Spy Campaign Hits Embassies in Washington

A new reconnaissance injection campaign, active since late 2015, is targeting the websites of embassies and government organizations in Washington D.C. and beyond.

According to Forcepoint Security Labs, the offensive remains active, effectively turning compromised sites into attack surfaces against their visitors.

The injection campaign is an example of the ongoing targeting of international government entities, perhaps in an attempt to continue to influence the geopolitical environment.

While most of the targets are embassies in Washington, the attacks have hit other sites as well:

  • Foreign affairs ministries of Kyrgyzstan, Moldova and Uzbekistan
  • Embassy sites of Iraq, Jordan, Zambia and Russia
  • A political party in Austria
  • A government-run sustainability site in Austria
  • A sports association in Austria
  • A Somalian news site
  • A socialist organization in Spain
  • An international cooperation organization based in France
  • An African union site
  • A road safety site from Ukraine
  • An African plant society

The origins of the campaign are unknown; however, the profile of the targets resembles that commonly pursued by advanced persistent threat (APT) actors bent on espionage, the firm said. The tactics displayed are very close to those used by the Turla Group, as observed previously by teams from both Kaspersky and Microsoft, but researchers warned to be careful with attribution.

“No conclusive evidence is available to confirm a relationship between the two and the motive behind this campaign is yet to be uncovered,” the firm said in an analysis. “It is recommended that website administrators review their websites for similar injections to prevent their visitors from being subject to a potential attack.”
