Microsoft Corp. issued a critical series of patches on Wednesday, closing major security loopholes previously used by hackers, which compromised websites including Forbes.com.
The attack targeted U.S. military and government networks that visited infected websites, but U.S. security systems ultimately foiled attempts to steal data, experts told the BBC.
"It's fairly brazen for a Chinese cyber-espionage group to use such a public site," said John Hultquist, who works for security company iSight. The firm claims to have traced the attacks back to a Chinese group called Codoso.
The attack targeted a few people who were likely to visit the Forbes website, in what is known as a “watering hole” attack, iSight partners said in a report. “It is critical to note that visibility is limited and that there was a potential for broader targeting from this group (and potentially other threat actors).”
The malicious code was briefly hosted on the Forbes website from Nov. 28 through Dec. 1. It used Adobe’s Flash Player, which was hacked by Codoso.
Once it was active on a Windows machine, the Codoso malware tried to track the computer’s software and any networks it was connected to, Hultquist told the BBC. "It's all about land and expand," he said. "They want to get in and stay in and be as persistent as possible and gather intelligence over a long period of time."
Another report by security group Invincea confirms that the website was under an extremely rare type of attack, called a "chained zero-day exploit."
One of the few previous examples of this type of attack, which the report calls a “unicorn,” is the Stuxnet attack against Iranian nuclear plants allegedly conducted by U.S. and Israeli intelligence groups.
Other targets included Chinese political dissidents and other political targets, security news website Dark Reading reported.
Codoso is previously known to have attacked targets in industries including defense, finance, energy, political activism, and think tanks, according to the iSight report. They have been active since at least 2010.
Adobe had patched the bug with its Flash software in December, and Microsoft’s new patch closes the other loophole Codoso had used.