Facebook officials said they recently discovered that computers belonging to several of its engineers had been hacked using a zero-day Java attack that installed a collection of previously unseen malware. In an exclusive interview with Ars Technica, company officials said that the attack did not expose customer data, and it was contained to the laptops of a small number of Facebook engineers. But other companies that were affected by the same hacking campaign may not have been so lucky.

Facebook's internal security team worked with a third party to "sinkhole" the attackers' command server, taking over the network traffic coming into it from systems infected by its malware. They discovered traffic coming from several other companies, according to Facebook Chief Security Officer Joe Sullivan. Facebook notified those companies of the attack, and it has turned the case over to federal law enforcement. An investigation is still ongoing. While some of the affected companies were aware of an ongoing attack, others were unaware of the problem before being notified by Facebook.

The attack was discovered when a suspicious domain was detected in Facebook's Domain Name System (DNS) request logs. According to Sullivan, the requests were tracked back to the laptop of an engineer working on mobile application development projects. Forensic analysis of the files on the laptop led to the discovery of a number of other compromised systems.
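As an added illustration of the detection flow described above (not code from Facebook or from the article), the following Python script scans constructed DNS query log lines for a watchlisted domain, reports which hosts queried it and when, and then pivots from one confirmed-bad domain to every other host that resolved it. The log format, hostnames, IPs and domain names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the article); assumed format:
# "<timestamp> <client_ip> <hostname> <queried_domain>"
SAMPLE_DNS_LOG = """\
2013-01-14T09:12:03Z 10.1.4.21 eng-laptop-07 www.example.com
2013-01-14T09:12:09Z 10.1.4.21 eng-laptop-07 c2.suspicious-example.test
2013-01-14T09:15:44Z 10.1.4.33 eng-laptop-12 cdn.example.net
2013-01-14T10:02:17Z 10.1.7.05 build-server-02 c2.suspicious-example.test
2013-01-14T10:03:00Z 10.1.4.33 eng-laptop-12 update.suspicious-example.test
"""

# Placeholder watchlist of domains treated as suspicious (constructed).
WATCHLIST = {"suspicious-example.test"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_dns_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, host, domain = m.groups()
            records.append({"ts": ts, "ip": ip, "host": host, "domain": domain.lower().rstrip(".")})
    return records

def is_watchlisted(domain, watchlist=WATCHLIST):
    """True if domain equals or is a subdomain of a watchlisted domain (no substring matches)."""
    return any(domain == w or domain.endswith("." + w) for w in watchlist)

def find_suspicious_hosts(records, watchlist=WATCHLIST):
    """Map each host that queried a watchlisted domain to the domains seen and first-seen time."""
    hits = defaultdict(lambda: {"domains": set(), "first_seen": None})
    for r in records:
        if is_watchlisted(r["domain"], watchlist):
            h = hits[r["host"]]
            h["domains"].add(r["domain"])
            if h["first_seen"] is None or r["ts"] < h["first_seen"]:
                h["first_seen"] = r["ts"]
    return dict(hits)

def pivot_on_domain(records, domain):
    """Given one confirmed-bad domain, list every host that resolved it (the pivot step)."""
    return sorted({r["host"] for r in records if r["domain"] == domain})

if __name__ == "__main__":
    print(find_suspicious_hosts(parse_dns_log(SAMPLE_DNS_LOG)))
```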

The patterns of the attack, which appear eerily similar to the Facebook war-game drills Ars recently chronicled, don't appear to be related to any previous attacks on Facebook or other organizations. "This looked like a new campaign that wasn't linked to previous Advanced Persistent Threat activities," Sullivan told Ars.

But the attack occurred within the same timeframe as the hack that exposed cryptographically hashed passwords at Twitter. While Twitter didn't disclose the nature of the attack that caused that breach, Twitter's director of information security, Bob Lord, did reference Java browser plugin exploits in his blog post about the hack, and he urged people to disable Java in their browsers.

Lurking at the watering hole

Rather than using typical targeted approaches like "spear phishing" with e-mails to individuals, the attackers used a "watering hole" attack—compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors.

"The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."

Through forensic analysis, Facebook was able to identify the exploit and report it to Oracle. (Oracle had previously documented the flaw, but the company expedited the release of a patch when it learned an exploit of the problem was "in the wild.")

The exploit was used to download a collection of malware to victims' computers—a mix of tools that ran on both Windows and Apple computers. Facebook's security team has a dedicated malware researcher, Sullivan said, who was able to identify the malware. After analyzing it, the Facebook security team shared signature and forensic data from the malware with law enforcement and other companies.

Antivirus software was unable to detect the malware because "it was novel," said Sullivan. "The fact that the machines were patched didn't slow down the attackers."

An analysis of the activity of the malware showed that "they were trying to move laterally into our production environment," Sullivan said. The attackers gained "some limited visibility" into production systems, but a forensic review found no evidence that data was exfiltrated from that. However, some of the information on the laptops themselves—"what you typically find on an engineer's laptop," Sullivan said—was harvested by the hackers, including corporate data, e-mail, and some software code.

This is not a drill

The exploit that was used to attack Facebook is just the latest in a long string of well-publicized security issues related to Java browser plugins. Facebook had begun work to reduce its exposure to Java exploits even before this attack was discovered. "We had already started an initiative to reduce our dependence on products that require Java plugins," Sullivan said. "But it's hard to do, because there are so many enterprise applications that require it."

But while disabling Java would block already existing attacks, Sullivan added, it wouldn't eliminate the risk of future threats. "If it wasn't a Java plugin vulnerability, it could have been another," he said.

Sullivan pointed to the ongoing security drills that Facebook conducts (as recently reported by Ars' Dan Goodin) as being key to the company's ability to quickly detect and respond to the attack. "The fact that we do those drills and have people trained to deal with these situations meant we were able to work really quickly to get the problem resolved," he said. "People stayed cool under fire. To me, that felt like a good kind of response to a bad situation."