Delving further into the Microsoft Internet Explorer zero-day exploit found last week, which unknown hackers used to compromise the website of an influential American think tank, researchers have discovered the exploit's use on other websites and strong evidence of links to China.
"We have been able to confirm that this latest Internet Explorer zero-day is a continuation of the Elderwood Project," wrote Symantec security researchers in an official blog posting today (Jan. 4).
A zero-day exploit attacks computers via a software flaw that has not yet been fixed. Elderwood refers to a common malware platform used in an ongoing series of attacks on companies and organizations, dating back to the 2009 Operation Aurora intrusions into the networks of Google and dozens of other Western corporations.
Few of the companies attacked during Aurora would confirm that they had been hit or identify their attackers, but Google did both. It pinned the blame squarely on hackers working for or with the Chinese government. (Beijing strenuously denies all allegations that it is behind any attacks.)
Meanwhile, security experts in Luxembourg and the Czech Republic identified six other sites compromised with the new Internet Explorer flaw.
The sites belong to a Chinese human-rights group, a group of dissident Uyghurs from Chinese Central Asia, a Hong Kong newspaper, a travel agency in Taiwan, a Russian scientific group and Capstone Turbine Corp., a California maker of wind turbines.
The compromise last month of the website of the Council of Foreign Relations was characterized by several experts as a classic "watering hole" attack, in which malware is embedded in websites thought to appeal to a select group of people in order to enable drive-by downloads.
Visitors to the website of the prestigious think tank, whose members include most former presidents and secretaries of state, are presumably important targets.
The six newly identified website infections would also seem to be watering-hole attacks. The Chinese government is known to be interested in the activities of internal dissidents, in overseas Chinese in the "near abroad" and in foreign energy technology.
Microsoft last week released a temporary "fix it" for the browser flaw, which affects Internet Explorer versions 6 through 8. Windows XP users should implement the "fix it"; users of Windows Vista, 7 and 8 should upgrade to Internet Explorer versions 9 or 10, which are not affected. (The American security company Exodus Intelligence has already found flaws in the "fix it.")
Microsoft is working on a full patch for the flaw, which, unfortunately, will not make it in time for next week's Patch Tuesday monthly round of Microsoft updates.