State report reveal 130 compromised websites used in travel-related watering hole attacks
By Bill Gertz
One hundred thirty websites are hosting malicious software on their websites in what the State Department is calling a sophisticated Russian cyber spying operation, according to security analysts.
“These websites include news services, foreign embassies and local businesses that were compromised by threat actors to serve as ‘watering holes,’” according to a report by the Overseas Security Advisory Council distributed this week. A watering hole is a hijacked website used by cyber attackers to deliver malware to unsuspecting victims.
“For example, users may navigate to one of these malicious sites with the intent of checking travel requirements or the status of a visa application and unknowingly download the embedded malware onto their computers,” the report said.
The report identified the locations of the compromised websites as the United States, South America, Europe, Asia, India and Australia.
The report appears to indicate Russian intelligence may be behind the operations. Also, none of the compromised websites are in China, an indication that Beijing’s hackers could be involved.
A total of 15 of the 130 websites used for watering holes were government embassy websites located in Washington, DC, and two were involved in passport and visa services and others are offering travel services.
The embassy targeting suggests some or all of the operations are linked to foreign intelligence services that are breaking into the networks as part of tracking and monitoring of foreign travel.
Another possibility is that the operation are part of information warfare efforts designed to influence policies and publics. Both Russia and China are engaged in significant strategic information operations targeting foreign governments and the private sector.
“The threat actors are likely attempting to gather information from entities with vested interests in international operations,” the report said. “Identified victims in this sector include embassies, defense industrial base groups, and think tanks.”
The report, based on data provided by the security firm iSight Partners, says the watering holes are likely part of cyber espionage operations.
“Analysis indicates this campaign has a global reach, continuing to target users of identified intelligence value long after the initial infection,” the report says.
The compromised websites are increasingly functioning as indirect malicious software attack tools. The compromised sites represent a different method than widely used spear phishing – the use of emails to trigger malicious software downloads.
“Rather than send a malicious email directly to a target of interest, threat actors research and compromise a high-traffic website that will likely be visited by numerous targets of interest,” the report said.
“Watering holes are effective, as they often exploit existing vulnerabilities on a user’s machine,” the report said. More sophisticated threat actors have been observed employing zero-day exploits – those which are previously unknown and evade antivirus and intrusion detection systems (IDS) to successfully compromise victims. Zero-days were used in the widely publicized Forbes.com watering hole in late 2014.”
The hijacked websites appear to be part of a campaign spanning 26 upper-level Internet domains and include affiliations with 21 nations and the European Union.
According to iSight, evidence suggests the campaign is “likely tied to cyber espionage operations with a nexus to the Russian Federation.”
The compromised government websites included those from Afghanistan, Iraq, Jordan, Namibia, Qatar and Zambia. The report recommended not visiting any of those embassy websites or risk being infected with malware.
Technically, the attackers arranged for computer users who visited the compromised websites to be infected with an embedded JavaScript that redirected users to a Google-shortened URL, and then on to websites the mapped their computer systems. This “profiling” is used by cyber spies to identify valuable targets and control that specific victims who are injected with a malware payload.
The profiling is used to identify targets that will produce “high intelligence value” returns, indicating sophisticated cyber spies are involved. The infection also employed a technique called the use of “evercookie” a derivative of the small files that are inserted on computers and can be used by remote servers to tailor information, such as advertisements, to specific user.
While normal cookies can be easily removed, evercookies store data in multiple locations, a method that makes them extremely difficult to find and removed. The use of evercookies also permits long-term exploitation by cyber attackers.
To counter watering hole attacks, users should make sure system and software security updates are applied, and avoid visiting suspicious websites.
In particular, network monitoring should be used to spot unusual activities, specifically geared toward attacks that exploit zero-day vulnerabilities.
“The threat of watering holes is likely to remain high, given their increasing popularity and success in the last year,” the report said.
The report, “Compromised Global Websites Target Unsuspecting Travelers,” was produced by OSAC’s Research & Information Support Center (RISC). It is available for OSAC members at osac.gov. *** But there is more.
