Forbes.com Hacked In November, Possibly By Chinese Cyber Spies


Back in late November, Forbes.com was hacked. If cyber security firms are right, Chinese hackers are to blame, but there's not enough evidence to guarantee attribution just yet.

The hackers tampered with the Adobe Flash widget that delivers the Thought of the Day page shown to visitors arriving at Forbes.com. The modified widget sent specially chosen visitors to a hacker-controlled site that served an exploit for a zero-day vulnerability in Flash and, where needed, a second flaw in Microsoft’s Internet Explorer. Malware that gathered basic system information from the victim’s machine could then have been downloaded onto the target’s system. Anyone running a Windows release newer than XP with a browser other than Internet Explorer should have been safe, though targets on other combinations of OS and browser could have been affected.

Our press department said that Forbes discovered on 1 December that on 28 November a file had been modified on a system related to the Forbes website. “The file was immediately reverted and an investigation by Forbes into the incident began. Forbes took immediate actions to remediate the incident. The investigation has found no indication of additional or ongoing compromise nor any evidence of data exfiltration. No party has publicly claimed responsibility for this incident,” the spokesperson said. It is currently unclear how the hackers were able to modify that Adobe Flash widget in the first place. Typically this would involve some form of web server compromise, but that is speculation for now.
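The three-day gap between the modification and its discovery is the kind of window a baseline-and-diff integrity check over deployed web assets closes. The following is an added example, not Forbes’ own tooling or anything from the vendors named in this article: it hashes a directory tree at deploy time, re-hashes it later, and reports what was added, removed or modified. The directory layout, file names and file contents are constructed for the demo and stand in for a real widget deployment.

```python
"""Baseline-and-diff integrity check for deployed web assets.

Added example, not Forbes' code. Assumes the widget directory changes only
at release time, so any other change (like the modified Flash widget in the
article) should be flagged. Paths and contents here are constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict[str, str]:
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    manifest: dict[str, str] = {}
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root_path).as_posix()] = digest
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare a stored baseline manifest with a fresh one.

    Returns sorted lists of added, removed and modified relative paths. The
    baseline should be kept off the web host so an attacker who can edit the
    served files cannot also edit the record they are checked against.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Simulate the incident: baseline at deploy, tamper with the widget, re-check."""
    with tempfile.TemporaryDirectory() as root:
        widget_dir = Path(root) / "widgets" / "thought-of-the-day"
        widget_dir.mkdir(parents=True)
        # Constructed stand-ins for the deployed assets (not real SWF content).
        (widget_dir / "totd.swf").write_bytes(b"FWS" + b"\x00" * 64)
        (widget_dir / "loader.js").write_text("var totd = 'release-build';\n")

        baseline = hash_tree(root)  # taken at deploy time, stored off-box

        # Attacker-style tampering: the SWF is altered and an extra file appears.
        # Both must surface in the diff; the untouched loader.js must not.
        (widget_dir / "totd.swf").write_bytes(b"FWS" + b"\x00" * 60 + b"EVIL")
        (widget_dir / "redirect.html").write_text("<!-- dropped by attacker -->\n")

        return diff_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run on a schedule (or from a deploy hook) against a manifest stored outside the web tier, this turns “a file had been modified” from something discovered three days later into an alert raised on the next check; the diff also gives the investigation its first scoping question, namely which exact files to pull for analysis.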

Forbes obtained information on the files used to launch the exploits and checked them on VirusTotal. One is detected as Swifi by Symantec, though few AV engines appear to catch it. Another, detected as Agent-ALEA by Sophos, is blocked by most well-regarded AV products. The related malware (wuservice.dll and Wuservice.dll), which attempted to gain a foothold on targets’ machines and collect information, was also known to some, but not all, antivirus vendors.

The graph below shows how the attack methodology worked:

Two security companies, threat intelligence provider iSight and endpoint security firm Invincea, have claimed that a Chinese cyberespionage group dubbed Codoso Team, also known as Sunshop Group, was responsible for the attack. Stephen Ward, senior director of marketing at iSight, said the attackers likely used some kind of whitelisting to determine which visitors to attack, so only those matching the attackers’ chosen criteria were sent to the exploit. The evidence of Chinese involvement is somewhat circumstantial at the moment, though China-based hackers are the only current suspects. iSight said it had “confirmed targeting of United States defense contractors and United States financial services companies”, though those attacks were blocked, and the firm believes the hackers were hunting for specific targets rather than trying to ensnare as many victims as possible.
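Because the exploit was only served to whitelisted visitors, the site operator cannot tell from the widget alone who was actually attacked; the practical first step is to scope which clients fetched the tampered asset during the window in which it was live. The following is an added example, not Forbes’ own tooling or anything from iSight or Invincea: it parses combined-format web access logs, keeps hits on the widget path inside the tamper window, and flags the Windows/Internet Explorer combination the article names as the one that was exploitable. The widget path, the exact window bounds (only the dates 28 November and 1 December come from the article) and every log line are constructed for the demo.

```python
"""Scope which clients fetched the tampered widget during the compromise window.

Added example, not Forbes' tooling. Assumes 'combined' access-log format and a
known tamper window; the widget path, window times and log lines below are
constructed (RFC 5737 documentation addresses) for the demo.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

WIDGET_PATH = "/widgets/thought-of-the-day/totd.swf"  # assumed path, not Forbes' real one

# Article: file modified 28 Nov, reverted 1 Dec. Exact times are assumed.
TAMPER_START = datetime(2014, 11, 28, 0, 0, tzinfo=timezone.utc)
TAMPER_END = datetime(2014, 12, 1, 9, 0, tzinfo=timezone.utc)

# Constructed sample log: one hit before the window, three inside it (one a 304),
# one after the revert, plus an unrelated page view.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2014:23:59:59 +0000] "GET /widgets/thought-of-the-day/totd.swf HTTP/1.1" 200 1842 "http://www.forbes.com/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
198.51.100.23 - - [28/Nov/2014:14:02:11 +0000] "GET /widgets/thought-of-the-day/totd.swf HTTP/1.1" 200 1900 "http://www.forbes.com/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
198.51.100.23 - - [28/Nov/2014:14:02:12 +0000] "GET /welcome HTTP/1.1" 200 5120 "http://www.forbes.com/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
198.51.100.23 - - [29/Nov/2014:09:30:00 +0000] "GET /widgets/thought-of-the-day/totd.swf HTTP/1.1" 200 1900 "http://www.forbes.com/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
192.0.2.55 - - [30/Nov/2014:08:15:40 +0000] "GET /widgets/thought-of-the-day/totd.swf HTTP/1.1" 304 0 "http://www.forbes.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) Safari/600.1.25"
192.0.2.56 - - [30/Nov/2014:08:16:01 +0000] "GET /widgets/thought-of-the-day/totd.swf HTTP/1.1" 200 1900 "http://www.forbes.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
203.0.113.9 - - [01/Dec/2014:10:00:00 +0000] "GET /widgets/thought-of-the-day/totd.swf HTTP/1.1" 200 1842 "http://www.forbes.com/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
"""


def parse_combined(line: str) -> dict | None:
    """Parse one combined-format line; returns None for lines that don't match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_ie_on_windows(ua: str) -> bool:
    """Triage heuristic: the article names IE on Windows as the exploitable combination."""
    return "Windows" in ua and ("Trident" in ua or "MSIE" in ua)


def exposed_clients(lines, path=WIDGET_PATH, start=TAMPER_START, end=TAMPER_END,
                    statuses=("200",)) -> dict[str, dict]:
    """Return {client_ip: {"hits", "ie_windows", "first_seen"}} for clients served
    `path` with a status in `statuses` at a time t with start <= t < end."""
    exposed: dict[str, dict] = {}
    for line in lines:
        rec = parse_combined(line)
        if rec is None or rec["path"] != path or rec["status"] not in statuses:
            continue
        if not (start <= rec["ts"] < end):
            continue
        entry = exposed.setdefault(rec["ip"], {"hits": 0, "ie_windows": False, "first_seen": rec["ts"]})
        entry["hits"] += 1
        entry["ie_windows"] = entry["ie_windows"] or is_ie_on_windows(rec["ua"])
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
    return exposed


def demo() -> dict[str, dict]:
    return exposed_clients(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in sorted(demo().items()):
        print(ip, info)
```

Only full 200 responses are counted by default; whether a 304 inside the window means the client already held the tampered copy or a clean one depends on how the attacker changed the file and on the server’s validator handling, so an analyst should decide that explicitly rather than let the script assume it. The result is a candidate list, not a victim list: the attackers’ whitelist decided who actually received the exploit, and that decision was made on their server, not in these logs.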

The firm claimed the malware used by the hackers, which would attempt to download itself after visitors hit the Forbes.com site, was written in simplified Chinese and resembled another malicious software family called Derusbi, a strain “unique to Chinese cyber espionage operators”. The command and control servers used by the malware were “passively connected” to tiiztm.com, a domain used in a number of Chinese cyber espionage incidents associated with Codoso Team, iSight added. It noted that another three sites, “associated with Chinese dissident issues to include the Uyghur minority and Hong Kong democracy”, were also compromised to serve the same exploit. There are also some links to a group called Deep Panda, which security firm CrowdStrike believes to be a Chinese hacker group. Ward said the two may be sharing capabilities, but they did not appear to be part of the same group.

Microsoft patched the Internet Explorer flaw today as part of its Patch Tuesday release. Adobe fixed the Flash issue on December 9.

So here’s what we know right now: The hackers used two zero-days to launch attacks on a specific subset of readers and there haven’t been any reported cases of successful exploitation, though they could exist. The attackers have not been able to establish any foothold on Forbes’ network. Chinese hackers appear to be the most likely suspects, but there’s no definitive proof.

This story will be updated as more information comes in.