The Washington PostDemocracy Dies in Darkness

Forbes Web site was compromised by Chinese cyberespionage group, researchers say

The "Thought of the Day" feature researchers say was compromised by Chinese hackers. (
Placeholder while article actions load

Chinese hackers hijacked and used the site as part of an attack on the U.S. defense and financial industry, according to cybersecurity researchers at iSIGHT Partners and Invincea.

For three days late last year, the news site's “Thought of the Day” widget, which appears when readers visit the site, was compromised — seamlessly redirecting visitors from certain organizations to another site where their computers could be infected with malware without their knowledge.

Researches have linked similar malware controlled by the same server used in the Forbes attack to breaches of Web sites frequented by domestic Chinese dissident groups.

Forbes acknowledged the incident. "On December 1, 2014, Forbes discovered that on November 28, 2014, a file had been modified on a system related to the Forbes web site," the outlet said in a statement to The Post. "The file was immediately reverted and an investigation by Forbes into the incident began. Forbes took immediate actions to remediate the incident." The news outlet's investigation found "no indication of additional or ongoing compromise nor any evidence of data exfiltration," according to the statement.

The hack comes amid growing concerns that even the most trusted sites can be used by hackers aimed at infiltrating sensitive industries. The White House is creating a new agency focused on coordinating the government's response to the deepening threat from cyberattacks, according to a Washington Post report Thursday.

Using was "fairly brazen" and a shrewd move, Steve Ward,  senior director at iSIGHT Partners, told the the Post in an interview. "It's a trusted place that all of the employees in a targeted organization are going to be allowed to go to," he explained. "It's not going to be blocked from inside. "

"It's sort of a compliment to Forbes, but kind of a backhanded compliment," said James A. Lewis, a senior fellow at the Center for Strategic and International Studies. "They thought 'interesting people go to Forbes, and that Forbes is a site we can get into,'" he explained. 

The attack worked by leveraging two undisclosed coding flaws — typically called "zero day" vulnerabilities. The first was a problem with Adobe Flash, which the company patched December 9th, and the second was an Internet Explorer flaw, which Microsoft released a fix for on Tuesday. The Internet Explorer flaw was deployed by the attackers when the the Flash flaw alone was not enough to compromise targeted visitors' systems.

The hack redirected some of the site's visitors to a malicious site where their computers were silently attacked by malware. The researchers said they believe the malware was only used to infect a select group of targets, despite the broad audience of, which is ranked among the top 200 most visited sites globally by Alexa. The researchers said they confirmed the attack targeted at least some companies within the defense and financial services industries although it's possible its reach was larger.

Invincea, a cybersecurity monitoring company, said that they determined in late November that one of their defense industry clients had been targeted by the attack. They were able to stop the malware from spreading inside the client's network and collected forensic data that helped it determine the origin of the attack, company officials said.

The researchers attributed the hack to a cyberespionage group called Team Codoso, also known as the Sunshop Group, which has a long history of similar "watering hole" style attacks. Researchers at FireEye linked the group to attacks affecting multiple Korean military and strategy think tanks and a Uighur news and discussion site, among others, in 2013.

"When you talk to the Chinese, they tell you the U.S. is priority number two," said Lewis. "Priority number one is domestic political stability, so that's where they focus the bulk of their efforts."

Chinese groups have been blamed for a widespread cyberespionage campaign against the U.S. government and American businesses reaching back several years. The recent breach at health-insurer Anthem is suspected to be linked to Chinese hackers.

Nearly every major news outlet, including the Washington Post and the New York Times, have reported that they were victims of attacks suspected to be carried out by Chinese hackers — but the Forbes attack shows that security vulnerabilities at outlets can also put readers at risk.