Norwegian browser maker Opera Software has confirmed that a targeted internal network infrastructure attack led to the theft of a code signing certificate that was used to sign malware.
The company did not provide specifics of the breach or provide any details on the subsequent malware attacks that took advantage of Opera’s update service.
“The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,” Opera warned in a brief advisory.
The breach, which was discovered on June 19, 2013, was described as a targeted attack with limited impact.
“Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments,” Opera said.
However, Opera warned that it was possible that thousands of Windows users who were using the browser between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software.
Related Podcast: CSO Brad Arkin on Defending the Vault at Adobe
Opera plans to roll out a new version of its flagship browser which will use a new code signing certificate. There was no immediate word on when the new version will be released.
Falguni Bhuta, Sr. Communications Manager from Opera Software, told SecurityWeek that due to the ongoing investigation, they cannot talk about the incident in more detail.
“At the moment, we cannot go into details, as the matter has been reported to the authorities and is under investigation,” Bhuta said in an email to SecurityWeek. “This seems to be the result of a significant, targeted attack from sophisticated hackers, similar to the attacks towards other big web companies over the last year.”
The Opera breach signals a growing shift by organized hacking groups to target the internal infrastructure network at big companies that provide client side software to millions of end users.
It closely resembles the September 2012 attack at Adobe where a build server with access to the Adobe code signing infrastructure was compromised by what was described as “sophisticated threat actors.”
Stolen digital certificates are typically used in targeted attacks to sign malicious files for privilege escalation and lateral movement within an environment following an initial machine compromise.
In a recent SecurityWeek podcast, Brad Arkin, who was recently named as Adobe’s first Chief Security Officer (CSO), discussed a recent trend where attackers have shifted to targeting company infrastructure and operations, such as code-signing infrastructure, rather than attacking the software itself.
“We’ve gotten to the point where its hard enough to attack our software, that it’s now more attractive for bad guys to attack the engineering infrastructure that we use to build and operate our services and our code than it is to attack the services directly,” Arkin said.
Related Podcast: CSO Brad Arkin on Defending the Vault at Adobe
*Updated at 4:15PM ET to include response from Opera Software

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- OpenSSL Ships Patch for High-Severity Flaws
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities
- Gem Security Gets $11 Million Seed Investment for Cloud Incident Response Platform
- Ransomware Leads to Nantucket Public Schools Shutdown
- Sentra Raises $30 Million for DSPM Technology
- Saviynt Raises $205M; Founder Rejoins as CEO
- OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings
Latest News
- Germany Appoints Central Bank IT Chief to Head Cybersecurity
- OpenSSL Ships Patch for High-Severity Flaws
- Software Supply Chain Security Firm Lineaje Raises $7 Million
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Vulnerability Provided Access to Toyota Supplier Management Network
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- Linux Variant of Cl0p Ransomware Emerges
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
