Zero-day attack targets military via veterans’ website

The drive-by attack, dubbed Operation SnowMan by security company FireEye, has infected VFW.org and exploits a flaw in Internet Explorer.

Military personnel are being targeted in a cyberattack against the Veterans of Foreign Wars website that appears to be timed specifically to hit during the shutdown caused by this week’s snowstorm and the ensuing Presidents Day weekend.

Security company FireEye, which disclosed the attack Feb. 13, said in a blog post that the attack exploits a zero-day vulnerability in Internet Explorer 10 and is likely the work of a group that has previously attacked government agencies and companies in the defense industrial base (DIB). Microsoft has confirmed the vulnerability, and said it also affects IE 9.

The attack, dubbed Operation SnowMan, targets IE 10 with Adobe Flash, according to FireEye, which described it as a “classic drive-by attack.” FireEye, which said it is working with Microsoft on a fix, said users could mitigate the attack by installing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) or upgrading to IE 11.

VFW is a non-profit group for veterans but it is also open to active duty personnel. And although FireEye didn’t speculate on the ultimate goal of the attacks, Arik Hesseldahl at re/code suggests the attackers could be targeting military intelligence. Active duty personnel who visit VFW.org over the weekend and then sign into a Pentagon network from the same machine could give away access, he writes.

While there’s no clear evidence that’s the goal, such a roundabout attack certainly isn’t unheard of. The theft of at least 40 million customer records from retailer Target, for example, grew out of a phishing attack on an HVAC vendor that did business with Target and had access to its systems.

FireEye does say that Operation SnowMan appears to be specifically targeting military personnel and that “infrastructure overlaps” and patterns in the attacks indicate it is being conducted by the same cyber criminals behind two earlier attacks, Operation DeputyDog and Operation Ephemeral Hydra. Similarly to the current attack, those attacks used what FireEye called a strategic Web compromise and employed zero-day exploits in Internet Explorer to install remote-access Trojans.

DeputyDog and Ephemeral Hydra, identified in 2013, targeted U.S. government entities, DIB companies, law firms, non-government organizations, and Japanese IT and mining companies.