Advanced cyber-espionage attack employed 'drive-by' method on CFR website
by Bill Gertz
December 27, 2012
Computer hackers traced to China carried out an
advanced cyber-espionage attack against one of America’s most elite foreign
policy web groups - the website of the Council on Foreign Relations (CFR).
According to private computer-security forensic specialists, the hacking
incident involved a relatively new type of ploy called a “drive-by” website
cyber attack that was detected around 2:00 p.m. on Wednesday.
The specialists, who spoke on condition of anonymity, said the attack
involved penetrating the computer server that operates the New York
City-based CFR’s website and then using the pirated computer system to
attack CFR members and others who visited or “drove by” the site.
The activity ended on Thursday and the specialists believe the attackers
either removed their malicious software to prevent further details of the
attack from being discovered, or CFR was able to isolate the software and
The FBI was notified of the attack and is said to be investigating.
FBI spokeswoman Jennifer Shearer declined to comment when asked about the
attack. But she told the Washington Free Beacon:
“The FBI routinely receives
information about threats and takes appropriate steps to investigate those
However, David Mikhail, a Council on Foreign Relations spokesman,
confirmed the attack.
“The Council on Foreign Relations’ website
security team is aware of the issue and is currently investigating the
situation,” Mikhail said in an email. “We are also working to mitigate
the possibility for future events of this sort.”
He provided no details.
According to the computer security specialists, the cyber espionage attack
represents a new level of sophistication by foreign hackers seeking
government and other secrets by computer.
The method used in a “drive-by” attack requires hackers to covertly plant
malicious software in the CFR computer system.
They then used that software and the website to attack visitors to the site,
infecting their computers in a hunt for secrets and other valuable
information. One of the specialists said the attack also involved using the
CFR site for what is called a “watering hole” attack, in which people who
visit the website are infected.
One of the victims who visited the CFR’s website, cfr.org, discovered the
attack and alerted computer security specialists on Wednesday.
In response, a small group of private security specialists launched an
investigation into the activity and found that it targeted only computer
users running the Windows Internet Explorer 8 web browser or higher versions.
The attackers were able to exploit a security
flaw in the browser software called a “zero-day” vulnerability - a
previously unknown flaw that allows computer hackers to gain access to a
A similar Internet Explorer vulnerability was behind the major Aurora cyber
attack on Google and other U.S. corporations that began in 2009 and was
traced to China’s government.
Investigators said the computer attackers that targeted CFR were able to set
up a covert network capable of identifying, encrypting, and sending stolen
information found in targeted and infected computers back to a secret
command and control computer.
In the case of the CFR hack, the malicious software included Mandarin
Chinese language, the specialists said.
</gre_replace>
<gr_insert after="66" cat="add_content" lang="python" orig="been infected and their">
As an added example (not from the article, CFR, or the investigators), the following Python script shows the log triage a site owner would run after such a compromise: given constructed Apache-style access log lines, it lists the client addresses that fetched an assumed injected script within the Wednesday-to-Thursday window using Internet Explorer 8 or later with a Chinese Accept-Language, the visitor profile described above. The log format, the path /static/inject/news.js, the timestamps and all addresses are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access log (not real CFR data). Assumed format: Apache
# "combined" with "%{Accept-Language}i" appended as a final quoted field.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Dec/2012:14:02:11 -0500] "GET /news/index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" "zh-CN,zh;q=0.8"
203.0.113.10 - - [26/Dec/2012:14:02:12 -0500] "GET /static/inject/news.js HTTP/1.1" 200 3841 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" "zh-CN,zh;q=0.8"
198.51.100.7 - - [26/Dec/2012:15:30:45 -0500] "GET /static/inject/news.js HTTP/1.1" 200 3841 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" "en-US,en;q=0.5"
198.51.100.22 - - [27/Dec/2012:09:10:03 -0500] "GET /static/inject/news.js HTTP/1.1" 200 3841 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)" "zh-TW,zh;q=0.9"
192.0.2.5 - - [27/Dec/2012:11:45:00 -0500] "GET /static/inject/news.js HTTP/1.1" 200 3841 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0" "zh-CN"
192.0.2.9 - - [28/Dec/2012:12:00:00 -0500] "GET /static/inject/news.js HTTP/1.1" 200 3841 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" "zh-CN"
"""
INJECTED_PATH = "/static/inject/news.js"  # assumed path of the planted script
EST = timezone(timedelta(hours=-5))
# Attack window per the article: detected around 2 p.m. Wednesday, over by Thursday.
WINDOW_START = datetime(2012, 12, 26, 14, 0, tzinfo=EST)
WINDOW_END = datetime(2012, 12, 27, 23, 59, 59, tzinfo=EST)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$'
)
MSIE_RE = re.compile(r"MSIE (\d+)\.")


