The curious case of a reconnaissance campaign targeting ministry and embassy sites
Forcepoint Security Labs™ came across a malicious reconnaissance campaign that targets websites. It is unknown what is the intent behind the campaign as of this writing, however, the profile of the targets resembles those that are common targets of Advanced Persistent Threat (APT) actors. As the attack is currently active, it effectively turns compromised sites into attack surfaces against their visitors.
Furthermore, the injections resemble those used by the Turla group, such as those previously documented by Swiss GovCERT last year. In this post, we will share our findings on this campaign's targets and injected code as well as provide insights to its timeline.
The majority if the targeted sites were ministry and embassy sites although sites with different profiles were also compromised. Below is a list of the affected sites we have observed:
- Foreign affairs ministries of Kyrgyzstan, Moldova and Uzbekistan
- Embassy sites of Iraq, Jordan, Zambia and Russia
- A political party in Austria
- A government-run, sustainability site in Austria
- A sports association in Austria
- A Somalian news site
- A socialist organization in Spain
- An international cooperation organization based in France
- An African union site
- A road safety site from Ukraine
- An African plant society
Interestingly, all of the targeted embassy sites were embassies located in Washington, D.C., United States. Forcepoint has notified the administrators of the sites that were confirmed to be compromised.
Target websites were compromised with a code that looks like a web analytics script from the web analytics service, Clicky. A snippet of the injected code is as follows:
As reported by the Swiss GovCERT, the Turla group is known to use Google Analytics scripts to disguise their malicious code on compromised websites. They then evaluate compromised sites' visitors, through fingerprinting and an IP target list, before a malicious payload is served. These techniques are strikingly similar to this campaign wherein the injected codes are disguised as a Clicky web analytics script. In addition, the above HTTP response suggests that it is simply used to cover the malicious activity to visitors outside the attackers' interest.
The actors behind the campaign actively manages the injected scripts. For instance, we have seen them comment out their injected script in a particular site for a certain period and then reactivate it again. Injected scripts are also updated with new malicious sites.
The campaign dates as far back as December 2015 when the first malicious domain used for the landing page, nbcpost[.]com, was registered. In November 2016, compromised sites were then updated with new landing sites using the domains epsoncorp[.]com and mentalhealthcheck[.]net - both were registered in February 2016. Just this week, they updated their landing page yet again under a new domain, travelclothes[.]org, which was registered on November 2016.
Meanwhile, the earliest compromise we have seen is April 2016 and the majority of the affected sites we have observed appears to have been compromised at that time. Some sites were compromised for a brief period, while some remained compromised for as long as 10 months.
Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:
Stage 2 (Lure) - The injected code on the compromised site is detected and the site is blocked.
This post describes a reconnaissance campaign that actively obtains foothold on government and private websites. The tactics and the targeting of this campaign overlaps with those of the Turla group. However, no conclusive evidence is available to confirm a relationship between the two and the motive behind this campaign is yet to be uncovered. It is recommended that website administrators review their websites for similar injections to prevent their visitors from being subject to a potential attack.
We would like to clarify that the Clicky web analytic platform is not being used for malicious purposes and is only used as a disguise for this campaign. We would also like to thank Clicky for sharing their insights during our investigation.
With additional insights from Nicholas Griffin and Sindyan Bakkal.
Indicators of Compromise
hxxp://rss.nbcpost[.]com/news/today/content.php hxxp://drivers.epsoncorp[.]com/plugin/analytics/counter.js hxxp://www.mentalhealthcheck[.]net/update/check.php hxxp://www.mentalhealthcheck[.]net/update/counter.js hxxp://static.travelclothes[.]org/main.js