Massive Cyber Attack Breaches 2,500 Organizations
So-called "Kneber" botnet collects login credentials for online financial systems, social networking sites, and e-mail systems, and uses them to steal corporate and government data.
For the past 18 months, hackers based in Europe and China using a ZeuS botnet managed to infiltrate more than 75,000 computer systems at nearly 2,500 companies and government agencies, stealing login information culled from social networking sites to break into bank accounts, pilfer corporate data, and replicate personal and financial identities.
According to threat detection and security software maker NetWitness, this newly discovered Kneber botnet -- so named for the user name associated with the infected systems worldwide -- was first identified in January during a routine deployment of the company's advanced monitoring software.
Investigators soon discovered that hackers using the ZeuS Trojan spyware had acquired more than 68,000 login credentials, giving them access to a variety of e-mail systems, online banking systems, and Facebook, Yahoo (NASDAQ: YHOO) and Hotmail accounts, as well as dossier-level data on individuals, including complete identity dumps taken from compromised computers.
NetWitness officials said they have already notified many of the companies and organizations affected, warning that this massive cyber attack is still ongoing. Neither NetWitness nor the affected organizations can determine exactly how much data was compromised and what, if anything, the hackers have done with the purloined information.
The discovery of this latest and particularly virulent botnet comes on the heels of a pair of high-profile cyber attacks. Operation Aurora compromised the computer networks operated by Google (NASDAQ: GOOG), Adobe (NASDAQ: ADBE) and more than two dozen other U.S. and international companies. Another coordinated cyber attack targeted the proprietary data of three of the world's largest oil companies.
"While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet," NetWitness CEO Amit Yoran said in a statement. "These large-scale compromises of enterprise networks have reached epidemic levels."
According to NetWitness, hackers based in Germany began accessing corporate networks in late 2008 by tricking employees into clicking on links to malicious Web sites and attachments that installed ZeuS, spyware whose kit can be downloaded for free online. Victims ran the spyware believing it was an application or attachment meant to clean viruses off their machines.
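The infection vector described above is an executable dressed up as a virus-cleanup tool or document. As an added example (not code from the article or from NetWitness), the following Python inspects attachments by content rather than by name: it flags PE executables whatever their extension, double extensions such as report.pdf.exe, and executables hidden inside zip archives. The extension lists, the lure-word heuristic and the sample attachments are constructed for this example and are not drawn from the Kneber investigation.

```python
import io
import zipfile

# Well-known file signature (not taken from the article): Windows PE files
# begin with the DOS "MZ" stub.
PE_MAGIC = b"MZ"

# Policy lists are assumptions for this example; a real gateway would be broader.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "txt", "jpg", "png", "htm", "html"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Words a fake "virus cleanup" lure tends to carry in its file name (heuristic).
LURE_WORDS = ("antivirus", "anti-virus", "cleanup", "cleaner", "removal")


def _extensions(filename: str) -> list[str]:
    """All dotted extensions of the base name, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    base = filename.lower().rsplit("/", 1)[-1]
    return base.split(".")[1:]


def inspect_attachment(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons an attachment is suspicious (empty list if none).

    Decisions are made on content, not only on the name: PE content is flagged
    under any non-executable extension, a double extension like report.pdf.exe
    is flagged, a bare executable is flagged, and zip archives are opened and
    their members inspected recursively (two levels deep) so a zipped .exe is
    not missed.
    """
    findings = []
    exts = _extensions(filename)
    ext = exts[-1] if exts else ""
    is_pe = data.startswith(PE_MAGIC)

    if is_pe and ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"{filename}: PE executable content under .{ext or '(no extension)'}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"{filename}: double extension hides an executable")
    elif ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"{filename}: executable attachment")
    if (is_pe or ext in EXECUTABLE_EXTENSIONS) and any(w in filename.lower() for w in LURE_WORDS):
        findings.append(f"{filename}: executable posing as a virus-cleanup tool")

    if ext == "zip" and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if not member.is_dir():
                        inner = f"{filename}/{member.filename}"
                        findings.extend(inspect_attachment(inner, archive.read(member), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{filename}: .zip extension but not a valid archive")
    return findings


def is_suspicious(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if any finding was raised for the attachment."""
    return bool(inspect_attachment(filename, data))


def _zip_of(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments; the bytes are stand-ins, not real malware.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLES = {
    "virus_cleanup.pdf": FAKE_PE,                   # executable renamed to look like a document
    "report.pdf.exe": FAKE_PE,                      # classic double extension
    "quarterly_report.pdf": b"%PDF-1.4\n%fake\n",   # genuine document, should pass
    "antivirus_update.zip": _zip_of({"antivirus_update.exe": FAKE_PE}),
    "photos.zip": b"not really a zip archive",      # wrong type for its extension
}


def scan_samples() -> dict[str, list[str]]:
    """Run the inspector over SAMPLES and return the findings per attachment."""
    return {name: inspect_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {'BLOCK' if findings else 'allow'}")
        for reason in findings:
            print("   -", reason)
```

The point of checking the first bytes is that the renamed executable in the first sample passes any filter that looks only at the extension; the lure-word check is deliberately a secondary signal and never fires on its own, so a genuine document named "cleanup_notes.pdf" is not blocked.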
In one instance, the hackers managed to snare the user name and password of a U.S. soldier's e-mail account. NetWitness officials said the cyber attackers accessed computers at ten U.S. government agencies. They also infiltrated more than 100 corporate servers that held "large quantities" of business data including databases, company files, and e-mail systems.
While NetWitness would not identify any of the 2,411 companies and agencies impacted, a Wall Street Journal report said Cardinal Health (NYSE: CAH), Merck (NYSE: MRK), and network equipment-maker Juniper Networks (NYSE: JNPR) were among the affected companies.
Officials at the three companies were not immediately available to comment on the attack.
Yoran said it appears an Eastern European criminal organization using computers located in China is responsible for the cyber attacks, adding that more than half of the infected machines were also contaminated with Waledac, a peer-to-peer botnet.
The coexistence of ZeuS and Waledac on the same machines, according to NetWitness, suggests that the hacking organization placed a premium on resilience and survivability, and potentially on deeper "cross-crew collaboration" with other criminal organizations.
"Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information," Alex Cox, the principal analyst at NetWitness who discovered the Kneber botnet, said in a statement. "But that viewpoint is naive."
"When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats, such as ZeuS, and consider more diverse mission objectives," he added.
NetWitness said U.S.-based companies and organizations were targeted in 11 percent of the Kneber botnet attacks, placing the U.S. fifth behind Egypt (19 percent), Mexico (15 percent), Saudi Arabia (13 percent), and Turkey (12 percent).