State-sponsored Cyberspies

 

FireEye have discovered an attack campaign that injects computer profiling & tracking scripts into over 100 security- sensitive Russian  websites.

Web analytics and tracking cookies play a vital role in online advertising, but they can also help attackers discover potential targets and their weaknesses, a new report shows.

Security researchers from FireEye have discovered an attack campaign that has injected computer profiling and tracking scripts into over 100 websites visited by business executives, diplomats, government officials and academic researchers.

The researchers believe the compromised websites attract visitors involved in international business travel, diplomacy, energy production and policy, international economics and official government work. They include sites belonging to embassies, educational and research institutions, governments, visa services, energy companies, media organizations and non-profit organizations.

While no exploits or malicious code have been served through the injected scripts, the goal of the attackers appears to be the identification of unique users who can be targeted with attacks tailored for their specific computer and software configurations. FireEye has named the reconnaissance campaign WITCHCOVEN and believe that it's the work of state-sponsored attackers.

When users visit one of the compromised websites, their browsers get silently redirected to one of several WITCHCOVEN profiling servers. Scripts hosted on those servers collect information like the user's IP address, their browser type and version, the language setting, the referring website, the version of Microsoft Office and browser plug-ins like Java, Flash Player, etc.

In addition, they also install so-called supercookies or evercookies inside users' browsers. These cookies are hard to delete and are used to track users across multiple websites.
"We believe that the computer profiling data gathered by the WITCHCOVEN script, combined with the evercookie that persistently identifies a unique user, can, when combined with basic browser data available from HTTP logs, be used by cyber threat actors to identify users of interest, and narrowly target those individuals with exploits specifically tailored to vulnerabilities in their computer system," the FireEye researchers said in their report.

The company has not detected any follow-up exploitation attempts against its customers so far, but this could be because the attackers use a highly targeted approach to victim selection.
The subsequent exploits could be embedded in malicious documents attached to email spear phishing messages and not necessarily be served through a browser. The gathered information could also be used to assist in traditional spying operations.

Some of the compromised websites suggest that the attackers may have a particular interest in individuals associated with a major Russian energy company, Russian cultural organizations, Russian embassies, Ukraine's security services and border guards and a media organization in the Republic of Georgia, the FireEye researchers said.

Computerworld

 

« Low-tech Coppers in the UK
Mystery Fingers on Keyboard in JPMorgan Hack »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Chertoff Group

Chertoff Group

The Chertoff Group provide security advice and risk management services covering cyber security, insider threat, physical security and asset protection.

Keyfactor

Keyfactor

Keyfactor is a leader in cloud-first PKI as-a-Service and crypto-agility solutions. Our Crypto-Agility Platform seamlessly orchestrates every key and certificate across the enterprise.

Secusmart

Secusmart

Secusmart provide highly secure and encrypted speech and data communication solutions.

Secude

Secude

SECUDE is an established global security solutions provider offering innovative data protection for SAP users.

CyberGuru

CyberGuru

CyberGuru is a service provided by CyberSecurity Malaysia specializing in cyber security professional training and development.

Bitfury Group

Bitfury Group

Bitfury Group is the largest full-service blockchain technology company in the world.

Estio Training

Estio Training

Estio Training is a specialist digital and IT apprenticeships provider, dedicated to introducing new skills and developing existing talent in businesses across the UK.

Cloud & Cyber Security Expo

Cloud & Cyber Security Expo

Cloud & Cyber Security Expo is the UK’s largest cloud and cyber security event.

Neosecure

Neosecure

NeoSecure is a specialist Cybersecurity Solutions and Managed Services provider in Latin America.

Infosec Cloud

Infosec Cloud

Infosec Cloud is a specialist Cyber Security company offering fully managed Training & Testing Services in addition to market leading Cyber Security technology and accredited professional services.

BaXian Group

BaXian Group

BaXian AG is an international consulting company specializing in IT security, data analytics, risk management and compliance.

Kiteworks

Kiteworks

Kiteworks (formerly Accellion) creates a dedicated Private Content Network that ensures zero-trust private content protection and compliance.

Threat Con

Threat Con

Threat Con is a one of its kind event in Nepal, a series of annual international security conventions similar to the famous Black Hat and DEF CON conferences.

Box

Box

Box is the Cloud Content Management company that empowers enterprises to revolutionize how they work by securely connecting their people, information and applications.

Effectiv

Effectiv

Effectiv is a real-time fraud & risk management platform for Financial Institutions and Fintechs.

Cork

Cork

Cork is a purpose-built cyber warranty company for managed service providers (MSPs) serving small businesses (SMBs) and the software solutions they manage.