Croatian Government Targeted By Mystery Hackers

Uploaded on 2019-07-16 in TECHNOLOGY--Hackers, GOVERNMENT-National, FREE TO VIEW

A mysterious hacker group has targeted, and most likely infected, Croatian government employees between February and April this year. Attackers, which are suspected to be a state-sponsored unit, have targeted victims using a spear-phishing campaign that mimicked delivery notifications from the Croatian postal or other retail services.

Emails contained a link to a remote website with a lookalike URL, where users were asked to download an Excel document.
The document was laced with malicious code packed as a macro script which appeared to have been largely copied off the internet, from various tutorials or open source projects hosted on StackOverflow.com, Dummies.com, Issuu.com, Rastamouse.me, or GitHub.com.

The macro script, if enabled by the victim, would download and install malware on their systems. Two different sets of malware payloads were detected during these attacks.

  • The first was the Empire backdoor, a component of the Empire post-exploitation framework, a penetration testing utility. 
  • The second was SilentTrinity, another post-exploitation tool, similar to the first.

In a presentation at the Positive Hack Days (PHDays) security conference in May, Alexey Vishnyakov, a Senior Specialist in Threat Analysis for cyber-security firm Positive Technologies, said this was the first time when a malicious threat actor had weaponised the SilentTrinity tool in an active malware distribution campaign.

While they went under the radar for two months, the phishing attacks were eventually detected in early April. The Information Systems Security Bureau (ZSIS), the central state authority responsible for the cyber-security of the Republic of Croatia state bodies, issued two separate alerts about the attacks.

The state cyber-security agency shared indicators of compromise, such as file names, registry keys, URLs, and IP addresses for the attackers' command and control (C&C) servers, asking state agencies to check logs and scan computers for potential infections.

"The Croatian Post has already taken steps to remove the malicious web sites and servers, but both malware versions are currently active," the agency said. "With this malware, attackers can take control over a computer and execute arbitrary commands under the authority of the user who opened the XLS file and enabled to execute the macro commands."

In a report published on the 5th July 2019, Vishnyakov pointed out certain connections between the C&C servers used in this campaign targeting Croatian government agencies and past malware distribution operations.

The most important is a FireEye report about hackers using a WinRAR vulnerability to infect government targets in Ukraine with the same Empire backdoor, and using the same C&C server. While FireEye never attributed those attacks to a specific hacker group, the targeting of the Ukrainian government is specific to Russian threat actors, who have been targeting the country's officials and government agencies since 2014, when Russian troops invaded the Crimean-peninsula.

While Vishnyakov refrained from attributing these attacks to a specific threat actor, the researcher did note that "the available data on hosts, addresses, and domains used-as well as the high number of connections between them-suggests a large-scale malicious effort."

ZDNet:

You Migt Also Read: 

Cyberwar Vs. Traditional Conflict:

 

 

 

 

« Vietnam’s Top Hacking Group Uses Sloppy Code
AI Solves Beatles Songwriting Dispute »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Bulb Security

Bulb Security

Whether your internal red team or penetration testing team needs training, or you lack internal resources and need an outsourced penetration test, Bulb Security can help.

QTS

QTS

QTS Realty Trust, Inc. is a leading provider of secure, compliant data center, hybrid cloud and managed services.

SiteLock

SiteLock

SiteLock is a global leader in website security solutions. We provide affordable, cybersecurity software solutions designed to allow small to midsize businesses to operate without fear of an attack.

MailXaminer

MailXaminer

MailXaminer is an advance and powerful email investigation platform that scans digital data, performs analysis, reports on findings and preserves them in a court validated format.

Crosscheck Networks

Crosscheck Networks

Crosscheck products allow you to test your APIs across different protocols and message formats with functional automation, performance, and security testing capabilities.

Fedco International

Fedco International

Fedco International is an IT and SCADA ICS Security consultancy firm.

The ai Corporation

The ai Corporation

The ai Enterprise Fraud Solution is an on-prem or cloud-based self-service, machine learning fraud detection and prevention tool set.

Trustless Computing Association (TCA)

Trustless Computing Association (TCA)

TCA is is a non-profit organization promoting the creation and wide availability of IT and AI technologies that are radically more secure and accountable than today’s state of the art.

AlertSec

AlertSec

AlertSec Ensure is a U.S. patented technology that allows you to educate, verify and enforce encryption compliance of third-party devices.

NuID

NuID

NuID is a pioneer in trustless authentication and decentralized digital identity.

Xscale Accelerator

Xscale Accelerator

Xscale's vision is to create world-class startups out of India by transforming sales and providing access to global markets.

Analygence

Analygence

ANALYGENCE is your trusted partner for mission support, cyber solutions, and management services.

Threat Con

Threat Con

Threat Con is a one of its kind event in Nepal, a series of annual international security conventions similar to the famous Black Hat and DEF CON conferences.

The Hacking Games

The Hacking Games

The Hacking Games' Mission is to inspire, educate and mobilise a generation of ethical hackers to make the world a safer place.

Vorlon

Vorlon

Vorlon's agentless patent-pending solution facilitates risk profiling of apps, and provides AI-driven behavioral analytics with response recommendations.

Chorus

Chorus

Chorus are a leading Managed Security Service Provider (MSSP), and member of the Microsoft Intelligent Security Association (MISA), with three Microsoft Advanced Specialisations in security.