Chinese hackers were able to attack American defence and financial firms last November by compromising the news site Forbes, according to the security vendors Invincea and iSight.
The "brazen" attack was said to have chained together unpatched flaws in Adobe Flash and Microsoft’s Internet Explorer to gain access to internal networks at the companies. It is thought to have been sponsored by China.
"The attack was executed against specific targets by compromising the Forbes.com ‘Thought of the Day’ Adobe Flash widget that appears initially whenever anyone visits any Forbes.com page or article," said a report from Invincea.
"Our analysis concluded that this widget was compromised using a Flash zero-day [unpatched flaw] exploit to gain control of unsuspecting users’ machines within targeted firms."
Researchers have linked the attack to the advanced persistent threat (APT) group Codoso, also called the Sunshop Group, which has a history of attacking US government bodies and strategic assets affiliated with the country.
"Malware leveraged in the incident included resources written in simplified Chinese and bore a resemblance to variants of Derusbi, malware unique to Chinese cyber espionage operators," said Stephen Ward, senior director of marketing at iSight.
He added that other assets used in the attack, such as the command and control (C&C) server used to issue instructions to the malware, could also be linked back to Codoso.
Despite the fact that millions of Forbes’ users could have been attacked, the exploit seems instead to have been used purely to target the defence and financial companies.