IE10 Exploit Targets US Veterans Website

Internet security researchers at FireEye have reported that Chinese hackers were discovered attempting to exploit the networks and computers of United States veterans.

Named “Operation Snowman”, the attack relied on watering hole techniques to lure people onto fake, malware-laden versions of the US Veterans of Foreign Wars website. By changing certain bits of iframe data, the attack is able to redirect unsuspecting members of the armed forces from their benefits page to a ghosted website designed to install a trojan and open backdoor access to any computer that comes across it.

It utilizes a cross-platform bug to launch a Flash object, which then activates another program in Java. From there, all it needs to do is verify that the computer is running an up-to-date version of Internet Explorer, and the attackers are in.

As of now, there is still reason to believe these issues are related to Operation Deputy Dog and Operation Ephemeral Hydra, which were launched last year. The techniques used to plant the malware are almost identical, the source is somewhere in China, and all three campaigns sought to leech information from similar targets.

FireEye suspects the idea behind the hijacking of a veterans service website is that military personnel might have access to high-level intelligence, and would in theory (this is where the jump in logic kicks in) store that information on the same machine they use for daily web browsing and making appointments with their doctor online.

“A possible objective in the SnowMan attack is targeting military service members to steal military intelligence,” FireEye researchers say. “In addition to retirees, active military personnel use the VFW website. It is probably no coincidence that Monday, Feb. 17, is a U.S. holiday, and much of the U.S. Capitol shut down Thursday amid a severe winter storm.”

For now, the exploit is only effective on Internet Explorer 10, and officials from FireEye are working closely with Microsoft to get the hole patched up as quickly and quietly as possible.