def exposed_clients(log_text, injected_path=INJECTED_PATH, start=WINDOW_START,
                    end=WINDOW_END, min_ie=8, lang_prefix="zh"):
    """Client IPs that fetched the planted script (HTTP 200) inside the window.
    min_ie / lang_prefix narrow to the targeted profile (IE >= 8, Chinese
    Accept-Language); pass None to skip either filter. Absence is not proof of
    safety: Accept-Language is logged only if LogFormat records it."""
    hits = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] != injected_path or m["status"] != "200":
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not start <= when <= end:
            continue
        ie = MSIE_RE.search(m["ua"])
        if min_ie is not None and (not ie or int(ie.group(1)) < min_ie):
            continue
        if lang_prefix is not None and not m["lang"].lower().startswith(lang_prefix):
            continue
        hits.add(m["ip"])
    return sorted(hits)
```

Calling `exposed_clients(SAMPLE_LOG, min_ie=None, lang_prefix=None)` gives the wider list of everyone who pulled the script, useful for notification when the server-side filtering cannot be trusted to match what was logged.
<test>
assert exposed_clients(SAMPLE_LOG) == ["198.51.100.22", "203.0.113.10"]
assert exposed_clients(SAMPLE_LOG, min_ie=None, lang_prefix=None) == ["192.0.2.5", "198.51.100.22", "198.51.100.7", "203.0.113.10"]
assert exposed_clients(SAMPLE_LOG, injected_path="/nope.js") == []
assert exposed_clients(SAMPLE_LOG, min_ie=9) == ["198.51.100.22"]
</test>
</gr_insert>
<gr_replace lines="70-80" cat="reformat" orig="Its members include,">
Its members include NBC anchor Brian Williams, Hollywood actress Angelina
Jolie, and former Sen. Chuck Hagel, President Obama’s embattled but as yet
un-nominated choice for secretary of
Current Secretary of State Clinton and Assistant Secretary of State Kurt
Campbell, the Obama administration’s senior Asian affairs policy maker, also
are CFR
Senate Intelligence Committee Chairman Sen. Dianne Feinstein (D., Calif.) is
also a member, as is Secretary of State-designate Sen. John Kerry.
Also, the attackers limited their targeting to
CFR members and website visitors who used browsers configured for Chinese
language characters - an indication the attackers were looking for people
and intelligence related to China.
“This was a very sophisticated attack,” said
one of the specialists. “They were looking for very specific information
from specific people.”
The extent of the damage is not known but CFR
members who visited the website between Wednesday and Thursday could have
been infected and their data compromised, the specialists said.
The CFR is one of the most elite foreign policy organizations in the United
States with a membership of some 4,700 officials, former officials,
journalists, and others.
Its members include,
NBC anchor Brian Williams
Hollywood actress Angelina Jolie
former Sen. Chuck Hagel, President
Obama’s embattled but as yet un-nominated choice for secretary of
Current Secretary of State
Clinton and Assistant Secretary of State Kurt Campbell,
the Obama administration’s senior Asian affairs policy maker, also are CFR
Senate Intelligence Committee Chairman Sen.
Dianne Feinstein (D., Calif.) is also a member, as is Secretary of
State-designate Sen. John Kerry.
Its board and members include a who’s who of U.S. foreign policy and
national security elites, including former U.S. Central Command commander
Army Gen. John Abizaid, and former Secretaries of State,
Fox News CEO Roger Ailes also is a
member, as is News Corp. chairman and CEO Rupert Murdoch.
George W. Bush and Bill Clinton are members, as are former CIA Director and
former Defense Secretary Robert M. Gates and former CIA Director David
Petraeus.
The CFR cyberstrike is not the first strategic drive-by cyber attack.
The security website Dark Reading reported in
May that the Center for Defense Information, and the Hong Kong
chapter of the human rights group Amnesty International (AIHK), along with
several other organizations, also were attacked using similar drive-by
“The weapon of choice for a cyberspy or
advanced persistent threat (APT)
actor gaining a foothold inside its target traditionally has been the
socially engineered email with a malicious link or attachment,”
“But cyberspies are increasingly targeting
specific, legitimate websites and injecting them with malware in hopes
of snaring visiting victims from organizations from similar industries