An unknown attacker recently compromised the Washington DC-based embassy websites of Iraq, Jordan, Russia and Zambia.

An unknown actor whose targets and tactics resemble those of a Russian advanced persistent threat group has been compromising the websites of foreign embassies, ministries and organizations, in an attempt to infect certain site visitors with malware.

According to a Tuesday blog post by Forcepoint, whose threat intelligence feeds uncovered the threat, the mysterious campaign is reminiscent of the Turla group, a Russian APT that notably infected U.S. Central Command in 2008. However, Forcepoint cannot confirm that the threat group, also known as Snake, Uroburos, Venomous Bear and Krypton, is actually the culprit in this case.

The adversaries compromised targeted websites by injecting them with malicious code designed to perform reconnaissance on site visitors and determine whether or not to infect them with a malicious payload. Forcepoint has been unable to determine the exact nature of this malware, although Kaspersky Lab noted in a Securelist blog post last week that Turla is known as "an agile, very dynamic and innovative APT, leveraging many different families of malware, satellite-based command and control servers and malware for non-Windows OSes."

The four embassies known to have been compromised by this campaign all operate in Washington DC, and belong to the countries of Iraq, Jordan, Russia and Zambia. The foreign ministries known to have been targeted are based in Kyrgyzstan, Moldova and Uzbekistan.

"One could speculate many possible intentions, but it does seem as though the attacker may be identifying weaknesses in the security of the websites targeted or seeking to understand users of those embassy sites," said Carl Leonard, principal security analyst at Forcepoint Security Labs, in an email interview with SC Media. Leonard noted that typical website visitors would likely include "government officials working in those embassies, or those looking to do business in those countries."

Three Austrian bodies – a political party, a government-run sustainability group and a sports association – also had their websites compromised during this campaign. Websites operated by a Somalian news outlet, a Spain-based socialist organization, a French international cooperation organization, an African union, an African plant society and a Ukrainian road safety organization were affected as well. Forcepoint alerted the admins responsible for all of the above sites.

Kaspersky noted in its blog post that Turla has a history of targeting Ukraine, EU-related institutions, governments of EU countries, global Ministries of Foreign Affairs and media companies.

The adversaries attempted to disguise their code injections by hiding them amongst additional code belonging to the web analytics service Clicky, reported Forcepoint, noting that Turla employs the same technique using Google Analytics scripts. The code is designed to profile site visitors through fingerprinting and an IP target list to determine whether or not to redirect them to a landing site where the malicious payload is downloaded.
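A site-owner's integrity check for the injection pattern described above, added here as an example and not code from the article or from Forcepoint: it collects every script tag on a served page, accepts only an allowlisted analytics host (static.getclicky.com is assumed to be Clicky's script host), and flags scripts that reference the campaign domains named in this article or that combine visitor profiling with a redirect. The HTML sample is constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article, refanged so they match against markup.
CAMPAIGN_DOMAINS = {"nbcpost.com", "epsoncorp.com",
                    "mentalhealthcheck.net", "travelclothes.org"}
# Hosts this site is expected to load scripts from (assumption for the demo).
ALLOWED_SCRIPT_HOSTS = {"static.getclicky.com"}
# Inline traits matching the described behaviour: fingerprinting plus a redirect.
PROFILING_HINTS = ("navigator.", "screen.", "plugins")
REDIRECT_HINTS = ("location.href", "location.replace", "document.location")

class _ScriptCollector(HTMLParser):
    """Gathers external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.externals, self.inlines, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.externals.append(src)
            else:
                self._in_script = True
                self.inlines.append("")
    def handle_data(self, data):
        if self._in_script:
            self.inlines[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_scripts(html):
    """Return (reason, evidence) findings for scripts that look injected."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.externals:
        if "//" not in src:
            continue  # same-origin path, covered by normal file integrity checks
        host = urlparse(src).hostname or ""
        if host in CAMPAIGN_DOMAINS:
            findings.append(("known campaign domain", src))
        elif host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("script host not on allowlist", src))
    for code in p.inlines:
        if any(d in code for d in CAMPAIGN_DOMAINS):
            findings.append(("inline reference to campaign domain", code.strip()[:60]))
        elif any(h in code for h in PROFILING_HINTS) and any(r in code for r in REDIRECT_HINTS):
            findings.append(("inline profiling plus redirect", code.strip()[:60]))
    return findings

# Constructed page: an (assumed) Clicky embed followed by an injected redirect.
SAMPLE_HTML = """<script async src="//static.getclicky.com/js"></script>
<script>var clicky_site_ids = clicky_site_ids || []; clicky_site_ids.push(12345);</script>
<script>if(navigator.userAgent && screen.width>800){document.location="http://nbcpost.com/r";}</script>"""
```

Run `audit_scripts` over pages as your web server actually serves them, not over the files on disk, since an injection can live in a template, a plugin or a CDN edge rather than in the page source.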

"We did not manage to replicate the payload in the timeframe in which we performed the analysis, thus allowing us to deduce [that] there is a very specific algorithm deciding whether to deliver the payload or not," said Leonard. 

The actors behind the campaign have used such malicious domains as nbcpost[.]com, epsoncorp[.]com, mentalhealthcheck[.]net, and travelclothes[.]org, and even updated their domains as recently as this week. (The first domain linked to the campaign was registered in December 2015.)

Kaspersky Lab reported via Securelist that Turla actors "have increased their activity significantly" in recent months, noting the recent discovery of a malicious JavaScript-based backdoor malware called KopiLuwak that is designed to avoid detection.

"We assess with high confidence this new JavaScript will be used more heavily in the future as a stage-one delivery mechanism and victim profiler," the Securelist blog post warns.