The attacks that compromised computer systems at Facebook, Twitter, Apple Inc. and Microsoft were part of a wide-ranging operation that relied on many “watering hole” web sites frequented by employees of prominent firms across the U.S., The Security Ledger has learned.
The assailants responsible for the cyber attacks used at least two mobile application development sites as watering holes in addition to the one web site that has been disclosed: iPhoneDevSDK.com. Other watering hole web sites used in the attack weren’t specific to mobile application developers, or even to software development. Nevertheless, they served almost identical attacks to employees of a wide range of target firms across industries, including prominent auto manufacturers, U.S. government agencies and even a leading candy maker, according to sources with knowledge of the operation.
More than a month after the attacks came to light, many details remain under tight wraps. Contacted by The Security Ledger, the FBI declined to comment on the attacks or any investigation into their origin. However, conversations by The Security Ledger with multiple sources – including those with direct knowledge of the attack and others who had been briefed on it – have filled in some of the blanks.
Car Companies To Candy Makers – A Broad Set of Targets
In a phone and e-mail interview with The Security Ledger, Joe Sullivan, Facebook’s Chief of Security, said that the use of multiple watering hole sites and the wide spectrum of targets inside and outside the technology sector defied easy explanation. “The breadth of types of services and entities targeted does not reflect a targeted attack on a single tech or industry sector,” he said.
Rather, the wide net of watering hole web sites pulled in employees from organizations across a broad swath of the U.S. economy, say those with knowledge of the incident. That has made the campaign look more like a fishing expedition than a focused operation.
“There’s nothing that’s like ‘Aha, they’re targeting this group for industrial espionage,’” said one source with knowledge of the ongoing investigation.
Facebook was among the first firms to detect the security breach, which came to public attention after Twitter revealed in a February 1 blog post a compromise that exposed account credentials of approximately 250,000 users. Facebook acknowledged that it, too, had been hacked in a February 15 blog post. The list of victims has since expanded to include Apple Inc. and Microsoft.
In an interview with the web site arstechnica.com, Sullivan said that the company identified the attack after a number of employees were discovered using Apple Mac laptops infected with malware. An analysis of the affected staff revealed a mobile developer web site, later identified as iPhoneDevSDK.com, as the source of the attack.
Many Watering Hole Sites Used
According to Sullivan and other sources with knowledge of the attack, however, iPhoneDevSDK.com was only one of three mobile development sites used as watering holes. The other mobile development websites include one devoted to development of applications for Google’s Android operating system.
In each case, the sites were compromised and used to serve exploits for the same “zero day” vulnerability in the Java browser plug-in against browsers running on both Windows and Apple Mac systems. Employees whose machines were exploited were then infected with a Trojan horse program for either Mac or Windows PC, depending on their operating system.
In “watering hole” style attacks, cyber criminals and sophisticated hackers work through a third-party web site that is known to be frequented by the individuals they want to compromise. The web site is itself compromised, often by exploiting a known vulnerability in the site, and altered to attack its visitors. The actual targets are hit only when they happen to visit the compromised site, which lets the attackers avoid contacting the target organizations directly.
‘Pint-Sized’ Attack, Outsized Impact
Facebook’s internal investigation and parallel investigations by anti-malware firms have since identified the Trojan used in the attacks as Pintsized.A, a new family of malware for Apple Mac systems that was first publicly identified in early February.
According to a February 19 analysis by Intego, Pintsized masquerades on infected systems as cupsd, the scheduler daemon of the CUPS printing system that OS X (like most Linux systems) ships with. The giveaway is that the malicious process runs from the wrong directory: the genuine cupsd lives in a system directory, while the impostor does not.
Intego said that Pintsized infections start with an exploit that gets the malware past Gatekeeper. Once on a system, it sets up a reverse shell to the command and control server, then uses a modified version of OpenSSH 6.0p1 to create an encrypted connection for traffic in and out of the victim’s network. The malware hides behind executable names that make it seem like Apple software, and at least one command and control node operated from the (malicious) domain corp-aapl.com. That domain caught the attention of Facebook’s incident response team, and has since been directed to “sinkhole” servers managed by The Shadowserver Foundation, allowing authorities to capture command and control (C&C) communications from infected systems.
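The two indicators the Intego analysis gives, a process named cupsd running from a directory where the real CUPS scheduler does not live, and DNS traffic to corp-aapl.com, are the kind of thing an incident responder would sweep a fleet for. The following is an added triage example written for this page, not code from Intego, Facebook or The Security Ledger. It assumes `/usr/sbin/cupsd` is the legitimate location of the scheduler on OS X, parses constructed `ps` output and constructed BIND-style DNS query log lines (not real captures), and deliberately treats `corp-aapl.com.example.org` as a non-match, since a naive substring test on the C&C domain would raise false positives.

```python
"""Host and DNS triage for the Pintsized indicators described in the article.

Added example: the process check flags any process whose executable name is
one the malware imitates but whose on-disk path is not the expected one;
the DNS check flags queries for the named C&C domain or any subdomain of it.
"""
import os
import re
from typing import Dict, List, Set, Tuple

# Executable names the malware is reported to imitate, mapped to where the
# genuine binary lives. /usr/sbin/cupsd is the standard OS X location
# (assumption: a stock install; adjust for hardened or custom builds).
EXPECTED_PATHS: Dict[str, Set[str]] = {
    "cupsd": {"/usr/sbin/cupsd"},
}

# The one command-and-control domain the article names.
KNOWN_C2_DOMAINS: Set[str] = {"corp-aapl.com"}

# Constructed sample of `ps -axo pid=,user=,comm=` output (not a real capture).
# The third line is the impostor: right name, wrong directory.
SAMPLE_PS = """\
    1 root   /sbin/launchd
  412 _lp    /usr/sbin/cupsd
 9113 alice  /Users/alice/Library/Application Support/.hidden/cupsd
 9120 alice  /Applications/Safari.app/Contents/MacOS/Safari
"""

# Constructed BIND-style query log lines (not a real capture). Only the
# second line should fire; the third merely contains the C&C name as a prefix.
SAMPLE_DNS = """\
19-Feb-2013 10:01:02.117 client 10.0.0.5#51234: query: www.apple.com IN A +
19-Feb-2013 10:01:09.402 client 10.0.0.5#51240: query: update.corp-aapl.com IN A +
19-Feb-2013 10:01:15.010 client 10.0.0.7#49001: query: corp-aapl.com.example.org IN A +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def parse_ps(text: str) -> List[Tuple[int, str, str]]:
    """Turn header-less `ps` output into (pid, user, path) tuples.

    maxsplit=2 keeps the remainder of the line intact, so executable paths
    containing spaces (common under /Applications and ~/Library) survive.
    """
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, user, path = line.split(None, 2)
        procs.append((int(pid), user, path))
    return procs


def find_masquerading(procs: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """Return processes whose name is imitated by the malware but whose path is wrong."""
    hits = []
    for pid, user, path in procs:
        expected = EXPECTED_PATHS.get(os.path.basename(path))
        if expected is not None and path not in expected:
            hits.append((pid, user, path))
    return hits


def domain_matches(qname: str, domains: Set[str]) -> bool:
    """True if qname is one of `domains` or a subdomain of one.

    Comparing on label boundaries (exact match or ".<domain>" suffix) is what
    prevents corp-aapl.com.example.org from matching corp-aapl.com.
    """
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def find_c2_lookups(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, queried_name) for every lookup of a known C&C domain."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and domain_matches(m.group("qname"), KNOWN_C2_DOMAINS):
            hits.append((m.group("client"), m.group("qname")))
    return hits


if __name__ == "__main__":
    for pid, user, path in find_masquerading(parse_ps(SAMPLE_PS)):
        print(f"suspicious process: pid={pid} user={user} path={path}")
    for client, qname in find_c2_lookups(SAMPLE_DNS):
        print(f"C&C lookup: client={client} qname={qname}")
```

On a live host the `ps` text would come from `ps -axo pid=,user=,comm=`; the path check is only as good as the `EXPECTED_PATHS` table, so it catches the "wrong directory" symptom Intego describes but not a replacement of the genuine binary in place, which would need a hash or code-signature comparison instead.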
In addition to Facebook, a source with knowledge of the attack on Twitter told The Security Ledger that the Pintsized malware was served to Mac users there. The source asked to remain anonymous because he was not authorized to speak on the record about what he knew. Victims whose employees were running Windows received different, PC-based malware as part of the attack, sources said.
Watering Hole Attacks Hit Only Some Visitors
Moreover, it appears that the attacks launched from iPhoneDevSDK, and possibly from the other watering hole sites, weren’t indiscriminate. Rather, the exploit may have been served only to a small number of visitors coming from target domains, while everyone else saw the site behave normally.
Ian Sefferman of iPhoneDevSDK.com confirmed that the attacks served from his site only affected some visitors, and not others. Sefferman said, for example, that he was not targeted with an exploit, while other visitors to his site were.
“We’re still investigating why only certain users were affected, whether there was a pattern, and how many may have been targeted,” he said. However, he declined to provide more detail, citing the ongoing investigation.
Asked about the selection of targets to serve exploits at iPhoneDevSDK.com, Sullivan of Facebook said his company worked closely with Sefferman in the immediate aftermath of the breach, but declined to discuss what they uncovered, or to share the names of other companies targeted in the attack.
Even with that list, it is possible that the public will never know the full extent of the attack, given its sophistication, he said. “Nobody knows the whole picture,” he said. “And, in the absence of an environment where all the companies implicated are able to share all their internal details, there is little chance of the whole picture being directly assembled.”