State-sponsored Cyberspies

Uploaded on 2015-11-21 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

 

FireEye have discovered an attack campaign that injects computer profiling & tracking scripts into over 100 security- sensitive Russian  websites.

Web analytics and tracking cookies play a vital role in online advertising, but they can also help attackers discover potential targets and their weaknesses, a new report shows.

Security researchers from FireEye have discovered an attack campaign that has injected computer profiling and tracking scripts into over 100 websites visited by business executives, diplomats, government officials and academic researchers.

The researchers believe the compromised websites attract visitors involved in international business travel, diplomacy, energy production and policy, international economics and official government work. They include sites belonging to embassies, educational and research institutions, governments, visa services, energy companies, media organizations and non-profit organizations.

While no exploits or malicious code have been served through the injected scripts, the goal of the attackers appears to be the identification of unique users who can be targeted with attacks tailored for their specific computer and software configurations. FireEye has named the reconnaissance campaign WITCHCOVEN and believe that it's the work of state-sponsored attackers.

When users visit one of the compromised websites, their browsers get silently redirected to one of several WITCHCOVEN profiling servers. Scripts hosted on those servers collect information like the user's IP address, their browser type and version, the language setting, the referring website, the version of Microsoft Office and browser plug-ins like Java, Flash Player, etc.

In addition, they also install so-called supercookies or evercookies inside users' browsers. These cookies are hard to delete and are used to track users across multiple websites.
"We believe that the computer profiling data gathered by the WITCHCOVEN script, combined with the evercookie that persistently identifies a unique user, can, when combined with basic browser data available from HTTP logs, be used by cyber threat actors to identify users of interest, and narrowly target those individuals with exploits specifically tailored to vulnerabilities in their computer system," the FireEye researchers said in their report.

The company has not detected any follow-up exploitation attempts against its customers so far, but this could be because the attackers use a highly targeted approach to victim selection.
The subsequent exploits could be embedded in malicious documents attached to email spear phishing messages and not necessarily be served through a browser. The gathered information could also be used to assist in traditional spying operations.

Some of the compromised websites suggest that the attackers may have a particular interest in individuals associated with a major Russian energy company, Russian cultural organizations, Russian embassies, Ukraine's security services and border guards and a media organization in the Republic of Georgia, the FireEye researchers said.

Computerworld

 

« Low-tech Coppers in the UK
Mystery Fingers on Keyboard in JPMorgan Hack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Imperva

Imperva

Imperva is a leading provider of data and application security solutions including DDoS protection, Web application security, Data security and Cloud security.

CERTuy

CERTuy

CERTuy is the national Computer Emergency Response Team for Uruguay.

Snyk

Snyk

Snyk is the leader in developer security. We empower the world’s developers to build secure applications and equip security teams to meet the demands of the digital world.

Blancco Technology Group

Blancco Technology Group

Blancco Technology Group is a leading global provider of mobile device diagnostics and secure data erasure solutions.

WiJungle

WiJungle

WiJungle is an Indian Cyber Security Company that develops and markets a unified network security gateway solution.

National Initiative for Cybersecurity Education (NICE) - USA

National Initiative for Cybersecurity Education (NICE) - USA

NICE is a partnership between government, academia, and the private sector focused on cybersecurity education, training, and workforce development.

IAR Systems

IAR Systems

IAR Systems are a frontrunner in a changing industry, and a future-proof software supplier enabling the IoT.

Vanbreda

Vanbreda

Vanbreda Risk & Benefits is the largest independent insurance broker and risk consultant in Belgium and the leading insurance partner in the Benelux.

Huntress Labs

Huntress Labs

Huntress provides managed threat detection and response services to uncover and address malicious footholds that slip past your preventive defenses.

AngelList

AngelList

AngelList champion startups and the people who empower them. Search tech & startup jobs, find new tech products, and invest in startups.

Keyless Technologies

Keyless Technologies

Simple, secure, and interoperable authentication. Keyless offers unmatched security, privacy and usability, while reducing risk and infrastructure costs.

CodeLock

CodeLock

Codelock is a patent-pending solution that continuously provides software security at the code level, while providing advanced management insights with performance metrics and data analytics.

Oasis Technology

Oasis Technology

Oasis Technology are experts in cyber security. In addition to pioneering the game-changing TITAN anti-hacking device, we provide extensive cyber security consulting services.

Kodem Security

Kodem Security

Our mission is to make AppSec simple. Meet the world’s first dynamic software composition analysis platform. Only Kodem uses runtime intelligence to determine application risk.

SecurWeave

SecurWeave

SecurWeave's Configurable Hardware Enforced Safety and Security (CHESS) platform has been designed to meet the security and safety criticality needs of the evolving digital industry.

EVVO LABS

EVVO LABS

EVVO Labs empower your business with the latest IT capabilities to get you ahead of your competitors. We are experts at converging technologies to build your digital transformation.