China Spying on US Veterans, Active Service Members

February 16, 2014 Updated: February 18, 2014

China is spying on U.S. veterans and military service members through a breach of the largest veterans’ organization. The attack was uncovered by security researchers at FireEye, who have dubbed it “Operation SnowMan” due to its strategic timing when government workers may be distracted by winter storms and a national holiday.

The attack attempted to target anyone who visited the Veterans of Foreign Wars (VFW) website. The congressionally chartered organization, which has close to 2 million members, advocates for military benefits and assists veterans with disability claims to the Department of Veterans Affairs.

The attack allowed Chinese hackers to monitor and gain control over users’ computers by quietly installing a Remote Access Trojan (RAT).

“A possible objective in the ‘SnowMan’ attack is targeting military service members to steal military intelligence,” states a blog post by FireEye describing the attack, noting “In addition to retirees, active military personnel use the VFW website.”

The post also notes that the attack coincides with Presidents Day, “and much of the U.S. Capitol shut down Thursday amid a severe winter storm.”

In the attack, Chinese hackers injected code into the VFW website that, in the background, loaded their own code any time someone visited the site. If a visitor was using Internet Explorer 10 with Adobe Flash enabled, the malicious code would then infect the visitor’s computer. If the computer was configured otherwise, it would not be infected.
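The injection described above works because a trusted site starts loading code from somewhere it never loaded from before. A defender-side check that catches that change is a page-integrity audit: collect every external loader (script, iframe, object, embed) on the live page, and flag anything whose host is off the site’s allowlist or that did not appear on a known-good copy of the page. The following is an added example, not code from the article or from FireEye; the sample pages, the allowlist and the `attacker-controlled.invalid` hostname are constructed for illustration.

```python
"""Flag unexpected script/iframe/object loaders on a web page.

Added example (not from the article or FireEye): a defender-side integrity
check for the kind of injection described above, where a trusted site is
modified to load attacker-controlled code in the background. Hostnames,
sample pages and the allowlist below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes through which a page can pull in executable or embedded content.
LOADER_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class LoaderCollector(HTMLParser):
    """Collect (tag, url) pairs for every externally loaded resource."""

    def __init__(self):
        super().__init__()
        self.loaders = []        # list of (tag, url)
        self.inline_scripts = 0  # inline <script> blocks, counted for review

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for name in LOADER_ATTRS.get(tag, ()):
            if attr_map.get(name):
                self.loaders.append((tag, attr_map[name]))
        if tag == "script" and "src" not in attr_map:
            self.inline_scripts += 1


def external_host(url):
    """Hostname of an absolute or protocol-relative URL; None if same-origin."""
    parsed = urlparse(url)
    return parsed.hostname.lower() if parsed.hostname else None


def collect_loaders(html):
    """Return the (tag, url) loaders found in an HTML document."""
    collector = LoaderCollector()
    collector.feed(html)
    return collector.loaders


def find_suspicious_loaders(html, allowed_hosts, baseline_loaders=None):
    """Return (reason, tag, url) for loaders that look injected.

    allowed_hosts: hostnames the site is expected to load code from.
    baseline_loaders: (tag, url) pairs from a known-good copy of the page;
    when given, any loader not present there is also reported.
    """
    baseline = set(baseline_loaders) if baseline_loaders is not None else None
    findings = []
    for tag, url in collect_loaders(html):
        host = external_host(url)
        if host is not None and host not in allowed_hosts:
            findings.append(("off-allowlist", tag, url))
        elif baseline is not None and (tag, url) not in baseline:
            findings.append(("not-in-baseline", tag, url))
    return findings


# Constructed sample pages: a known-good snapshot and a tampered copy that
# gained a hidden iframe from a hypothetical attacker host plus a changed
# same-origin script reference.
KNOWN_GOOD_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
</head><body><h1>Members</h1></body></html>"""

TAMPERED_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
<iframe src="http://attacker-controlled.invalid/loader.html" width="0" height="0"></iframe>
<script src="/js/site.js?v=2"></script>
</head><body><h1>Members</h1></body></html>"""

ALLOWED_HOSTS = {"cdn.example.org"}  # constructed allowlist for the sample site


def audit_tampered_page():
    """Audit the tampered sample against the known-good baseline."""
    baseline = collect_loaders(KNOWN_GOOD_PAGE)
    return find_suspicious_loaders(TAMPERED_PAGE, ALLOWED_HOSTS, baseline)


if __name__ == "__main__":
    for reason, tag, url in audit_tampered_page():
        print(f"{reason:16} <{tag}> {url}")
```

Run against a scheduled fetch of each public page, the check turns a silent injection into an alert the moment a loader appears that is neither on the allowlist nor in the last known-good snapshot; the hidden iframe is reported as off-allowlist and the altered script reference as not-in-baseline, while the untouched page produces no findings.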

Randi Law, the VFW public affairs manager, said in an email that the VFW National Headquarters was notified of the attack on Feb. 12, after which “VFW immediately identified the threat and rectified the code.”

“At this point, there is no indication that any member or donor data was compromised,” Law said. “VFW is currently working with federal law enforcement and a computer security incident response team to locate the source of the attack and determine the extent of the event.”

‘Watering Hole’ Attack

The form of attack is called a “watering hole.” The analogy is of victims unknowingly coming to drink from a watering hole where hackers, like alligators beneath the water, lie waiting. The method is commonly used in state-sponsored attacks by China and Russia.

Researchers at FireEye said they believe the attack originates in China. It carries the signature of a state-run attack, due to the nature of the targets, forms of vulnerabilities exploited in the breach, and due to several similarities between it and other advanced attacks from China.

After analyzing “Operation SnowMan,” researchers showed it connects to many of the addresses tied to two recent attacks from Chinese hackers, “Operation DeputyDog” and “Operation Ephemeral Hydra.”

“Operation DeputyDog,” uncovered in September 2013, targeted computer networks in Japan. “Operation Ephemeral Hydra,” uncovered in November 2013, installed similar spying systems on an unnamed website, which FireEye said draws “visitors that are likely interested in national and international security policy.” Both attacks were tied to the Chinese hackers who breached Bit9 security in February 2013.

Aside from sharing many of the same Web addresses, the three attacks also shared similarities in methods of attack. They all used zero-day exploits, attacks on security holes for which no patch yet exists, to install RATs on users’ computers. They also shared many more technical similarities.

FireEye notes the Chinese hackers tied to these attacks have hit targets including the U.S. government, Japanese firms, defense companies, mining companies, nongovernmental organizations (NGOs), and information technology (IT) companies.

Follow Joshua on Twitter: @JoshJPhilipp