All the latest UK technology news, reviews and analysis


State-sponsored hackers using watering hole attacks to ensnare businesses

17 Jul 2013
Security padlock image

State-sponsored hackers are using watering hole attacks to hijack trusted websites and transform them into Frankenstein malware distribution tools.

The issue was uncovered by security firm Context and its chief executive Mark Raeburn said there had been a marked increase in the number of attacks targeting businesses, confirming hackers have hit websites belonging to big name firms, such as Information Handling Services (IHS).

"In this case the predatory tiger was a state-sponsored attacker and the prey was the target companies visiting the site," he said. "Our Response Team picked up traffic beaconing activity from a remote access Trojan (RAT) known as PlugX, which gives an attacker control over a compromised host and is suspected of being attributable to one of the more aggressive and active Chinese state-sponsored groups."

Context senior consultant Nick Mazitelli told V3 the news is particularly troubling as many of the companies have military and government contracts or are involved in areas of critical infrastructure. Mazitelli said the sophistication of the attack combined with the atypical user of watering hole, as opposed to basic phishing, is also problematic.

“The key difference with the watering hole method of attack is the breadth of organisations potentially affected by it. Using a popular website in this manner means that a large number of organisations can be attacked and compromised in a short amount of time. However, for individual organisations that may have been compromised by the attack the outcome remains the same: a determined, aggressive and capable attacker on their network and the potential loss of sensitive or confidential information,” he said.
 
“Once the compromise progresses beyond this initial attack, i.e. once the attacker has developed a foothold through the watering hole, the compromise will progress in much the same way as it would following the use of attack methods that have been more prevalent historically, for example phishing emails. So the potential damage remains at the same high level, with a capable attacker expanding their control of the compromised network and harvesting sensitive information.”
 
Context reported the change in tactic also indicates the new campaign is state sponsored. The firm highlighted a group known as both “FlowerLady” and “FlowerShow” as the most likely suspect. The group is believed to be of Chinese origin and has a track record of mounting opportunistic attacks on Western companies with economic, technological or military significance.

Raeburn said many of the infected sites have already been wiped clean and is unclear how many web users have fallen victim to the scam. He said added that the threat can easily be mitigated if companies implement up-to-date security practices and protection tools.

"Phishing campaigns are often seen as the primary, or only, avenue of compromise when it comes to targeted attacks, but companies need to be more aware of the threat from alternative vectors such as watering hole attacks and take measures to identify malicious activity and mitigate the risks, regardless of the source," said Raeburn.

"Better awareness and activity monitoring, including information from across the network and down to the level of individual PCs, is vital and should be combined with a robust programme of proactive security improvement."

The attack is one of many believed to be state sponsored detected this year. The South Korean government recently reported uncovering evidence linking North Korea to a wave of attacks on its networks.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?
20%
13%
5%
21%
29%
12%

Popular Threads

Powered by Disqus
Galaxy S5 vs Xperia Z2 home screen

Xperia Z2 vs Galaxy S5

We break down the strengths and weaknesses of the two Android heavyweights

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv33

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery

rdc2

iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

SAS Insight Analyst / Macro / Base / SQL Server

SAS Insight Analyst / Macro / Base / SQL Server...

Design & Implementation Network Engineer – CCNP / CCIP / MPLS

Cisco Design & Implementation Network Engineer at...

Application Support Analyst (Technical Support, Trading System)

Application Support Analyst (Technical Support, Trading...

IT Business Partner

Are you an excellent communicator capable of working...
To send to more than one email address, simply separate each address with a comma.