US Department of Labor Site ‘Hacked By Chinese Sources’

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Watering hole attack likely to be state-sponsored, say security researchers

The US government’s Department of Labor website has been compromised, either by a Chinese hacker known as DeepPanda or an affiliated individual or group, endangering all visitors to the site.

AlienVault Labs uncovered the malicious activity, with director Jaime Blasco telling TechWeekEurope he suspected it was a nation state sponsored attack.

Blasco believes this is a watering hole attack, where attackers infect websites they know their targets visit regularly. US government officials could well be a target, he said, noting how the eventual aim is to get a backdoor on the victims’ machines to execute whatever malicious code they want.

China © Stephen Finn, Shutterstock 2012DeepPanda is believed to have been behind attacks on major US and Japanese bodies, including defence and energy organisations.

Chinese hack again?

“There are Chinese guys behind this attack,” Blasco said, noting how the attack methods were similar to previous ones on US and non-US organisations. “They are looking for specific victims who are regularly visiting this website from the US government.

“In terms of the kind of attack, and the attacks we have analysed in the past, it is very likely this is state sponsored.

“A lot of people will probably visit that website and they could get infected.”

The infected site was seen serving up a  file in JavaScript, before executing a script that that tells the attacker much about protection on victims’ machines, including whether it uses popular antivirus technology.

It will also check what software is running on the system, such as Flash or Java, to check if exploitable versions are resident on the machine.

All that data is sent back to the attacker’s server, which then attempts to exploit a patched vulnerability in Microsoft Internet Explorer, versions 6 through 8.

If the exploit is successful, malware will be downloaded onto the victim’s PC, connecting up to a command and control infrastructure, which AlienLabs believes is used by the Chinese malicious actor DeepPanda.

Only two of the 46 antivirus products tested on Virus Total were able to block the malware.

It is unclear whether the site has been cleansed of the malicious code. The US Department of Labor had not responded to a request for comment at the time of publication.

“We have identified some watering holes in government sites in the past, but this one is very important, as it is one of the main US sites for that branch of the government,” Blasco added.

Various attacks on US organisations have been attributed to China, which has subsequently denied all allegations. Attacks on media organisations, including the New York Times, were linked to the country, as were widespread hits carried out by a group known as APT1.

UPDATE: The US Department of Labor offered the following statement to TechWeek: “On May 1 2013, the Department of Labor (DOL) confirmed that a website related to a DOL program appeared to be compromised.  The website was immediately taken offline and the Department began working with appropriate internal and external authorities to investigate and to mitigate any potential impacts.

“The website will remain offline until DOL completes its initial investigation.  At this time there is no evidence of compromise to or loss of DOL information nor is there any disruption in DOL’s services.  The Department will continue the investigation and will ensure that appropriate precautions and safeguards remain in place to protect our information and information systems.”

What do you know about Internet security? Find out with our quiz!

Read also :