Washington - Malicious software likely linked to China was used to infect visitors to a wide range of official Afghan government websites, US cyber security researchers say.
ThreatConnect, a Virginia-based cyber security firm, said its researchers last week found a corrupted JavaScript file that was used to host content on "gov.af" websites, and there are no known antivirus protections available for the malware.
Rich Barger, chief intelligence officer of ThreatConnect, said his company was confident the new campaign, "Operation Poisoned Helmand", was linked to the "Poisoned Hurricane" campaign detected this year by another security firm, FireEye, that linked it to Chinese intelligence.
He said the latest attack was very recent and one timestamp associated with the Java file was from 16 December, the same day Chinese Prime Minister Li Keqiang met with Afghanistan's chief executive officer, Abdullah Abdullah in Kazakhstan.
China is seeking to take a more active role in Afghanistan as the US and Nato reduce their military presence.
"We found continued activity from Chinese specific actors that have used the Afghan government infrastructure as an attack platform," Barger said, adding that Chinese intelligence could use the malware to gain access to computer users who had checked the Afghan government sites for information.
Greek attack
Barger said the attack was a variant of what he called a typical "watering-hole" attack in which the attackers infect a large number of victims, and then follow up with the most "promising" hits to extract data.
He said researchers in 2014 saw a malicious Java file on the website of the Greek embassy in Beijing while a high-level delegation led by Keqiang was visiting Greek Prime Minister Antonis Samaras in Athens.
The two events were not directly related, Barger said, and additional research was needed into the status of ministerial and official government websites on or around the dates of notable Chinese delegations and or bilateral meetings.
In this case, the malware was created on 13 December, just days before the high-level meeting, Barger said.
The malware was found on numerous Afghan government websites, including the ministries of justice, foreign affairs, education, commerce and industry, finance and women's affairs, and the Afghan embassy in Canberra, Australia, according to ThreatConnect, which was formerly known as Cyber Squared.
By late on Sunday, Barger said it appeared that the malicious Java file had either been inactivated by the attackers or "cleaned up" by the Afghan government.