Cyber Incident Victim: Lenovo
Date: Feb 2015
Location: United States of America
Summary
Attackers compromised the company's domain registrar account, hijacking its primary domain to redirect web and email traffic to malicious servers under their control. This allowed interception of employee communications and impersonation of web pages, with fraudulent MX records enabling email access until a third-party security provider intervened to restore services. The incident occurred amid criticism over preinstalled adware that undermined HTTPS security, and the attackers displayed protest imagery linking to critical social media content. Law enforcement attention was anticipated due to the severity of the domain takeover and potential data exposure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In late February 2015, attackers gained control of Lenovo's primary domain (Lenovo.com) by compromising an account at the domain registrar Web Commerce Communications. The attackers altered the domain's DNS records, redirecting web and email traffic to servers under their control instead of Lenovo's legitimate infrastructure. This hijacking occurred approximately one week after public disclosures revealed that Lenovo had preinstalled Superfish adware on consumer laptops, software that compromised HTTPS security by enabling unauthorized ad injection and facilitating website spoofing. CloudFlare security researcher Marc Rogers identified the breach within minutes of its occurrence, noting that the attackers had modified the domain's MX (mail exchange) records to intercept email sent to Lenovo employees. CloudFlare seized control of the fraudulent account hosted on its infrastructure, removed the malicious DNS entries, and collaborated with Lenovo to restore services. Because the hijack operated at the DNS level, it bypassed Lenovo's servers entirely, directing users to attacker-controlled systems without any visible warning.

During the attack, visitors to Lenovo.com encountered a slideshow featuring images of a young woman in a bedroom, which linked to a Twitter account (@LizardCircle) criticizing Lenovo's Superfish practices. The compromised domain enabled attackers to spoof any Lenovo.com email address and access inbound corporate communications until CloudFlare intervened. Lenovo confirmed the cyber attack in a revised public statement, acknowledging website redirection and partial service disruptions while emphasizing ongoing restoration efforts. The company initiated internal security reviews and third-party collaborations to investigate the incident's full scope, including potential data integrity risks. Law enforcement attention was anticipated due to email interception capabilities. CloudFlare's infrastructure involvement provided potential forensic advantages for identifying the attackers, though no attribution details were disclosed in immediate reports. Lenovo's public communications expressed regret for user inconvenience but did not specify operational or financial impacts beyond temporary website and email system outages.
