A hack attack that targeted Google in December also hit 33 other companies, including financial institutions and defense contractors, and was aimed at stealing source code from the companies, say security researchers at iDefense.

The hackers used a zero-day vulnerability in Adobe Reader to deliver malware to many of the companies and were in some cases successful at siphoning the source code they sought, according to a statement distributed Tuesday by iDefense, a division of VeriSign. The attack was similar to one that targeted other companies last July, the company said.

A spokeswoman for iDefense wouldn't name any of the other companies that were targeted in the recent attack, except Adobe.

Adobe acknowledged Tuesday in a blog post that it discovered Jan. 2 that it had been the target of a "sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies."

The company didn't say whether it was a victim of the same attack that struck Google. But Adobe's announcement came just minutes after Google revealed that it had been the target of a "highly sophisticated" hack attack originating in China in December.

Neither Google nor Adobe provided details about how the hacks occurred. Google said only that the hackers were able to steal unspecified intellectual property from it, and that they had focused their attack on obtaining access to the Gmail accounts of human rights activists who were involved in China rights issues.

But according to iDefense, whose customers include some of the 33 companies that were hacked, the attacks were well targeted and "unusually sophisticated" and aimed at grabbing source code from several hi-tech companies based in Silicon Valley as well as financial institutions and defense contractors.

The hackers gained access to the company networks by sending targeted e-mails to employees, some of which contained a malicious PDF attachment. The malicious code exploited a zero-day vulnerability in Adobe's Reader application.

Zero-day vulnerabilities are security flaws in software for which there is currently no patch. Adobe announced in mid-December that a new zero-day vulnerability in its Reader and Acrobat programs was being actively targeted by attackers. The company made the announcement after security researchers not affiliated with Adobe discovered attacks being conducted against the vulnerability. Adobe patched the critical vulnerability only on Tuesday this week.

In the recent attack on some of the companies, once a recipient clicked on the malicious PDF attachment, a backdoor Trojan program called Trojan.Hydraq was installed on their machine in the form of a Windows DLL, according to iDefense.

iDefense says that when Google discovered malware on its systems in December, it found that the code was communicating with a server set up to receive information stolen from the targeted companies.

"It was configured in such a way that it was able to receive a massive amount of data being exfiltrated to it," says an iDefense spokeswoman who asked not to be named.

Google was able to determine, by examining the server, that the hackers had struck numerous other companies, she said. Google said in its Tuesday announcement that 20 other companies had been hacked. But iDefense found evidence that at least 33 were targeted.

The recent attacks bear a strong resemblance to another attack that occurred in July 2009, which targeted about 100 IT companies, iDefense says. In that earlier attack, the hackers also sent targeted e-mail to companies with a malicious PDF attachment, but it's unclear how successful that attack was.

According to Ryan Olson, an analyst for iDefense, the attacks in July and December targeted different vulnerabilities. The one in July affected Adobe's Reader, Acrobat and Flash applications, which it patched Jul. 30. The vulnerability the hackers are believed to have used in December also affected Reader and Acrobat.

iDefense obtained samples of the malicious code used in the July attack and the more recent one and found that although the malware was different in the two attacks, the programs both communicated with similar command-and-control servers. The servers each used the HomeLinux DynamicDNS to change their IP address, and both currently point to IP addresses belonging to a subset of addresses owned by Linode, a U.S.-based company that offers Virtual Private Server hosting.

"The IP addresses in question are ... six IP addresses apart from each other," iDefense said in its statement. "Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the [recent] Silicon Valley attacks have been compromised since July."
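To show what the infrastructure-proximity reasoning above looks like from a defender's side, here is an added Python example (it is not iDefense's analysis code, and the log format, the `.example` dynamic-DNS suffixes, the hostnames and the sample log lines are all constructed): it pulls lookups of dynamic-DNS hostnames out of DNS resolver logs and groups the answers that fall within a small address distance, the kind of proximity iDefense used to link the July and December command-and-control servers.

```python
"""Triage helper: find dynamic-DNS lookups in resolver logs and group the
answers by address proximity.  Added example, not iDefense's tooling."""
import ipaddress
import re
from typing import Dict, List, Optional

# Assumption: the dynamic-DNS suffixes to watch.  These are placeholders under
# the reserved .example TLD; a real deployment would list the actual provider
# domains (the article names HomeLinux DynamicDNS).
DYNAMIC_DNS_SUFFIXES = ("homelinux.example", "dyndns.example")

# Constructed sample resolver log lines (not real indicators).  The two
# homelinux.example answers are six addresses apart, like the article's case.
SAMPLE_LOG = """\
2010-01-05T10:02:11Z host=ws-017 query=updates.svc-a.homelinux.example answer=192.0.2.10
2010-01-05T10:07:43Z host=ws-022 query=cdn.svc-b.homelinux.example answer=192.0.2.16
2010-01-05T10:09:02Z host=ws-017 query=www.google.com answer=198.51.100.5
2010-01-05T11:15:30Z host=ws-031 query=mail.svc-c.dyndns.example answer=203.0.113.40
2010-01-05T11:16:01Z host=ws-031 query=intranet.corp.example answer=10.0.0.5
"""

# Constructed log format: timestamp, querying host, name queried, answer.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def dynamic_dns_lookups(log: str, suffixes=DYNAMIC_DNS_SUFFIXES) -> List[Dict[str, str]]:
    """Keep only lookups whose queried name ends in a watched dynamic-DNS suffix."""
    records = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name = rec["query"].lower().rstrip(".")
        if any(name == s or name.endswith("." + s) for s in suffixes):
            records.append(rec)
    return records


def cluster_by_proximity(records: List[Dict[str, str]], max_distance: int = 8) -> List[List[Dict[str, str]]]:
    """Group records whose answer addresses form a chain with gaps <= max_distance.

    Addresses are compared as integers within one IP version, so a run of
    neighbouring addresses (e.g. six apart) lands in the same cluster.
    """
    ips = sorted({ipaddress.ip_address(r["answer"]) for r in records},
                 key=lambda ip: (ip.version, int(ip)))
    groups: List[List[ipaddress._BaseAddress]] = []
    current: List[ipaddress._BaseAddress] = []
    for ip in ips:
        if current and (ip.version != current[-1].version
                        or int(ip) - int(current[-1]) > max_distance):
            groups.append(current)
            current = []
        current.append(ip)
    if current:
        groups.append(current)
    # Map each address group back to the log records that resolved to it.
    clusters = []
    for group in groups:
        members = {str(ip) for ip in group}
        clusters.append([r for r in records if r["answer"] in members])
    return clusters


def suspicious_clusters(log: str, suffixes=DYNAMIC_DNS_SUFFIXES, max_distance: int = 8):
    """Clusters where two or more distinct dynamic-DNS answers sit close together."""
    return [c for c in cluster_by_proximity(dynamic_dns_lookups(log, suffixes), max_distance)
            if len({r["answer"] for r in c}) >= 2]


if __name__ == "__main__":
    for cluster in suspicious_clusters(SAMPLE_LOG):
        print("possible shared infrastructure:")
        for rec in cluster:
            print(f"  {rec['ts']} {rec['host']} {rec['query']} -> {rec['answer']}")
```

On the sample log this flags the two `homelinux.example` names (resolved by ws-017 and ws-022) as one cluster and ignores the lone `dyndns.example` answer. Treat the output as a lead for investigation, not a verdict: the article itself shows why, since Linode's explanation was that the addresses matched because Google had taken over the VPS on Jan. 1 for its own investigation, not because the attackers shared it.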

Linode spokesman Philip Paradis says the VPS iDefense is referring to was never compromised and that the command-and-control servers were pointing to Linode IP addresses because Google itself took control of the VPS on Jan. 1 and was using it to conduct tests as part of its investigation.

Olson told Threat Level that the attackers are "incredibly good" at finding new exploits and infecting the right people but that nothing he'd seen in the malware indicated they were above average in writing malicious code.

"The sophistication here is all about the fact they were able to target the right people using a previously unknown vulnerability," he says.

The iDefense spokeswoman told Threat Level that her company waited a week to disclose details about the attack until after Google went public with the news that it had been hacked. She said it's her understanding that Google's source code was targeted in the hack attack.

Google declined to publicly discuss the details of iDefense's report.

Adobe's announcement didn't discuss specifically whether hackers had stolen its source code but said that it had "no evidence to indicate that any sensitive information – including customer, financial, employee or any other sensitive data – has been compromised" in the attack.

This post was updated with information from Olson about the malware used in the attack and to add comment from Linode. It also was updated to clarify that the Hydraq trojan and PDF exploit were used to breach some of the companies, but not all of them.
