Since the hijacked PC returns to a non-compromised state after a reboot, the hackers had to be prepared, with someone ready to jump in and begin searching for information to steal. "It's not automated," said Kindlund of the data-stealing process. "A human has to drive the RAT [remote access tool] to exfiltrate data or move laterally through the network [to look for data]."
The data thieves had to work fast, again because a PC restart would erase the memory-resident malware. The attack window was opened early in the workday, local time, to maximize the time the hackers had: most users don't reboot their computers during the workday and, if they turn them off at all, do so only at the end of the day.
Kindlund speculated that the hackers chose the memory-resident attack technique to safeguard the zero-day vulnerability they exploited, a tactic that, in this case at least, didn't work.
"They were willing to accept the trade-off [of potentially losing the PC compromise] because they did not want this zero-day vulnerability to be discovered this easily," Kindlund said. "If they were going to employ it, they wanted to be cautious ... the more times they used it, the more likely that it would be discovered and patched."
In a post on the FireEye blog on Sunday, four researchers spilled details of the attack code. They also noted a possible link, via the malware's command-and-control infrastructure, to a hacking campaign from August 2013 that the security vendor had dubbed "Operation DeputyDog."
DeputyDog in turn had been connected to the hackers who in February infiltrated the corporate network of Bit9, a Waltham, Mass., security vendor, issued themselves valid code-signing certificates and then used those certificates to sign malware that infected the networks of several Bit9 customers.
On Monday, however, Kindlund was hesitant to claim that the same group responsible for DeputyDog and the Bit9 breach was also behind the latest attacks. "We like to take a cautious stance before linking an attack to a group. We want at least three linkages, but so far we have only one [to DeputyDog]," said Kindlund. "It's a significant finding, but the link could mean it's the same threat actor or that two different threat actors are using the same command-and-control infrastructure."
Kindlund defended FireEye's decision to publicly reveal the zero-day and even some of the technical details of the attack campaign. Microsoft prefers that researchers not do so before a problem has been patched.
"We had to make a trade-off between the interests of Microsoft with the interests of the general public, who needed to be aware that targeted attacks using this vulnerability were in the wild," Kindlund said.