Forcepoint Security experts have come across a malicious reconnaissance campaign that targets websites. As of this writing, the intent behind the campaign is unknown; however, the profile of the targets resembles that of the usual targets of Advanced Persistent Threat (APT) actors. As the attack is currently active, it effectively turns compromised sites into attack surfaces against their visitors.
Furthermore, the injections resemble those used by the Turla group, such as those previously documented by Swiss GovCERT last year. In this post, we will share our findings on this campaign's targets and injected code, as well as provide insights into its timeline.
The majority of the targeted sites were ministry and embassy sites, although sites with different profiles were also compromised. Below is a list of the affected sites we have observed:
Interestingly, all of the targeted embassy sites were embassies located in Washington, D.C., United States.
As reported by the Swiss GovCERT, the Turla group is known to use Google Analytics scripts to disguise their malicious code on compromised websites. They then evaluate compromised sites' visitors, through fingerprinting and an IP target list, before a malicious payload is served. These techniques are strikingly similar to those of this campaign, in which the injected code is disguised as a Clicky web analytics script. In addition, the above HTTP response suggests that it is simply used to hide the malicious activity from visitors outside the attackers' interest.
The actors behind the campaign actively manage the injected scripts. For instance, we have seen them comment out their injected script on a particular site for a certain period and then reactivate it. Injected scripts are also updated with new malicious sites.
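Both observations above, the analytics-lookalike disguise and the commenting-out and re-enabling of the injection, give a site owner something concrete to check for. The following Python script is an added example written for this post, not code from Forcepoint or from the campaign: it audits a page's HTML for external script sources, flags any that load from a host outside an allowlist while borrowing analytics-style naming, and also reports script tags that sit inside HTML comments, since a parked injection is itself a signal. The allowlisted hosts, the keyword list and the sample page are assumptions constructed for the example and should be replaced with the hosts a given site actually uses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads analytics scripts from.
# Assumed values for the example (not taken from the post); use your own.
TRUSTED_SCRIPT_HOSTS = {
    "static.getclicky.com",
    "www.google-analytics.com",
}

# Words an injected script tends to borrow to pass as analytics code.
ANALYTICS_KEYWORDS = ("clicky", "analytics", "stats", "tracker")

# Matches a <script src="..."> tag inside raw text (used on comment bodies).
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)

# Constructed sample page: one legitimate Clicky tag, one lookalike from an
# unknown host, one first-party script, and one injection parked in a comment.
SAMPLE_PAGE = """<html><head>
<script src="//static.getclicky.com/js"></script>
<script src="https://clicky-stats.example/js/analytics.js"></script>
<script src="/js/site.js"></script>
<!-- <script src="https://cdn-analytics.example/tracker.js"></script> -->
</head><body></body></html>"""


class ScriptAuditor(HTMLParser):
    """Collect external script sources, live ones and those inside comments."""

    def __init__(self):
        super().__init__()
        self.active = []      # src values of live <script> tags
        self.commented = []   # src values found inside <!-- ... --> blocks

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.active.append(src)

    def handle_comment(self, data):
        # A script tag that only exists inside a comment is worth reporting:
        # the operators parked their injection this way before re-enabling it.
        self.commented.extend(SCRIPT_SRC_RE.findall(data))


def classify_src(src):
    """Label one script source by where it loads from and how it is named."""
    host = (urlparse(src).hostname or "").lower()
    if not host:
        return "first-party"          # relative path, served by the site itself
    if host in TRUSTED_SCRIPT_HOSTS:
        return "trusted"
    if any(k in src.lower() for k in ANALYTICS_KEYWORDS):
        return "analytics-lookalike"  # analytics-style name, unknown host
    return "untrusted"


def audit_html(html):
    """Return (src, state, verdict) for every external script in the page."""
    parser = ScriptAuditor()
    parser.feed(html)
    findings = [(src, "active", classify_src(src)) for src in parser.active]
    findings += [(src, "commented-out", classify_src(src)) for src in parser.commented]
    return findings


def suspicious(findings):
    """Keep only findings a reviewer should look at."""
    return [f for f in findings if f[2] not in ("trusted", "first-party")]


if __name__ == "__main__":
    for src, state, verdict in suspicious(audit_html(SAMPLE_PAGE)):
        print(f"{verdict:20} {state:14} {src}")
```

Run periodically against a saved copy of each page and diff the output between runs: a source that flips between "active" and "commented-out", or a new host appearing under an analytics-style name, is exactly the management activity described above.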