US tech firms have been dropping like flies, with one company after another coming forward in recent weeks to report that it has fallen victim to a cyberattack. Twitter and Facebook both provided details of security breaches last week, and late yesterday Apple revealed that it too had been hit by the same group of hackers.
Apple’s admission comes just days after Facebook reported that it had been targeted in what it described as a “sophisticated attack”, blaming a vulnerability in Java for the security breach. That followed an earlier admission by Twitter that it had also been breached this month, with more than 250,000 user accounts compromised.
China’s Military Spies or Eastern European Gangs?
Following the recent spate of cyberattacks and the revelation that they all appear to be linked, a number of investigators automatically pointed the finger of suspicion at China, given that country’s involvement in recent high-profile attacks on US media outfits such as the New York Times. China is always at the top of the list of suspects when cyberattacks of this scale emerge, and its reputation has been done no favors by yesterday’s report from security firm Mandiant that a secret unit of the People’s Liberation Army, staffed by professional hackers, has been carrying out state-sponsored intrusions on the Chinese government’s behalf.
The shadowy group of hackers, identified as People’s Liberation Army Unit 61398, was labelled an “Advanced Persistent Threat” and blamed for stealing hundreds of terabytes of data from as many as 141 organizations worldwide.
Given this report, it’s tempting to put two and two together and assume that China must also be responsible for the latest security breaches, but according to Bloomberg things aren’t quite so clear-cut. Investigators working on the case believe that the malware used in the attacks, together with the habits of the hackers themselves, bears all the hallmarks of “an Eastern European gang that is trying to steal company secrets”, rather than of state-sponsored cyber-espionage.
Bloomberg cites two unnamed sources as saying that an unknown group of Russian or Eastern European criminals is the primary suspect, because the hackers were using command-and-control servers linked to a Ukrainian web host. Furthermore, the sources say that the specific type of malware used in the attacks suggests the hacks originated in Europe.
Developer’s Site Named As Malware Host
The identity of the hackers may never be known for certain, but investigators apparently believe they have nailed down the source of the attacks. Facebook previously stated that its employees’ laptops were infected after “visiting a third-party mobile developer’s site”, while Apple referred to a “website for software developers” as the origin of the attacks, without naming the actual site. In other words, this was a watering-hole attack: rather than targeting the companies directly, the attackers compromised a site their engineers were likely to visit.
Tech website All Things D reported yesterday that the suspect domain is almost certainly the iPhone developer forum iphonedevsdk.com, citing sources at Facebook familiar with the investigation. Bloomberg later also named iphonedevsdk.com as the host of the malware, but these accusations were quickly denied by the site’s owner, Ian Sefferman, in an email to All Things D:
“We’re investigating Facebook’s reports that iPhoneDevSDK was hosting an exploit targeted at Facebook employees. We’re actively ensuring that is not the case. Facebook originally noted that they immediately reached out to other affected companies, but we were never contacted by Facebook, any other company, or law enforcement. Our users’ security is incredibly important to us and we’ll be sure to follow the investigation through to completion.”
Sefferman could simply be exercising some damage limitation here, but given that both Bloomberg and All Things D rely on ‘unnamed sources’, the possibility remains that the malware originated elsewhere. Still, until the matter is cleared up it’s probably not a good idea to go visiting iphonedevsdk.com. And since Facebook blamed a Java vulnerability for its breach, disabling or removing the Java browser plugin is a sensible precaution regardless of which site turns out to have served the exploit.