Croatian Government Targeted By Mystery Hackers

A mysterious hacker group targeted, and most likely infected, Croatian government employees between February and April this year. The attackers, who are suspected to be a state-sponsored unit, went after their victims with a spear-phishing campaign that mimicked delivery notifications from the Croatian postal service and other retail services.

The emails contained a link to a remote website with a lookalike URL, where users were asked to download an Excel document.
The document was laced with a malicious macro script that appeared to have been largely copied from the internet, from various tutorials and open source projects hosted on StackOverflow.com, Dummies.com, Issuu.com, Rastamouse.me and GitHub.com.

If the victim enabled the macro, the script would download and install malware on their system. Two different sets of malware payloads were detected during these attacks.

  • The first was the Empire backdoor, a component of the Empire post-exploitation framework, a penetration testing utility.
  • The second was SilentTrinity, another post-exploitation tool similar to the first.

In a presentation at the Positive Hack Days (PHDays) security conference in May, Alexey Vishnyakov, a Senior Specialist in Threat Analysis at the cyber-security firm Positive Technologies, said this was the first time a malicious threat actor had weaponised the SilentTrinity tool in an active malware distribution campaign.

Although the phishing attacks went under the radar for two months, they were eventually detected in early April. The Information Systems Security Bureau (ZSIS), the central state authority responsible for the cyber-security of the Republic of Croatia's state bodies, issued two separate alerts about the attacks.

The state cyber-security agency shared indicators of compromise, such as file names, registry keys, URLs and the IP addresses of the attackers' command and control (C&C) servers, and asked state agencies to check their logs and scan computers for potential infections.

"The Croatian Post has already taken steps to remove the malicious websites and servers, but both malware versions are currently active," the agency said. "With this malware, attackers can take control over a computer and execute arbitrary commands under the authority of the user who opened the XLS file and enabled the execution of the macro commands."

In a report published on 5 July 2019, Vishnyakov pointed out connections between the C&C servers used in this campaign against Croatian government agencies and those used in past malware distribution operations.

The most important is a FireEye report about hackers exploiting a WinRAR vulnerability to infect government targets in Ukraine with the same Empire backdoor, using the same C&C server. While FireEye never attributed those attacks to a specific hacker group, the targeting of the Ukrainian government is characteristic of Russian threat actors, who have been targeting the country's officials and government agencies since 2014, when Russian troops invaded the Crimean peninsula.

While Vishnyakov refrained from attributing these attacks to a specific threat actor, the researcher did note that "the available data on hosts, addresses, and domains used, as well as the high number of connections between them, suggests a large-scale malicious effort."

ZDNet:
