Security Experts:

State-Sponsored Attackers Use Web Analytics for Reconnaissance

A threat group believed to be sponsored by a nation state has compromised over 100 websites in an effort to track and profile potential targets, FireEye reported on Monday.

The reconnaissance campaign, which FireEye has been tracking since last year, is similar and possibly related to the activities of the Russia-linked advanced persistent threat (APT) group identified as Waterbug (Symantec) and Turla (Kaspersky Lab). The actor is mainly known for its operations involving malware toolkits such as Turla (Snake/Uroburos) and Epic Turla (Wipbot/Tavdig).

Web analytics allows advertisers and other organizations to measure web traffic and determine the most efficient ways of reaching the targeted audience. However, the same tools and techniques can also be leveraged by malicious actors.

According to FireEye, attackers have used web analytics and open source tools to collect data about potential victims and their devices, information they can use to track and profile targets and possibly infect them with malware.

The group monitored by the security firm has hijacked more than 100 carefully selected websites in what is referred to as a strategic web compromise. On these websites, the malicious hackers injected a small piece of code that silently redirects visitors to a second compromised website that hosts a profiling script.

The script, dubbed by FireEye “WITCHCOVEN,” collects the victim’s computer and browser configuration and deploys a persistent tracking cookie, also known as a “supercookie,” on their device.

“We believe the actors analyze the collected data to identify unique users and pair them with information about their computer to later deploy exploits tailored to their particular software and computer configuration,” FireEye said in its report.

For example, if the attackers determine that the targeted user is running outdated software that is known to contain serious vulnerabilities, they can easily hack their machine using available exploits, without the need to expose zero-days. Zero-day exploits are likely used only against a limited number of victims whose computers are fully patched, FireEye explained.

FireEye says this tactic has been used in targeted operations by other APT groups, including the Chinese actor APT3 in Operation Clandestine Wolf, and the Russian group APT28 in Operation Russian Doll.

The data collected by the threat group observed by FireEye can also be useful for creating well-crafted spear phishing emails, for building a user profile that can be leveraged for traditional espionage, and creating a database of potential targets, the security firm said.

FireEye has determined that the more than 100 compromised websites are likely to be visited by people interested in international travel, diplomacy, international economics, energy production and policy, and government matters. The list of targets includes government, embassy, higher education and research, entertainment and culture, NGO, international law, media, consumer goods and retail, energy, construction and engineering, visa services, and high tech websites in tens of countries across the world.

Of particular interest appear to be executives, military personnel, government officials, and diplomats from Europe and the United States.

FireEye customers in sectors such as education, government, financial services, energy and utilities, legal, healthcare, entertainment, media, hospitality, manufacturing, services and consulting, and high tech have reported seeing WITCHCOVEN infections.

The security firm believes the reconnaissance campaign is sponsored by a nation state based on the profile of the targeted entities, the scale of the activity and the scope of the operation, and the lack of obvious exploit or malware delivery, which indicates that the attackers want to limit exposure of their tools most likely because they are running a long-term operation with specific intelligence requirements.

Related Reading: Researchers Hack Infrastructure of Iran-Linked Cyber Spies

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.