Virtual machines, several of which can run on a single physical machine, have for decades offered a way to use computing hardware far more efficiently. For almost as long, security researchers have warned about the potential dark side of that technology: theoretical "hyperjacking" and "Blue Pill" attacks, in which hackers hijack the virtualization layer itself to spy on and manipulate the virtual machines it hosts, with possibly no way for a targeted machine to detect the intrusion. Now there is a warning that one mysterious team of hackers has carried out a spree of such attacks in the wild.
A hacker group has been installing malicious software on the hypervisors in multiple targets' networks as part of an espionage campaign. By planting their own code in the hypervisor, the hackers were able to watch, and run commands on, the virtual machines it oversaw. Because the malicious code targets the hypervisor on the physical machine rather than the victim's virtual machines, the technique both expands the hackers' access and evades traditional security measures, which run inside those virtual machines and monitor them for signs of foul play.
The security firm Mandiant discovered the hackers and has disclosed its findings. The group has carried out its virtualization hacking in fewer than 10 victims' networks across North America and Asia. According to Mandiant, the hackers appear to be tied to China. The company says that assessment is based on an analysis of the group's victims and on similarities between the group's code and software already known to researchers.