Security Experts:

Connect with us

Hi, what are you looking for?



Chinese Hackers Suspected of Attacking Government Sites in Afghanistan

The visitors of several official Afghan government websites might have had their devices infected with malware after a threat group believed to have ties to China compromised the sites through a content delivery network (CDN), a new report has revealed.

The visitors of several official Afghan government websites might have had their devices infected with malware after a threat group believed to have ties to China compromised the sites through a content delivery network (CDN), a new report has revealed.

Chinese threat actors have often been suspected of targeting the systems of high-profile organizations in the United States. However, according to a report from threat intelligence company ThreatConnect, China-based groups appear to be targeting other countries as well.

Members of the ThreatConnect Intelligence Research Team (TCIRT) discovered that malicious actors compromised a JavaScript file hosted on, a domain used by the Afghan Ministry of Communications and IT to host content that is displayed on several websites.

By altering the content of a single JavaScript file hosted on the CDN domain, the attackers managed to deliver a malicious Java applet to numerous sites that called the compromised resource. Researchers said this was a targeted cross-site scripting (XSS) “drive-by” attack. On Monday, only Kaspersky solutions detected the Java applet as being malicious, but on Sunday the threat was not flagged by any of the antivirus engines on Virus Total.

The list of affected websites includes the Afghan Embassy in Canberra, Australia, the Ministry of Foreign Affairs, the Ministry of Education, the Ministry of Justice, the Office of Administrative Affairs and Council of Ministers, the Ministry of Commerce and Industries, the Ministry of Finance, and the Ministry of Women’s Affairs.

Researchers believe the campaign, which they have dubbed Operation Helmand, is tied to China because the compromised JavaScript file, gop-script.js, was modified on the same day and at around the same time that China’s Prime Minister Li Keqiang met Abdullah Abdullah, the Chief Executive Officer of Afghanistan, in Kazakhstan.

A similar incident was spotted this summer when the website of the embassy of Greece in Beijing was compromised just as China’s prime minister visited his Greek counterpart in Athens.

While some might argue that these were just coincidences, experts have also found links between the attack on Afghan government websites and other campaigns that have been tied to China, including Operation Poisoned Hurricane. Similarities also exist between the malware and the notorious PlugX RAT, a threat often used by Chinese advanced persistent threat (APT) actors, including against targets in Afghanistan.

“As the US and NATO reduce their troop levels in Afghanistan, China is posturing to fill the gap of influence that the west is leaving behind. With plans to facilitate multilateral peace talks with the Taliban and establish major transportation projects which aim to bolster the Afghan economy, Beijing has been eying Afghanistan as part of its broader South Asian strategy,” ThreatConnect explained in a blog post.

“By exploiting and co-opting Afghan network infrastructure that is used by multiple ministerial level websites, Chinese intelligence services would be able to widely distribute malicious payloads to a variety of global targets using Afghanistan’s government websites as a topical and trusted distribution platform, exploiting a single hidden entry point,” the security firm said. “This being a variant of a typical ‘watering-hole’ attack, the attackers will most likely infect victims outside the Afghan government who happened to be browsing any one of the CDN client systems, specifically, partner states involved in the planned troop reduction.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...