The attacks, announced The Security Ledger, “were part of a wide-ranging operation that relied on many ‘watering hole’ web sites that attracted employees from prominent firms across the U.S.” At least two other sites were involved in delivering malware to visitors, and victims are now known to include car companies, government agencies and even a candy company. But the ‘who’ and ‘why’ remain clouded. Some early suggestions that it was another Chinese intellectual property theft campaign have been countered by suggestions that the methodology bears more resemblance to east European criminal gangs.
Nevertheless, some aspects are reminiscent of the APT attacks that are more usually associated with nation-state incursions. “For example,” wrote Security Ledger, “the use of the corp-aapl.com domain for command and control shows an attention to detail that suggests that corporations and sophisticated organizations were the target, rather than individuals.” Anup Ghosh, CEO of Invincea, added, “You only do that if you’re concerned about people looking at logs, and individuals never do that.”
Waterhole attacks are a compromise between indiscriminate and targeted. The type of website compromised targets a particular group of users – in this instance developers. Generally speaking, targeting does not go beyond this. “The wide net of watering hole web sites pulled in employees from organizations across a broad swath of the U.S. economy, say those with knowledge of the incident. That has made the operation look more like a fishing expedition than a narrowly focused operation,” suggests Security Ledger. But it also states that Ian Sefferman of iPhoneDevSDK.com, one of the compromised waterholes, “confirmed that the attacks served from his site only affected some visitors, and not others. Sefferman said, for example, that he was not targeted with an exploit, while other visitors to his site were.”
Clearly there is still much that is unknown about the attacks. Security Ledger approached the FBI, who declined to comment. “Nobody knows the whole picture,” added Joe Sullivan, Facebook’s chief of security. “And, in the absence of an environment where all the companies implicated are able to share all their internal details, there is little chance of the whole picture being directly assembled.”
This is a comment, says Lisa Myers of Intego (who had earlier published details on the OSX malware, OSX/Pintsized.A, used in the attacks), “that really drives me nuts.” She believes that the victim companies were perfectly able to share details with other security researchers, but chose not to. “Had any of the four shared the details of their own attack the way they have shared detail in the past, we could have had more eyes on this puzzle and we all could have worked together to figure out what was going on. As it stands, there are several separate investigations going on that create redundancy and slows all of our progress significantly.”