China Blamed for Operation Poisoned Helmand Attack on Afghan Sites


China has been blamed for a covert watering-hole attack on a Content Delivery Network (CDN) used by the Afghan government to host its official departmental websites.

Security firm ThreatConnect’s Intelligence Research Team (TCIRT) spotted the targeted cross-site scripting drive-by attack, which affected numerous Afghan government sites including the Ministries of Foreign Affairs, Finance, Justice and Education, and even the Afghan Embassy in Canberra.

The JavaScript URL in question is probably a legitimate one that the attackers turned malicious by altering the script it served, TCIRT said in a blog post.

“Note that the gov.af websites would not need to be compromised individually for this attack to be delivered to visitors of the sites, because it is the back-end CDN infrastructure that is serving up the malicious script,” it said.

China is suspected of being behind the so-called 'Operation Poisoned Helmand' attack for two main reasons.

First, it came during a high-profile bilateral meeting on development between Chinese premier Li Keqiang and Afghanistan's Chief Executive, Abdullah Abdullah. In fact, the image of the two that was used as the lure to spread the malware was modified by the attackers just hours after it was likely taken, TCIRT claimed.

A similar tactic was apparently used back in June when Li met Greek prime minister Antonis Samaras in Athens and a malicious Java file was found hosted on the Embassy of Greece in Beijing.

Secondly, TCIRT claimed that the malicious Java applet found in the most recent attack shares the same source code as another it had spotted at a URL connected with the Operation Poisoned Hurricane attacks, which have been linked to China in the past.

TCIRT concluded:

“By exploiting and co-opting Afghan network infrastructure that is used by multiple ministerial level websites, Chinese intelligence services would be able to widely distribute malicious payloads to a variety of global targets using Afghanistan’s government websites as a topical and trusted distribution platform, exploiting a single hidden entry point. This being a variant of a typical ‘watering-hole’ attack, the attackers will most likely infect victims outside the Afghan government who happened to be browsing any one of the CDN client systems, specifically, partner states involved in the planned troop reduction.”
