An attack campaign described as having significant potential has collected extensive information from the internet and compromised selected websites. Large amounts of sensitive data on web traffic and visitors have been gathered from more than 100 websites. Researchers at FireEye assess that the threat actors are most likely state-sponsored attackers connected with the Russian government.
Visitors to specific websites are redirected by a profiling script known as WITCHCOVEN. A small piece of inserted code redirects the user's browser to a second compromised website, which hosts the WITCHCOVEN script; unbeknownst to the user, that script tracks and profiles the visitor so that victims of interest can later be infected with targeted malware.
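The injection described above, a small snippet on a legitimate page that silently loads content from a second host, is something a site owner can check for in their own HTML. The following scanner is an added example and is not FireEye's code or anything recovered from the campaign; the hostnames in the sample page are constructed placeholders, and the allow-list of first-party and CDN hosts is an assumption that a real deployment would fill in from the site's own configuration. It flags any external `iframe`, `script` or `img` load and any `meta refresh` that points off-site, and rates a hidden or 1x1 iframe as the highest-confidence finding.

```python
"""Flag externally loaded elements and hidden redirects in page HTML.

Added example (not from the original article). Detection-only: it reads
HTML already served by a site you operate and reports loads that point
at hosts outside an allow-list, which is how an injected profiling
redirect typically shows up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate CDN script plus one injected,
# hidden 1x1 iframe pointing at an unrelated host. Both hostnames are
# placeholders invented for this example, not real indicators.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.site.example/app.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://tracker-host.example/path/" width="1" height="1"
        style="display:none"></iframe>
<script src="https://cdn.site.example/analytics.js"></script>
</body></html>
"""

# Assumed first-party hosts; a real deployment would load these from config.
ALLOWED_HOSTS = ["site.example", "cdn.site.example"]

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden")


def _looks_hidden(attrs):
    """True for elements styled invisible or sized 0/1 pixel."""
    style = (attrs.get("style") or "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return bool(HIDDEN_STYLE.search(style)) or tiny


class InjectedLoadFinder(HTMLParser):
    """Collects off-site loads: iframe/script/img src and meta-refresh URLs."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        src = None
        if tag in ("iframe", "script", "img") and a.get("src"):
            src = a["src"]
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content="0; url=https://..." -> pull out the target URL
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            src = m.group(1) if m else None
        if not src:
            return
        host = (urlparse(src).hostname or "").lower()
        if not host or host in self.allowed:
            return  # relative URL or allow-listed first-party host
        self.findings.append({
            "tag": tag,
            "host": host,
            # A hidden off-site iframe or a meta refresh is the classic
            # shape of an injected redirect; treat those as high severity.
            "high": tag == "meta" or (tag == "iframe" and _looks_hidden(a)),
        })


def find_injected_loads(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of off-site loads found in the HTML."""
    parser = InjectedLoadFinder(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def high_severity(findings):
    """Subset of findings that look like a silent redirect rather than a resource."""
    return [f for f in findings if f["high"]]


if __name__ == "__main__":
    for f in find_injected_loads(SAMPLE_HTML):
        level = "HIGH" if f["high"] else "info"
        print(f"[{level}] <{f['tag']}> loads from {f['host']}")
```

Run against a crawl of your own pages and diff the set of off-site hosts over time: a new hidden iframe or meta refresh to a host that has never appeared before is the signal worth paging on, while allow-listed CDN loads stay quiet.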
“We believe that the computer profiling data gathered by the WITCHCOVEN script, combined with the evercookie that persistently identifies a unique user, can – when combined with basic browser data available from HTTP logs – be used by cyber-threat actors to identify users of interest, and narrowly target those individuals with exploits specifically tailored to vulnerabilities in their computer system,” said the researchers from FireEye. Tracking and analytics therefore play a role not only in online advertising, but also in helping attackers find potential targets and their weaknesses.
FireEye has identified 14 websites hosting the WITCHCOVEN script. Based on the content of the compromised websites, FireEye believes the threat actors are interested in gathering data from executives, diplomats, government officials and military personnel, specifically in the US and Europe.