State-Sponsored Attackers Use Web Analytics for Reconnaissance

A threat group believed to be sponsored by a nation state has compromised over 100 websites in an effort to track and profile potential targets, FireEye reported on Monday.

The reconnaissance campaign, which FireEye has been tracking since last year, is similar to, and possibly related to, the activities of the Russia-linked advanced persistent threat (APT) group known as Waterbug (Symantec) and Turla (Kaspersky Lab). The actor is mainly known for its operations involving malware toolkits such as Turla (Snake/Uroburos) and Epic Turla (Wipbot/Tavdig).

Web analytics allows advertisers and other organizations to measure web traffic and determine the most efficient ways of reaching the targeted audience. However, the same tools and techniques can also be leveraged by malicious actors.

According to FireEye, attackers have used web analytics and open source tools to collect data about potential victims and their devices, information they can use to track and profile targets and possibly infect them with malware.

The group monitored by the security firm has hijacked more than 100 carefully selected websites in what is referred to as a strategic web compromise. On these websites, the malicious hackers injected a small piece of code that silently redirects visitors to a second compromised website that hosts a profiling script.

The script, dubbed “WITCHCOVEN” by FireEye, collects information about the victim’s computer and browser configuration and deploys a persistent tracking cookie, also known as a “supercookie,” on their device.
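The injection pattern described above (a small off-origin include added to a legitimate page) is something site owners can scan for. The following is an added defender-side example, not code from the article or from FireEye; the hostnames in the sample page are constructed placeholders and `allowed_hosts` is an assumed allowlist of third parties the site legitimately uses.

```python
# Added example: flag <script>/<iframe> includes and meta-refresh redirects that
# load from a host other than the site's own or an allowlisted third party.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IncludeFinder(HTMLParser):
    """Collect src targets of <script>/<iframe> and <meta http-equiv=refresh> URLs."""

    def __init__(self):
        super().__init__()
        self.includes = []  # (tag, url, hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            self.includes.append((tag, a["src"], hidden))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():  # e.g. "0; url=https://host/page"
                self.includes.append(("meta-refresh", content.split("=", 1)[1].strip(), False))


def find_off_origin_includes(html, site_host, allowed_hosts=()):
    """Return includes whose host is neither the site itself nor allowlisted.
    Relative URLs are same-origin and are skipped."""
    finder = _IncludeFinder()
    finder.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for tag, url, hidden in finder.includes:
        host = urlparse(url).hostname
        if host is not None and host.lower() not in trusted:
            findings.append({"tag": tag, "host": host, "hidden": hidden})
    return findings


# Constructed sample page: one self-hosted script, one allowlisted analytics
# script, and an injected zero-size iframe pulling a second (placeholder) host.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://analytics.example-cdn.test/a.js"></script>
</head><body>
<iframe src="https://profiling.example-second-host.test/p.html"
        width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_off_origin_includes(SAMPLE_HTML, "www.example-site.test",
                                      allowed_hosts=["analytics.example-cdn.test"]):
        print(f)  # the hidden iframe is the only finding
```

A hidden, off-origin include that was not deployed by the site's own developers is the signal to investigate; comparing each scan against the previously known-good set of includes makes newly injected ones stand out.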

“We believe the actors analyze the collected data to identify unique users and pair them with information about their computer to later deploy exploits tailored to their particular software and computer configuration,” FireEye said in its report.

For example, if the attackers determine that a targeted user is running outdated software with known serious vulnerabilities, they can compromise the machine with publicly available exploits, without having to expose any zero-days. Zero-day exploits are likely reserved for a limited number of victims whose computers are fully patched, FireEye explained.

FireEye says this tactic has been used in targeted operations by other APT groups, including the Chinese actor APT3 in Operation Clandestine Wolf, and the Russian group APT28 in Operation Russian Doll.

The data collected by the threat group can also be used to craft convincing spear-phishing emails, to build user profiles that can be leveraged for traditional espionage, and to compile a database of potential targets, the security firm said.

FireEye has determined that the more than 100 compromised websites are likely to be visited by people interested in international travel, diplomacy, international economics, energy production and policy, and government matters. The list of targets includes government, embassy, higher education and research, entertainment and culture, NGO, international law, media, consumer goods and retail, energy, construction and engineering, visa services, and high tech websites in tens of countries across the world.

Of particular interest appear to be executives, military personnel, government officials, and diplomats from Europe and the United States.

FireEye customers in sectors such as education, government, financial services, energy and utilities, legal, healthcare, entertainment, media, hospitality, manufacturing, services and consulting, and high tech have reported seeing WITCHCOVEN infections.

The security firm believes the reconnaissance campaign is sponsored by a nation state based on the profile of the targeted entities, the scale of the activity and the scope of the operation, and the lack of obvious exploit or malware delivery. The latter indicates that the attackers want to limit exposure of their tools, most likely because they are running a long-term operation with specific intelligence requirements.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
