Hackers likely based in China used the confusion of Winter Storm Pax to exploit a previously unknown flaw in Internet Explorer, compromising the Veterans of Foreign Wars website to gather information about current and former military personnel, according to cybersecurity firm FireEye Inc.
The attack targets Internet Explorer 10 and uses Adobe Flash as part of the exploit, but installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET) or updating to Internet Explorer 11 prevents exploitation, said a FireEye blog post. The hackers broke into the VFW website and embedded a hidden link that silently loaded a second Web page, which then delivered malware to visitors' computers.
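The watering-hole technique described above depends on a trusted site quietly pulling in content from somewhere else. The following scanner, added here as an example (it is not code from the article or from FireEye), flags iframes and scripts on a page that point off-site or are hidden from view. The first-party domain, the sample HTML and every hostname in it are constructed for illustration; the checks are heuristics, not a substitute for a file-integrity baseline of the site.

```python
"""Added example (not from the article or FireEye): flag injected iframes or
scripts of the kind a strategic web compromise relies on. The first-party
domain, the sample HTML and all hostnames below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party domain of the site being checked.
SITE_HOST = "vfw.example"

# Constructed sample: a normal page plus one injected, hidden, off-site iframe.
SAMPLE_HTML = """
<html><head><title>Home</title>
<script src="/js/site.js"></script>
<script src="https://cdn.vfw.example/lib.js"></script>
</head><body>
<iframe src="https://evil.example/landing.html" width="0" height="0" style="display:none"></iframe>
<iframe src="/video/embed"></iframe>
<p>Welcome</p>
</body></html>
"""


def is_offsite(url, site_host):
    """True when a URL resolves to a host outside the first-party domain.
    Relative URLs have no host and are treated as same-origin; protocol-relative
    URLs (//host/path) do carry a host and are checked."""
    host = urlparse(url).hostname
    if host is None:
        return False
    return not (host == site_host or host.endswith("." + site_host))


def looks_hidden(attrs):
    """Heuristic: zero-sized or display:none/visibility:hidden elements are
    not meant to be seen by the visitor."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return attrs.get("width") == "0" or attrs.get("height") == "0"


class InjectScanner(HTMLParser):
    """Collect (tag, src, reasons) for suspicious iframe/script elements."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        reasons = []
        if is_offsite(src, self.site_host):
            reasons.append("offsite")
        if tag == "iframe" and looks_hidden(a):
            reasons.append("hidden")
        if reasons:
            self.findings.append((tag, src, reasons))


def scan_html(html, site_host=SITE_HOST):
    """Return the list of suspicious elements found in the HTML."""
    parser = InjectScanner(site_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for tag, src, reasons in scan_html(SAMPLE_HTML):
        print(f"{tag}: {src} [{', '.join(reasons)}]")
```

Run against the sample, only the zero-sized iframe to evil.example is reported; the first-party CDN script and the relative embed pass. In practice the check belongs in a periodic job that diffs the served page against a known-good copy, because an attacker who controls the server can just as easily inject a visible element.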
FireEye nicknamed the attack "Operation SnowMan," saying hackers may have been trying to take advantage of the winter storm confusion affecting the East Coast.
“We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend,” the blog post said.
The hack uses infrastructure and techniques resembling those of attackers FireEye has previously traced to China, the post's authors said, and those attackers have previously targeted organizations in Japan, U.S. government entities, information technology companies and defense firms. The Obama administration has accused the Chinese government of sponsoring hacker groups to steal secrets from U.S. businesses to benefit its own private sector, but China's government has denied involvement.
Operation SnowMan took advantage of a "zero-day exploit," meaning an attack on a software flaw that is unknown to the vendor, so no patch exists when it is first used. Hackers who discover such flaws keep them secret until the time is right, in this case to attack visitors' browsers through a compromised website. These weaknesses are a prized commodity among hackers, and such information is often sold on the black market to other criminal groups or even government spy agencies.