Cyberattacks, apparently, happen in threes.
After Facebook and Twitter announced that they were breached by sophisticated hackers in recent weeks, Apple said it had been attacked, too, in a rare admission for the technology giant.
In a statement to reporters Tuesday, Apple said some of its computers were infected with the same malware that hit Twitter and Facebook. Like Facebook, Apple confirmed that its employees’ computers were infected with malware when they visited a Web site for software developers. Neither company has named the Web site. But according to a person with knowledge of Facebook’s investigation, the compromised site, iPhonedevsdk, an online forum for software developers, is still infected. (In other words, unless you want to be owned by hackers, do not visit the site.)
“We identified a small number of systems within Apple that were infected and isolated them from our network,” Apple said in a statement. “There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.”
Twitter said attackers may have briefly gained access to data for 250,000 user accounts and that it reset passwords for and alerted users whose data may have been vulnerable. Facebook said that no user data was taken in its attack. Both companies said that they were also working with law enforcement to trace the source of the attacks, which they described only as “sophisticated.”
In all three cases, the attackers exploited a well-known security hole in Oracle’s Java software. Java, a widely used programming language, is installed on more than three billion devices. It has long been hounded by security problems.
Last month, after a French security researcher and blogger named Kafeine exposed a serious vulnerability in the software, the Department of Homeland Security issued a rare alert that warned users to disable Java on their computers. The vulnerability was particularly disconcerting because it let attackers download a malicious program onto its victims’ machines without any prompting. Users did not even have to click on a malicious link, they only had to visit an infected site for their computers to get infected.
After Oracle initially patched the security hole in January, the Department of Homeland Security said that the fix was not sufficient and recommended that, unless it was “absolutely necessary” to use Java, users should disable it on their computers completely. Oracle did not issue another fix until Feb. 1.
Apple said on Tuesday that it was releasing an updated Java malware removal tool that will check Macs for malware and remove it if found.
But security researchers say the Java exploit only gave hackers a foothold into these companies’ systems, and that the companies should be more forthcoming with what the attackers did once inside.
“Why is nobody asking what the payload is?” Sean Sullivan, a security adviser at the Finnish antivirus company F-Secure tweeted. “The Java exploit only opened the door. What walked in?”
@nickbilton Facebook developers use MACS. Why is nobody asking what the payload is? The Java exploit only opened the door. What walked in?
— Sean Sullivan (@5ean5ullivan) February 15, 2013
Social networks are a prime target for hackers, who look to use people’s personal data and particularly their social connections in what are known as “spearphishing” attacks. In this type of attack, a victim is sent an e-mail, ostensibly from someone they know on Facebook or other social networking site, containing a malicious link or attachment. Once the link is clicked or attachment opened, attackers take control of a user’s computer. If the infected computer is inside a company’s system, the attackers are able to gain a foothold. In many cases, they then extract passwords and gain access to sensitive data.
In an article published Monday evening, The New York Times reported that one group of Chinese cyberattackers, which has been tied to a specific military unit of China’s People’s Liberation Army, leveraged the social connections of its targets to send malicious e-mails that eventually allowed them to compromise thousands of organizations, ranging from Coca-Cola to the International Olympic Committee.
Hackers have been attacking organizations inside the United States at an alarming rate. The number of attacks reported by government agencies last year topped 48,500 — a ninefold jump from the 5,500 attacks reported in 2006, according to the Government Accountability Office.