turbine engine generators.

A lawyer for Capstone had no immediate comment on reports of the hack and officials at Capstone did not return telephone calls and emails seeking comment.

The DHS National Vulnerability Database issued a national cyber alert on Monday warning that the vulnerability in Explorer versions 6 through 8 "allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object."

The warning said the hack "allows unauthorized disclosure of information; allows unauthorized modification; [and] allows disruption of service."

The FireEye cyber intelligence web site confirmed reports that the CFR website was compromised on or around 2:00 p.m. Dec. 26 and said further investigation revealed that the malicious software was planted on the CFR web site as early as Dec. 21.

"We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability," FireEye reported.

"We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time."

The malicious software targeted users who logged in to the elite foreign policy organization’s website from computers whose operating system language was set to English, Chinese, Taiwanese, Japanese, Korean, or Russian.

The Council is one of the most prestigious foreign policy groups in the United States and its members include current and former high-ranking officials, including Sec. of State Hillary Clinton and former Presidents George W. Bush and Bill Clinton.

Eric Romang, a Luxembourg-based security researcher, reported that he traced the same software used in the CFR watering hole attack to He concluded on his website that the malicious software that attacked CFR "was also used to target visitors of another company named Capstone Turbine Corporation." The software was present on the Capstone website since at least Dec. 18, he said.

"Capstone Turbine Corporation was also used to spread [the malicious code called] CVE-2012-4969 and this since mid-September," Romang reported.

A second computer security specialist, Jindrich Kubec, confirmed that the watering hole cyber attack software had also infected Capstone’s website. "I wrote to Capstone Turbine on 19th Sep about the Flash exploit stuff they were hosting," Kubec, director of threat intelligence at avast!, stated in a Tweet. "They never replied. And also not fixed."

Capstone’s annual report states that the company’s gas microturbines are a low-emission, high-efficiency solution to energy production.

John Tkacik, a former State Department China specialist, said China likely would target a company like Capstone for its technology and other economic data.

"It seems that the Chinese technicians who hacked the Council on Foreign Relations have also been hacking other U.S. targets," Tkacik said in an email. "Capstone Turbines certainly would be a target of any Chinese firm that wanted to compete with Capstone, download Capstone's proprietary software and blueprints, or obtain Capstone's pricing and marketing information."

Tkacik, director of the Future Asia Project at the International Assessment and Strategy Center (IASC), said the company probably was among hundreds of U.S. companies targeted for technology acquisition.

"The whole episode is yet another chapter in the ongoing morality play of America's inability, unwillingness, or both, to confront the Chinese cyberthreat," Tkacik said. "Alas, U.S. law prevents American intelligence and military cyberwarriors from conducting the same sweeping attacks against Chinese networks, but perhaps the time has come for Congress to fund a major expansion of [the National Security Agency's] and Defense Department's network warfare capabilities and mandate them to go after Chinese financial, social, media, energy, and industrial networks in a big way. Otherwise we're fighting the last war."

Richard Fisher, a China affairs specialist with IASC, said the government should require publicizing information on Chinese-origin cyber attacks. "The time has come for Congress to demand annual reporting from the Departments of Defense and Homeland Security highlighting China's global cyber war and its security and economic impact on Americans," Fisher said. "Such a report [is] required in order to galvanize both defensive and retaliatory policies."

"Chinese actors are the world’s most active and persistent perpetrators of economic espionage," according to a report by the office of the National Counterintelligence Executive, a U.S. government counterspy office.

"U.S. private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China but the IC [intelligence community] cannot confirm who was responsible."

The report stated, "We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive U.S. economic information and technologies, particularly in cyberspace."

Microsoft, the maker of Internet Explorer, issued a security advisory on Saturday designed to patch what is called a "zero-day" security flaw.

"We are only aware of a very small number of targeted attacks at this time," Dustin Childs, a leader of a Microsoft Security Response Center team, stated in releasing the advisory.

Childs said the company is working on a "one-click Fix It solution" to the browser flaw in coming days.

The advisory was updated Monday and stated that "Microsoft is investigating public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8."

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8," the company said, noting that a patch prevents the exploitation of the flaw.

It is not the first time Internet Explorer has been the basis for a major cyber attack.

Google and several other major U.S. corporations were attacked in late 2009 by suspected Chinese government hackers who used both human intelligence-gathering techniques and high-technology research to steal corporate secrets.

The Google attack was code-named Operation Aurora after one of the files in the malicious software was found to contain the name Aurora. Investigators traced its origins to a zero-day flaw in Internet Explorer 6. The flaw allowed the hackers to gather vital details on company executives with high-level access to corporate secrets, who were then targeted in a cyber espionage operation.

The hackers were able to use the Explorer flaw and an email scam to implant code that allowed the takeover of the network and the stealing of valuable trade secrets.

Investigators who uncovered the CFR hack said it was a sophisticated cyber espionage operation that targeted key officials and former officials.

The CFR web site was taken over by hackers during the watering hole attack. Members who logged in to the site had their computers infected and information remotely stolen; in some cases the stolen data was encrypted before being sent to the hackers.

"The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," said Microsoft in its advisory on the CFR hack.

"The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."

The company said after its investigation is completed it will take appropriate steps "to protect our customers."

Microsoft also said "we are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability."

According to Microsoft, hackers "could host a website that contains a webpage that is used to exploit this vulnerability" in a web-based cyber attack scenario.

Compromised websites, and websites that accept or host user-provided content or advertisements, could also be seeded with content that exploits the flaw.

"In all cases, however, an attacker would have no way to force users to visit these websites," the company said. "Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website."
