
State-sponsored hackers using watering hole attacks to ensnare businesses

17 Jul 2013

State-sponsored hackers are using watering hole attacks to hijack trusted websites and transform them into Frankenstein malware distribution tools.

The issue was uncovered by security firm Context and its chief executive Mark Raeburn said there had been a marked increase in the number of attacks targeting businesses, confirming hackers have hit websites belonging to big name firms, such as Information Handling Services (IHS).

"In this case the predatory tiger was a state-sponsored attacker and the prey was the target companies visiting the site," he said. "Our Response Team picked up traffic beaconing activity from a remote access Trojan (RAT) known as PlugX, which gives an attacker control over a compromised host and is suspected of being attributable to one of the more aggressive and active Chinese state-sponsored groups."

Context senior consultant Nick Mazitelli told V3 the news is particularly troubling as many of the affected companies hold military and government contracts or operate in areas of critical infrastructure. Mazitelli said the sophistication of the attack, combined with the atypical use of a watering hole rather than basic phishing, is also problematic.

“The key difference with the watering hole method of attack is the breadth of organisations potentially affected by it. Using a popular website in this manner means that a large number of organisations can be attacked and compromised in a short amount of time. However, for individual organisations that may have been compromised by the attack the outcome remains the same: a determined, aggressive and capable attacker on their network and the potential loss of sensitive or confidential information,” he said.
“Once the compromise progresses beyond this initial attack, i.e. once the attacker has developed a foothold through the watering hole, the compromise will progress in much the same way as it would following the use of attack methods that have been more prevalent historically, for example phishing emails. So the potential damage remains at the same high level, with a capable attacker expanding their control of the compromised network and harvesting sensitive information.”

Context reported the change in tactic also indicates the new campaign is state sponsored. The firm highlighted a group known as both “FlowerLady” and “FlowerShow” as the most likely suspect. The group is believed to be of Chinese origin and has a track record of mounting opportunistic attacks on Western companies with economic, technological or military significance.

Raeburn said many of the infected sites have already been wiped clean and it is unclear how many web users have fallen victim to the campaign. He added that the threat can be readily mitigated if companies implement up-to-date security practices and protection tools.

"Phishing campaigns are often seen as the primary, or only, avenue of compromise when it comes to targeted attacks, but companies need to be more aware of the threat from alternative vectors such as watering hole attacks and take measures to identify malicious activity and mitigate the risks, regardless of the source," said Raeburn.

"Better awareness and activity monitoring, including information from across the network and down to the level of individual PCs, is vital and should be combined with a robust programme of proactive security improvement."
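The "traffic beaconing activity" Context's Response Team picked up is a detectable pattern: a compromised host contacting the same external address at regular intervals. As an added illustration, not from the article or from Context's own tooling, the Python below scores connection regularity over constructed proxy log lines; the log format, hosts and thresholds are all assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the article): timestamp, source host, destination.
# 10.0.0.5 polls one external host roughly every 60 s with little jitter (RAT-style beaconing);
# 10.0.0.9 browses irregularly to several hosts, as a normal user would.
SAMPLE_LOG = """\
2013-07-17T09:00:00 10.0.0.5 203.0.113.10
2013-07-17T09:00:03 10.0.0.9 198.51.100.7
2013-07-17T09:01:01 10.0.0.5 203.0.113.10
2013-07-17T09:01:45 10.0.0.9 198.51.100.8
2013-07-17T09:02:00 10.0.0.5 203.0.113.10
2013-07-17T09:02:59 10.0.0.5 203.0.113.10
2013-07-17T09:03:30 10.0.0.9 198.51.100.7
2013-07-17T09:04:01 10.0.0.5 203.0.113.10
2013-07-17T09:05:00 10.0.0.5 203.0.113.10
2013-07-17T09:07:12 10.0.0.9 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Group connection timestamps by (source, destination) pair from the assumed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, dst = m.groups()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_events=5, max_jitter=0.1):
    """Flag pairs whose inter-connection gaps are regular: the coefficient of
    variation (stdev / mean) of the gaps is at or below max_jitter."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_events:
            continue  # too few events to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_jitter:
            hits.append((src, dst, round(mean, 1), round(cv, 3)))
    return hits
```

Real beacons add random sleep jitter, so in practice the threshold is tuned per environment and combined with destination reputation and the rarity of the destination across the fleet.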

The attack is one of many detected this year that are believed to be state sponsored. The South Korean government recently reported uncovering evidence linking North Korea to a wave of attacks on its networks.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
