Cyber-security giant, FireEye claims to have uncovered new activity by a potential state- backed cyber-group or groups, according to their new threat intelligence report.
FireEye has confirmed that this group has been active for around a year and has made off with “vast amounts of information from visitors to websites including military executives, diplomats and government officials across the US and Europe
FireEye believes that these actors are using the same tactics marketeers use to track the online footprint of customers, to target high-level government members and diplomats. Jens Monrad, a systems engineer at FireEye spoke to SCMagazineUK.com saying that, "based on the over 100 websites we have observed, more than 50 percent of those compromised websites are either directly or indirectly affiliated with governments across the globe. We think the primary audience would be global travelers, like American and European diplomats, military personnel, and government officials. In our estimate, this indicates a potential target list that would include obtaining information about these types of people." This particular threat actor, added Monrad, seems to be particularly interested in Eastern European countries like Russia, Ukraine and Georgia.
Normal marketeers use analytics to see what their customers want and create a profile of how to better reach them and sell to their target audience. In the same way, these nefarious ‘threat actors' start out by looking to see what kinds of websites their targets visit using the analytics and open source software that orthodox marketers might use.
From there, these ‘threat actors' compromise websites popular with their apparent targets. The report notes that,“The websites are not randomly chosen targets of opportunity, but specifically selected as part of a tactic called a strategic web compromise.(SWC)”. Also known as a “watering hole” attack”; unlike active forms of attack such as spear-phishing, the SWC passivelycollects users information by putting exploit code into the HTML websites the targeted users normally visit. If such a targeted user visits this website, they will activate the trap and can have malware installed on their device
The report says that “the individuals behind this activity have amassed vast amounts of information on web traffic and visitors to more than 100 websites – sites that the threat actors have selectively compromised to gain access to their collective audience.”
Once the trap is sprung by the targeted user, they are quietly redirected to a website, which runs what FireEye calls the WITCHCOVEN script which goes about collecting information about the user's computer. And all of this using the same kind of analytics that retailers use to better market their products and the open source tools that web developers use to create and manage websites. It's the cyber-analogue of making napalm out of frozen orange juice concentrate and gasoline.
FireEye notes that it has not yet seen the information collected using the WITCHCOVEN script: “So far nothing we have described is overtly malicious. No exploit code has been delivered. No website visitors have been compromised.” While the kind of information the WITCHCOVEN collects can be used for the aforementioned legitimate purposes, FireEye suspect a more nefarious purpose. They've speculated that the kind of information collected could be used for things like identifying unpatched applications that might be used to hack into the victim's system; identifying the user or their organisation and help the attackers better profile their targets and their targets' systems.
But why does FireEye suspect a nation state and not your average cyber-criminal? Monrad filled SC in: "we doubt cyber criminals would go to such length to collect this information, especially from websites that we suspect are not collecting financial or transaction data." Theirs is the long game. According to Monrad, FireEye weighed up three factors. First, the scope of the operation FireEye identified "needs substantial resources to process their information." Second, the fact they haven't tried to do anything malicious with the information collected suggests an intelligence angle, implying the group involved are trying to "limit their exposure" in the same way other nation -state actors do. Third, and most obvious is the fact that the targets involved would all be of interest to foreign intelligence agencies and nation states.