The visitors of several official Afghan government websites might have had their devices infected with malware after a threat group believed to have ties to China compromised the sites through a content delivery network (CDN), a new report has revealed.
Chinese threat actors have often been suspected of targeting the systems of high-profile organizations in the United States. However, according to a report from threat intelligence company ThreatConnect, China-based groups appear to be targeting other countries as well.
Members of the ThreatConnect Intelligence Research Team (TCIRT) discovered that malicious actors compromised a JavaScript file hosted on cdn.afghanistan.af, a domain used by the Afghan Ministry of Communications and IT to host content that is displayed on several .gov.af websites.
By altering the content of a single JavaScript file hosted on the CDN domain, the attackers managed to deliver a malicious Java applet to numerous sites that called the compromised resource. Researchers said this was a targeted cross-site scripting (XSS) “drive-by” attack. On Monday, only Kaspersky solutions detected the Java applet as being malicious, but on Sunday the threat was not flagged by any of the antivirus engines on Virus Total.
The list of affected websites includes the Afghan Embassy in Canberra, Australia, the Ministry of Foreign Affairs, the Ministry of Education, the Ministry of Justice, the Office of Administrative Affairs and Council of Ministers, the Ministry of Commerce and Industries, the Ministry of Finance, and the Ministry of Women’s Affairs.
Researchers believe the campaign, which they have dubbed Operation Helmand, is tied to China because the compromised JavaScript file, gop-script.js, was modified on the same day and at around the same time that China’s Prime Minister Li Keqiang met Abdullah Abdullah, the Chief Executive Officer of Afghanistan, in Kazakhstan.
A similar incident was spotted this summer when the website of the embassy of Greece in Beijing was compromised just as China’s prime minister visited his Greek counterpart in Athens.
While some might argue that these were just coincidences, experts have also found links between the attack on Afghan government websites and other campaigns that have been tied to China, including Operation Poisoned Hurricane. Similarities also exist between the malware and the notorious PlugX RAT, a threat often used by Chinese advanced persistent threat (APT) actors, including against targets in Afghanistan.
“As the US and NATO reduce their troop levels in Afghanistan, China is posturing to fill the gap of influence that the west is leaving behind. With plans to facilitate multilateral peace talks with the Taliban and establish major transportation projects which aim to bolster the Afghan economy, Beijing has been eying Afghanistan as part of its broader South Asian strategy,” ThreatConnect explained in a blog post.
“By exploiting and co-opting Afghan network infrastructure that is used by multiple ministerial level websites, Chinese intelligence services would be able to widely distribute malicious payloads to a variety of global targets using Afghanistan’s government websites as a topical and trusted distribution platform, exploiting a single hidden entry point,” the security firm said. “This being a variant of a typical ‘watering-hole’ attack, the attackers will most likely infect victims outside the Afghan government who happened to be browsing any one of the CDN client systems, specifically, partner states involved in the planned troop reduction.”