Computer breaches that are infecting visitors on energy sector websites might be linked to a May compromise of a Labor Department webpage that attracts former Energy Department nuclear personnel, cyber researchers say.
Traces of the malicious operation that hit Labor's “Site Exposure Matrices” public website, which helps Labor caseworkers compensate former Energy Department workers suffering from nuclear-related illnesses, have been discovered on many industry sites.
“The Department of Labor compromise occurred before the compromise of the energy-related websites,” Emmanuel Tacheau, a Cisco threat researcher, said in an email on Friday. “We know that they share both timing and the target, the energy sector. Both attacks also employed a near identical rendition of the Internet Explorer exploit described in CVE-2013-1347,” the name of a software flaw.
These “watering hole” attacks took advantage of weaknesses in Web browser software, in this instance Microsoft Internet Explorer, to implant malicious software that can then infiltrate the computers of site visitors.
Tacheau said the Labor site intrusion is consistent with watering hole attacks “which attempt to deliver malware to the specific sector that would ordinarily visit those pages. In the case of the DoL compromise, the affected pages dealt with nuclear-related content. The malware connects to a remote command and control server and it is assumed the intent is to gather forensics and steal sensitive information.”
Researchers have not been able to determine a direct connection between the two campaigns, he said.
The assaults on the firms came to light later in May, Tacheau wrote in a blog post earlier this week. The victims include an industrial supplier to the energy, nuclear and aerospace sectors, and various investment and capital companies that specialize in energy. Other targets were an oil and gas exploration firm with operations in Africa and Brazil, and a natural gas power station in the United Kingdom.
Encounters with the malware on the corporate sites “resulted from either direct browsing to the compromised sites or via seemingly legitimate and innocuous searches. This is consistent with the premise of a watering-hole style attack that deliberately compromises websites likely to draw the intended targets,” Tacheau wrote.
Researchers at security providers Invincea and Alienvault Labs were the first to discover the Labor site intrusion this spring. The database lists diseases associated with Energy facilities and details toxicity levels at each location that might have sickened employees developing atomic weapons, according to the Institute of Medicine.
Alienvault specialists, at the time, suggested that techniques used to strike Labor’s site matched those “used by a known Chinese actor called DeepPanda.”