Hackers using hijacked computers in Taiwan struck the website of the Nobel Peace Prize on Tuesday, exploiting a previously unknown vulnerability in the popular Firefox Web browser to place a secret backdoor on the computers of anyone who visited it.
The timing of the attack, just three weeks after the prize was awarded to imprisoned Chinese dissident Liu Xiaobo, and the use of computers in Taiwan to launch it, has led some security researchers to point the finger of suspicion at Chinese hackers.
And the use against Firefox of a rare “Zero Day” exploit - malicious code that uses a previously unknown flaw in a software package - had programmers scrambling to come up with a fix before copycat hackers get hold of it.
The Nobel site was fixed shortly after its administrators learned of the attack, said Snorre Fagerland, a virus researcher with a Norwegian computer-security firm, Norman ASA.
He added that there were a number of “puzzling” aspects to the attack, which redirected Nobel visitors to a hijacked university server in Taiwan that installed a very simple piece of malware called a Trojan - effectively, a backdoor into the computer system.
The use of the Firefox vulnerability was “very elaborate,” Mr. Fagerland said.
The Firefox Internet browser is open-source software, which means the code is available to anyone to inspect and work on. It is given to users free of charge by Mozilla, a nonprofit group of mostly volunteer programmers. Advocates of open-source software generally regard it as more secure, and Zero Day exploits against the browser are quite rare. The Register, a British computer-security trade news website, called it “the first time in recent memory attackers have exploited an unpatched vulnerability in Firefox.”
On Wednesday evening, Mozilla engineers issued a fix for the vulnerability, and an updated version of the Firefox browser.
“These releases fix a critical security issue … Thanks to Mozilla’s industry-leading open security process the fix has been created, tested, and released to users within 48 hours of first notification about the vulnerability,” the group said in a blog post.
But by contrast with the exploit, the Trojan package it delivered was “really, really basic … clumsily done,” said Mr. Fagerland. “It doesn’t hide itself very well.”
He added that it contained portions of code that seemed either badly edited or “not really finished.”
But, though simple, the backdoor was effective, allowing the hackers to get complete control of the infected computer. “You could do almost anything in there,” Mr. Fagerland explained.
Unusually, the Trojan, rather than installing automated malicious software to steal passwords, banking information or other data, was being used to allow an actual human hacker into the infected machine.
“It appears to be a manual connect,” Mr. Fagerland said, “someone is actually typing instructions” at the other end. “That is not at all common,” he said.
Marten Krakvik, of Norwegian telecommunications firm Telenor, said his firm had observed hacker activity on some infected machines.
“The attacker was issuing commands to harvest information such as [Internet] addresses, user accounts and privileges,” and was running programs that check the kind of system being used, he said.
Telenor did not have any information about the number of visitors to the site or how many of them had become infected, Mr. Krakvik said. Staff at the Nobel Institute, which runs the site, did not return phone messages seeking comment.
“There is no hard evidence” about who the attackers were, Mr. Fagerland said, but added, “When you have a Nobel Peace Prize winner from China, and China has been very critical of the award and has been at least circumstantially linked to similar attacks in the past, you can speculate.”
“It could be a student or a prank, or it could be from someone with more resources,” Mr. Fagerland said.
Others were less cautious about attributing the attack. “Personally, I’d bet the bank that this was carried out by some nationalist Chinese group as payback” for the Peace Prize, said Jason Glassberg of the computer firm Casaba Security.
• Shaun Waterman can be reached at 123@example.com.