SAN FRANCISCO (Reuters) – Hacking attacks that destroy rather than steal data or that manipulate equipment are far more prevalent than widely believed, according to a survey of critical infrastructure organizations throughout North and South America.
The poll by the Organization of American States, released on Tuesday, found that 40 percent of respondents had battled attempts to shut down their computer networks, 44 percent had dealt with bids to delete files and 54 percent had encountered “attempts to manipulate” their equipment through a control system.
Those figures are all the more remarkable because only 60 percent of the 575 respondents said they had detected any attempts to steal data, long considered the predominant hacking goal.
By far the best known destructive hacking attack on U.S. soil was the electronic assault last year on Sony Corp’s Sony Pictures Entertainment, which wiped data from the Hollywood fixture’s machines and rendered some of its internal networks inoperable.
The outcry over that breach, joined by President Barack Obama, heightened the perception that such destruction was an unusual extreme, albeit one that has been anticipated for years.
Destruction of data presents little technical challenge compared with penetrating a network, so the infrequency of publicized incidents has often been ascribed to a lack of motive for attackers.
Now that hacking tools are being spread more widely, however, more criminals, activists, spies and business rivals are experimenting with such methods.
“Everyone got outraged over Sony, but far more vulnerable are these services we depend on day to day,” said Adam Blackwell, secretary of multidimensional security at the Washington, D.C.-based group of 35 nations.
The survey went to companies and agencies in crucial sectors as defined by the OAS members. Almost a third of the respondents were public entities, with communications, security and finance being the most heavily represented industries.
The questions did not delve into detail, leaving the amount of typical losses from breaches and the motivations of suspected attackers as matters for speculation. The survey-takers were not asked whether the attempted hacks succeeded, and some attacks could have been carried off without their knowledge.
The survey did allow anonymous participants to provide a narrative of key events if they chose, although those will not be published.
Blackwell told Reuters that one story of destruction involved a financial institution. Hackers stole money from accounts and then deleted records to make it difficult to reconstruct which customers were entitled to what funds.
“That was a really important component” of the attack, Blackwell said.
In another case, thieves manipulated equipment in order to divert resources from a company in the petroleum industry.
Blackwell said that flat security budgets and uneven government involvement could mean that criminal thefts of resources, such as power, could force blackouts or other safety threats.
At security company Trend Micro Inc. , which compiled the report for the OAS, Chief Cybersecurity Officer Tom Kellermann said additional destructive or physical attacks came from political activists and organized crime groups.
“We are facing a clear and present danger where we have non-state actors willing to destroy things,” he said. “This is going to be the year we suffer a catastrophe in the hemisphere, and when you will see kinetic response to a threat actor.”
So-called “ransomware,” which encrypts data files and demands payment be sent to remote hackers, could also have been interpreted as destructive, since it often leaves information unrecoverable.
A spokesman for the U.S. Department of Homeland Security, SY Lee, said the department did not keep statistics on how often critical U.S. institutions are attacked or see destructive software and would not “speculate” on whether 4 out of 10 seeing deletion attempts would be alarming.
U.S. political leaders cite attacks on critical infrastructure as one of their greatest fears, and concerns about protecting essential manufacturers and service providers drove a recent executive order and proposed legislation to encourage greater information-sharing about threats between the private sector and government.
Yet actual destructive attacks or manipulation of equipment are infrequently revealed. That is in part because breach-disclosure laws in more than 40 states center on the potential risks to consumers from the theft of personal information, as with hacks of retailers including Home Depot Inc and Target Corp.
Under Securities and Exchange Commission guidelines, publicly traded companies must disclose breaches with a potential material financial impact, but many corporations can argue that even deletion of internal databases, theft and manipulation of equipment are not material.
Much more is occurring at vital facilities behind the scenes, and that is borne out by the OAS report, said Chris Blask, who chairs the public-private Information Sharing and Analysis Center for cybersecurity issues with the industrial control systems that automate power, manufacturing and other processes.
“I don’t think the public has any appreciation for the scale of attacks against industrial systems,” Blask said. “This happens all the time.”
