All the latest UK technology news, reviews and analysis


State-sponsored hackers using watering hole attacks to ensnare businesses

17 Jul 2013
Security padlock image

State-sponsored hackers are using watering hole attacks to hijack trusted websites and transform them into Frankenstein malware distribution tools.

The issue was uncovered by security firm Context and its chief executive Mark Raeburn said there had been a marked increase in the number of attacks targeting businesses, confirming hackers have hit websites belonging to big name firms, such as Information Handling Services (IHS).

"In this case the predatory tiger was a state-sponsored attacker and the prey was the target companies visiting the site," he said. "Our Response Team picked up traffic beaconing activity from a remote access Trojan (RAT) known as PlugX, which gives an attacker control over a compromised host and is suspected of being attributable to one of the more aggressive and active Chinese state-sponsored groups."

Context senior consultant Nick Mazitelli told V3 the news is particularly troubling as many of the companies have military and government contracts or are involved in areas of critical infrastructure. Mazitelli said the sophistication of the attack combined with the atypical user of watering hole, as opposed to basic phishing, is also problematic.

“The key difference with the watering hole method of attack is the breadth of organisations potentially affected by it. Using a popular website in this manner means that a large number of organisations can be attacked and compromised in a short amount of time. However, for individual organisations that may have been compromised by the attack the outcome remains the same: a determined, aggressive and capable attacker on their network and the potential loss of sensitive or confidential information,” he said.
 
“Once the compromise progresses beyond this initial attack, i.e. once the attacker has developed a foothold through the watering hole, the compromise will progress in much the same way as it would following the use of attack methods that have been more prevalent historically, for example phishing emails. So the potential damage remains at the same high level, with a capable attacker expanding their control of the compromised network and harvesting sensitive information.”
 
Context reported the change in tactic also indicates the new campaign is state sponsored. The firm highlighted a group known as both “FlowerLady” and “FlowerShow” as the most likely suspect. The group is believed to be of Chinese origin and has a track record of mounting opportunistic attacks on Western companies with economic, technological or military significance.

Raeburn said many of the infected sites have already been wiped clean and is unclear how many web users have fallen victim to the scam. He said added that the threat can easily be mitigated if companies implement up-to-date security practices and protection tools.

"Phishing campaigns are often seen as the primary, or only, avenue of compromise when it comes to targeted attacks, but companies need to be more aware of the threat from alternative vectors such as watering hole attacks and take measures to identify malicious activity and mitigate the risks, regardless of the source," said Raeburn.

"Better awareness and activity monitoring, including information from across the network and down to the level of individual PCs, is vital and should be combined with a robust programme of proactive security improvement."

The attack is one of many believed to be state sponsored detected this year. The South Korean government recently reported uncovering evidence linking North Korea to a wave of attacks on its networks.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

Windows 10 poll

What are your first impressions of Windows 10?
12%
5%
10%
4%
20%
3%
46%

Popular Threads

Powered by Disqus
V3 Sungard roundtable event - Cloud computing security reliability and scalability discussion

CIOs debate how to overhaul businesses for the digital era

V3 hosts roundtable with Sungard Availability Services

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Account Manager - Partners - Birmingham / UK travel

Account Manager - Partners - Birmingham / UK travel...

Technical Support Technician II

Title: Technical Support Technician II Employment Type...

Technical Support Technician I

Title: Technical Support Technician I Department: Client...

Administrator - Projects & Training

Administrator - Projects & Training Location...
To send to more than one email address, simply separate each address with a comma.