SecurityWeek


State-Sponsored Attackers Use Web Analytics for Reconnaissance

A threat group believed to be sponsored by a nation state has compromised over 100 websites in an effort to track and profile potential targets, FireEye reported on Monday.


The reconnaissance campaign, which FireEye has been tracking since last year, is similar to, and possibly related to, the activities of the Russia-linked advanced persistent threat (APT) group identified as Waterbug by Symantec and as Turla by Kaspersky Lab. The actor is mainly known for its operations involving malware toolkits such as Turla (Snake/Uroburos) and Epic Turla (Wipbot/Tavdig).

Web analytics allows advertisers and other organizations to measure web traffic and determine the most efficient ways of reaching the targeted audience. However, the same tools and techniques can also be leveraged by malicious actors.

According to FireEye, attackers have used web analytics and open source tools to collect data about potential victims and their devices, information they can use to track and profile targets and possibly infect them with malware.

The group monitored by the security firm has hijacked more than 100 carefully selected websites in what is referred to as a strategic web compromise. On these websites, the malicious hackers injected a small piece of code that silently redirects visitors to a second compromised website that hosts a profiling script.

The script, dubbed by FireEye “WITCHCOVEN,” collects the victim’s computer and browser configuration and deploys a persistent tracking cookie, also known as a “supercookie,” on their device.
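The two-stage mechanism described above (a small injected snippet on a legitimate site that sends the visitor to a second host serving the profiling script) leaves a footprint in the page markup that a site owner can look for. The following is an added example, not FireEye's code and not a WITCHCOVEN signature: it assumes the defender knows which hosts their own pages legitimately load content from (the allowlist below is constructed), and it flags script, iframe, image, meta-refresh and inline-JavaScript redirects that point anywhere else, marking those that are also hidden from the visitor. The sample page and the host names in it are constructed for the demonstration.

```python
"""Flag injected third-party loads and redirects in a site's own HTML.

Added example for this article; not FireEye's tooling. Assumes the defender
controls the site and can supply an allowlist of legitimate content hosts.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this hypothetical site legitimately loads from.
ALLOWED_HOSTS = {"www.example-embassy.test", "cdn.example-embassy.test"}

# Inline JavaScript that sends the visitor to an absolute URL.
REDIRECT_RE = re.compile(
    r"(?:window|document|top)\.location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)",
    re.I,
)


class InjectionScanner(HTMLParser):
    """Collects findings for content loaded from, or redirecting to, hosts
    outside the allowlist. Each finding records what kind of element it was,
    the URL, the host, and whether the element is hidden from the visitor."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []
        self._in_inline_script = False
        self._script_buf = []

    def _external(self, url):
        host = urlparse(url).hostname
        return host is not None and host.lower() not in self.allowed

    def _add(self, kind, url, hidden):
        self.findings.append(
            {"kind": kind, "url": url, "host": urlparse(url).hostname, "hidden": hidden}
        )

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag in ("script", "iframe", "img") and src and self._external(src):
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = tiny or "display:none" in style or "visibility:hidden" in style
            self._add(f"external-{tag}", src, hidden)
        if tag == "script" and not src:
            # HTMLParser hands script bodies to handle_data as raw text.
            self._in_inline_script = True
            self._script_buf = []
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content") or "", re.I)
            if m and self._external(m.group(1)):
                self._add("meta-refresh", m.group(1), True)

    def handle_data(self, data):
        if self._in_inline_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            for m in REDIRECT_RE.finditer("".join(self._script_buf)):
                if self._external(m.group(1)):
                    self._add("inline-redirect", m.group(1), True)


def scan_html(html, allowed=ALLOWED_HOSTS):
    """Return the list of external-load/redirect findings for one page."""
    scanner = InjectionScanner({h.lower() for h in allowed})
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate CDN script plus two injected redirections
# to a constructed second host standing in for the profiling-script server.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-embassy.test/site.js"></script>
</head><body>
<h1>Visa information</h1>
<iframe src="https://stats.compromised-site.test/p.php" width="0" height="0"></iframe>
<script>var here = document.location.href;</script>
<script>if (navigator.userAgent) { window.location = "https://stats.compromised-site.test/r.html"; }</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"{f['kind']:18} hidden={f['hidden']!s:5} {f['url']}")
```

Run it over pages fetched from your own site (or from a periodic crawl of it) and diff the findings against a known-good baseline; a new zero-size iframe or an inline redirect to a host you have never served from is exactly the kind of change a strategic web compromise introduces. The scan looks only at markup, so it will not see a redirect added server-side or set via an HTTP header, and it does not address the tracking cookie the script drops on the visitor's machine.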

“We believe the actors analyze the collected data to identify unique users and pair them with information about their computer to later deploy exploits tailored to their particular software and computer configuration,” FireEye said in its report.

For example, if the attackers determine that the targeted user is running outdated software that is known to contain serious vulnerabilities, they can easily hack their machine using available exploits, without the need to expose zero-days. Zero-day exploits are likely used only against a limited number of victims whose computers are fully patched, FireEye explained.


FireEye says this tactic has been used in targeted operations by other APT groups, including the Chinese actor APT3 in Operation Clandestine Wolf, and the Russian group APT28 in Operation Russian Doll.

The data collected by the threat group observed by FireEye can also be useful for creating well-crafted spear phishing emails, for building a user profile that can be leveraged for traditional espionage, and creating a database of potential targets, the security firm said.

FireEye has determined that the more than 100 compromised websites are likely to be visited by people interested in international travel, diplomacy, international economics, energy production and policy, and government matters. The list of targets includes government, embassy, higher education and research, entertainment and culture, NGO, international law, media, consumer goods and retail, energy, construction and engineering, visa services, and high tech websites in tens of countries across the world.

Of particular interest appear to be executives, military personnel, government officials, and diplomats from Europe and the United States.

FireEye customers in sectors such as education, government, financial services, energy and utilities, legal, healthcare, entertainment, media, hospitality, manufacturing, services and consulting, and high tech have reported seeing WITCHCOVEN infections.

The security firm believes the reconnaissance campaign is sponsored by a nation state for three reasons: the profile of the targeted entities; the scale of the activity and the scope of the operation; and the lack of obvious exploit or malware delivery, which indicates that the attackers want to limit exposure of their tools, most likely because they are running a long-term operation with specific intelligence requirements.

Related Reading: Researchers Hack Infrastructure of Iran-Linked Cyber Spies

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
