Mystery Hackers Are ‘Hyperjacking’ Targets for Insidious Spying

"While there is no VMware vulnerability involved, we are highlighting the need for strong operational security practices that include securecredential management and network security." The company pointed to a guide to strengthen the setup of VMware against this type of hacking, as well as better measures to make sure that the software is not tampered with.

Security researchers theorize that hyperjacking can be used to spy on or manipulate victims using virtualization software. In a paper that year, Microsoft and University of Michigan researchers described the potential for hackers to install a malicious hypervisor on a target machine that puts the victim inside a virtual machine without the victim's knowledge. Everything on the target machine would be under the control of the hacker if they were able to control that malicious hypervisor. The researcher dubbed her own version of the technique a Blue Pill attack since it trapped the victim in a seamless environment without their knowledge.

A well-known cybersecurity researcher who gave a talk at the Black Hat security conference in the summer of 2006 argues that what Mandiant observed isn't the same as the Blue Pill. In those theoretical attacks, a hacker makes a new hypervisor without the victim's knowledge, while in the cases Mandiant discovered, the spies hijacked existing ones. He points out that this is an easy and effective technique that he has been expecting for a long time. Dai Zovi has always thought it was possible. Full access to any of the virtual machines running on that hypervisor is given by that position.

Two to five virtual machines can run on any physical computer, and there are often thousands of virtual machines on an organization's network. Dai Zovi said that there was a lot of scale and leverage. It's a good return for an attacker.

In its writeup of the hacking campaign, Mandiant suggests that attackers may be turning to hyperjacking as part of a larger trend of compromising network elements that have less rigorous monitoring tools. It's surprising that the technique hasn't been put to malicious use earlier

Mandiant's Marvi says that people always raise their eyebrows when they first hear about the technology. It has happened.