Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Espionage Campaign Targets Foreign Policy Domains

In an apparent act of cyber espionage, as the acts are being called by Shadowserver researchers Steven Adair and Ned Moran, persons unknown have staged a series of strategic web compromises in order to spread malware. The attackers hijacked several websites related to matters of government and foreign policy, and used them to deliver malicious payloads to visitors by leveraging unpatched software flaws.

In an apparent act of cyber espionage, as the acts are being called by Shadowserver researchers Steven Adair and Ned Moran, persons unknown have staged a series of strategic web compromises in order to spread malware. The attackers hijacked several websites related to matters of government and foreign policy, and used them to deliver malicious payloads to visitors by leveraging unpatched software flaws.

“The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in,” the researchers explained.

Cyber EspionageWithin the last two weeks, the Shadowserver researchers have observed various compromised domains serving malware by leveraging two recently patched vulnerabilities in Adobe Flash and Java. In the case of the Java exploit that was observed being used by the as yet unknown attackers, the payloads will target both Windows and Mac OS X.

In fact, several otherwise legitimate foreign policy domains remain compromised. As of May 14, the Center for Defense Information, Amnesty International Hong Kong, and the Cambodian Ministry of Foreign Affairs, are compromised and serving malicious scripts, the researchers said.

While examining the compromise of the Center for Defense Information’s website, the researchers noted that the primary website hosting the Flash exploit has an IP address that is tied to Gannet Company, Inc. – publishers of USA Today, though the main USAT and Gannet websites remain harmless.

The group responsible for these attacks have hit other domains as well, including the International Institute of Counter-Terrorism at the Interdisciplinary Center (IDC) in Herzliya, Israel, and the International Service for Human Rights (ISHR). In each case, the malware ultimately delivered – a RAT (Remote Access Trojan) named Poison Ivy – means that the attacks fall under the term APT, or Advanced Persistent Threat.

Cyber Espionage attacks are not a fabricated issue and are not going away any time soon, the researchers warn. The attackers are clearly not out to make friends, they are out to steal and likely sell stolen information, and take whatever else they can get as a bonus.

Advertisement. Scroll to continue reading.

In the case of targeted attacks against humanitarian organizations, the costs of an attack can go much higher than lost data. Stolen information could translate to physical harm, depending on what is taken and where it ends up.

“The cold reality is that, in addition to APTs, most organizations aren’t protected from even the most basic of scripted attacks or common attack tools,” said Dave Marcus, director of advanced research & threat intelligence at McAfee Labs.

Shadowserver’s research can be found here.

Written By

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.