The hackers who hijacked a U.S. Labor Department website were as interested in gathering data for their next attack as they were in stealing information from their victims, security experts say.
The attack, reported last week, started with compromising the web server that ran the site and then inserting a malware payload that would be decoded when a visitor's browser attempted to render specific web pages. The exploit targeted a previously unknown vulnerability in Microsoft's Internet Explorer 8.
Experts believe the attack targeted government employees involved in developing nuclear weapons. That's because the hijacked pages contained information on nuclear-related illnesses linked to Energy Department facilities, where such employees would have worked.
After analyzing the malware, Cisco security pros said Friday the attackers appeared to have two motives: infiltrate government networks, and gather information from the computers compromised initially in order to prepare for future attacks.
For example, the malware would send back to the command-and-control (C&C) server information on the security technology installed, including the antivirus software, as well as on client applications known to have a lot of vulnerabilities, such as Adobe Flash and Java.
"Whatever attacker was behind this attack, they probably intended to come back," said Craig Williams, technical leader for Cisco's Security Intelligence Operations. "They're not gathering this information and sending it home for no reason."
Once the hackers got this information, they could use it to test future malware to make sure it could exploit the vulnerabilities without being detected, Williams said. This level of reconnaissance, while not unheard of, is unusual.
"It's pretty advanced that they're thinking about [returning]," Williams said. "Years ago, this would have been completely unheard of."
The attack on the Labor Department site was also highly targeted. The attackers' malware only worked on IE8 running on Windows XP computers, an indication that they knew their targets used those types of systems.
Microsoft released a temporary fix on Wednesday for the zero-day vulnerability the attack exploited.
What Cisco does not know is how the attackers compromised the web server to begin with. Somehow, the attackers had to obtain the privileges necessary to run the script that would load the malware, which was a variant of a remote administration program called Poison Ivy.
In general, attacks that bypass the security software installed on desktops and notebooks show why companies need additional technology to protect their networks, such as software capable of spotting abnormal activity that could indicate running malware.
While no one has identified the origin of the Labor Department attack, AlienVault reported that the malware used the same protocol to communicate with the C&C servers as the one used by a Chinese hacking group called Deep Panda. The group is known for targeting a variety of U.S. entities, including the high-tech and defense industries and state and federal government agencies.