DOL’s “nuclear-related” web pages sent out a “Watering Hole” attack in April 2013. In a “Watering Hole” attack, the bad guys target a specific group of people and set malware traps on web pages that the group is likely to visit. So when visitors went to DOL’s nuclear pages, they received malware from the rogue Internet domain “dol.ns01.us.”

This was all openly discussed in computer security circles back in 2013, on a Cisco Systems blog, which has details that someone at Borepatch's level could understand, but I don't.
It's a truism that we should "never attribute to malice that which can be explained by stupidity", and it may be stupidity that's going on here. May be. To borrow a key phrase (I think!) from the Cisco coverage,
An nmap TCP connection scan of the IP indicates a Windows box; it is interesting that the MSRPC service is not being firewalled. MSRPC is a very rich attack surface on unpatched/unmaintained machines. It is possible that this could be a compromised machine.

Which means that DOL may have just been idiots about handling their computers, and the group that put it on their computer is someone else. Why? Again, Cisco:
AlienVault has reported that the web page hosting the exploit contained advanced reconnaissance techniques designed to gather information about the targeted systems which visited the page. This included antivirus and various browser plug-in information. This information will likely be used to facilitate and ensure the success of future attacks. Despite initial reports, CrowdStrike has not yet come to the conclusion that the command and control is related to DeepPanda. If it is, this could mean this is part of an advanced exploit kit.

The code name DeepPanda is used for a so-called “known Chinese actor”, and they're saying they hadn't concluded it was DeepPanda. Checking the CrowdStrike page tonight shows no updates since 3 May 2013. What if it was? Does that mean the Chinese are interested in who is looking at the US Department of Labor computers?
I think it's the nature of this sort of report that we may never know. The malicious domain that dropped the malware payload, dol.ns01.us, may look official, but in reality it belongs to a company named changeip.org. Changeip.org offers “Free Dynamic DNS” among other services. Essentially, a changeip.org customer pays for a base domain name, then if the third-level name is available, it’s included for free. The "burner cellphone" of cyber attackers?
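As an added example (not from the post, Cisco or CrowdStrike): a small Python scanner that reads constructed resolver log lines and flags names that put an organisation-looking label such as “dol” directly under a free dynamic-DNS base domain like ns01.us. The base-domain list, the watchlist and the log format are assumptions a defender would maintain for their own environment.

```python
import re

# Constructed list of base domains under which a dynamic-DNS provider hands out
# free third-level names. ns01.us is the one named in the post; a real deployment
# would load the provider's full published list (assumption, not from the post).
DYNAMIC_DNS_BASES = {"ns01.us"}

# Constructed watchlist of short labels that, put in front of a free base domain,
# make a hostname look official (the "dol" in dol.ns01.us).
BRAND_LABELS = {"dol", "dhs", "energy"}

# Constructed log format, not any particular resolver's:
# "<epoch> <client-ip> query <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+)$")

def split_dyndns(qname):
    """Return (label left of the base, base) when qname is a name under a known
    dynamic-DNS base domain, else None."""
    name = qname.rstrip(".").lower()
    for base in DYNAMIC_DNS_BASES:
        if name.endswith("." + base):
            labels = name[: -len(base) - 1].split(".")
            return labels[-1], base  # the label that carries the brand
    return None

def scan_dns_log(lines):
    """Return (ts, client, qname, label, base) for every query whose name puts a
    watchlisted label under a free dynamic-DNS base."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or non-query line
        hit = split_dyndns(m["qname"])
        if hit and hit[0] in BRAND_LABELS:
            findings.append((int(m["ts"]), m["client"], m["qname"], hit[0], hit[1]))
    return findings

# Constructed sample resolver log: one lookalike hit among ordinary traffic.
SAMPLE_LOG = """\
1367000001 10.1.2.3 query www.dol.gov A
1367000002 10.1.2.3 query dol.ns01.us A
1367000003 10.1.2.9 query mybox.ns01.us A
1367000004 10.1.2.5 query cdn.example.net AAAA
"""

if __name__ == "__main__":
    for ts, client, qname, label, base in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} -> {qname}: '{label}' under free base {base}")
```

The flagged client is the one worth checking for the browser and plug-in fingerprinting the AlienVault note describes, since a lookup of the lookalike name is the first sign that the trap page was reached.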