Forbes 'watering hole' attack the work of Chinese state cyber espionage, claim researchers

US defence contractors and banks targeted following Forbes attack

A "watering hole" attack on Forbes.com, one of the world's most popular news websites, which exploited zero-day vulnerabilities in Adobe Flash, was the work of Chinese state espionage organisations, according to an analysis by security services company iSight.

Following the attack, which lasted from 28 November to 1 December last year, the company claims that US defence contractors and financial services companies were subsequently attacked as a result.

"We believe the compromise was carried out by Chinese cyber espionage operators referred to by iSight as Codoso Team (also known publicly as Sunshop Group) based on technical indicators in connected malware as well as the use of the same undisclosed exploit in incidents consistent with Chinese cyber espionage targeting," claims iSight in its analysis.

This evidence includes:

• Malware used in the incident included resources written in simplified Chinese and bore a resemblance to variants of Derusbi, malware unique to Chinese cyber espionage operators;
• The command and control domain used was passively connected to tiiztm.com, a domain used in several Chinese cyber espionage incidents associated with Codoso Team;
• At least three additional sites also hosted the same exploit prior to its public disclosure. These sites contained iFrames that pointed visitors to 88.80.190.133/wvvwwvw/main.swf, and have been associated with Chinese dissident issues, including the Uighur minority in north-west China and Hong Kong democracy.

The group's targets are typically in defence, finance, energy, government, Chinese political dissidents and global think tanks. Previous attacks have targeted the Norwegian Nobel Peace Prize Committee - in 2010 when Chinese pro-democracy activist Liu Xiaobo won - an April 2011 spear-phishing attack targeting the US government, and a May 2013 watering hole attack targeting Uighur dissidents and global think tanks.

"It should be noted that the use of Derusbi malware variants is a common theme among this group - including in the recently observed watering hole attacks using Forbes.com. Given the use of Derusbi there is often conflation with a group publicly known as Deep Panda. We believe these to be different, yet connected, teams," claims iSight.

The attackers took advantage of a zero-day flaw in Adobe Flash - one of many that has bugged the software, which is often embedded within web pages and used for displaying animated advertising. The bug the group took advantage of was only patched by Adobe on 9 December 2014.

A full technical breakdown about how the attack worked is available on the websites of both iSight and Invincea.