Share

Malware targets visitors to Afghan gov websites

Washington - Malicious software likely linked to China was used to infect visitors to a wide range of official Afghan government websites, US cyber security researchers say.

ThreatConnect, a Virginia-based cyber security firm, said its researchers last week found a corrupted JavaScript file that was used to host content on "gov.af" websites, and there are no known antivirus protections available for the malware.

Rich Barger, chief intelligence officer of ThreatConnect, said his company was confident the new campaign, "Operation Poisoned Helmand", was linked to the "Poisoned Hurricane" campaign detected this year by another security firm, FireEye, that linked it to Chinese intelligence.

He said the latest attack was very recent and one timestamp associated with the Java file was from 16 December, the same day Chinese Prime Minister Li Keqiang met with Afghanistan's chief executive officer, Abdullah Abdullah in Kazakhstan.

China is seeking to take a more active role in Afghanistan as the US and Nato reduce their military presence.

"We found continued activity from Chinese specific actors that have used the Afghan government infrastructure as an attack platform," Barger said, adding that Chinese intelligence could use the malware to gain access to computer users who had checked the Afghan government sites for information.

Greek attack

Barger said the attack was a variant of what he called a typical "watering-hole" attack in which the attackers infect a large number of victims, and then follow up with the most "promising" hits to extract data.

He said researchers in 2014 saw a malicious Java file on the website of the Greek embassy in Beijing while a high-level delegation led by Keqiang was visiting Greek Prime Minister Antonis Samaras in Athens.

The two events were not directly related, Barger said, and additional research was needed into the status of ministerial and official government websites on or around the dates of notable Chinese delegations and or bilateral meetings.

In this case, the malware was created on 13 December, just days before the high-level meeting, Barger said.

The malware was found on numerous Afghan government websites, including the ministries of justice, foreign affairs, education, commerce and industry, finance and women's affairs, and the Afghan embassy in Canberra, Australia, according to ThreatConnect, which was formerly known as Cyber Squared.

By late on Sunday, Barger said it appeared that the malicious Java file had either been inactivated by the attackers or "cleaned up" by the Afghan government.

We live in a world where facts and fiction get blurred
Who we choose to trust can have a profound impact on our lives. Join thousands of devoted South Africans who look to News24 to bring them news they can trust every day. As we celebrate 25 years, become a News24 subscriber as we strive to keep you informed, inspired and empowered.
Join News24 today
heading
description
username
Show Comments ()
Rand - Dollar
19.00
-0.3%
Rand - Pound
24.08
+0.1%
Rand - Euro
20.59
-0.0%
Rand - Aus dollar
12.36
+0.5%
Rand - Yen
0.13
+0.7%
Platinum
902.95
+0.1%
Palladium
998.75
-0.7%
Gold
2,152.67
-0.4%
Silver
24.90
-0.6%
Brent Crude
86.89
+1.8%
Top 40
65,873
-0.6%
All Share
72,094
-0.5%
Resource 10
53,208
-0.2%
Industrial 25
99,450
-1.0%
Financial 15
16,627
+0.0%
All JSE data delayed by at least 15 minutes Iress logo
Company Snapshot
Editorial feedback and complaints

Contact the public editor with feedback for our journalists, complaints, queries or suggestions about articles on News24.

LEARN MORE
Government tenders

Find public sector tender opportunities in South Africa here.

Government tenders
This portal provides access to information on all tenders made by all public sector organisations in all spheres of government.
Browse tenders