Zero-Day for Military & Economic Advantage

Category: Science and Technology

Date Submitted: 10/01/2016 10:13 PM

A zero-day attack occurs when a new software vulnerability is discovered and exploited to adversely affect data, computer programs, or a network before a fix is made available. These vulnerabilities are referred to as “zero-day” because, once they are disclosed, the developer has virtually zero days to remediate or mitigate them. Cyber-criminals share the vulnerabilities within their community for exploitation before they are discovered and a patch is released. Even after a patch is released, there is still a window of opportunity for attacks, because of the time it takes for all affected devices to apply the mitigation or to be patched. Zero-day attacks are a severe threat to any organization or agency’s network. If a vulnerability is exploited on an entity’s network via a zero-day attack, it can be the passageway into the network, bypassing security controls and barriers set up to prevent an attack.

“Operation Snowman” (CVE-2014-0322) was discovered by FireEye security analysts on February 11, 2014. The campaign was assumed to be a Chinese operation and is comparable to Operation DeputyDog and Operation Ephemeral Hydra; both “operations” used zero-day vulnerabilities to deliver Trojan viruses via remote access to strategically attack their targets. Hackers exploited a zero-day vulnerability within the Internet Explorer (IE) 10 browser and used it in a targeted and sophisticated attack believed to be aimed at US military personnel.

The attack was placed on the U.S. Veterans of Foreign Wars (VFW) website and was timed to coincide with a federal holiday weekend, as well as a major snowstorm in the eastern United States. The exploit was a “classic drive-by download attack”: a browser-based attack that deceives website visitors into visiting malware-infected websites. The threat actors compromised the VFW website by modifying the site’s pages to include code (in an iframe) that exploited the unpatched IE10 vulnerability on systems that also had Adobe Flash Player. The modified HTML code then...