Croatian Government Targeted By Mystery Hackers

Uploaded on 2019-07-16 in TECHNOLOGY--Hackers, GOVERNMENT-National, FREE TO VIEW

A mysterious hacker group has targeted, and most likely infected, Croatian government employees between February and April this year. Attackers, which are suspected to be a state-sponsored unit, have targeted victims using a spear-phishing campaign that mimicked delivery notifications from the Croatian postal or other retail services.

Emails contained a link to a remote website with a lookalike URL, where users were asked to download an Excel document.
The document was laced with malicious code packed as a macro script which appeared to have been largely copied off the internet, from various tutorials or open source projects hosted on StackOverflow.com, Dummies.com, Issuu.com, Rastamouse.me, or GitHub.com.

The macro script, if enabled by the victim, would download and install malware on their systems. Two different sets of malware payloads were detected during these attacks.

  • The first was the Empire backdoor, a component of the Empire post-exploitation framework, a penetration testing utility. 
  • The second was SilentTrinity, another post-exploitation tool, similar to the first.

In a presentation at the Positive Hack Days (PHDays) security conference in May, Alexey Vishnyakov, a Senior Specialist in Threat Analysis for cyber-security firm Positive Technologies, said this was the first time when a malicious threat actor had weaponised the SilentTrinity tool in an active malware distribution campaign.

While they went under the radar for two months, the phishing attacks were eventually detected in early April. The Information Systems Security Bureau (ZSIS), the central state authority responsible for the cyber-security of the Republic of Croatia state bodies, issued two separate alerts about the attacks.

The state cyber-security agency shared indicators of compromise, such as file names, registry keys, URLs, and IP addresses for the attackers' command and control (C&C) servers, asking state agencies to check logs and scan computers for potential infections.

"The Croatian Post has already taken steps to remove the malicious web sites and servers, but both malware versions are currently active," the agency said. "With this malware, attackers can take control over a computer and execute arbitrary commands under the authority of the user who opened the XLS file and enabled to execute the macro commands."

In a report published on the 5th July 2019, Vishnyakov pointed out certain connections between the C&C servers used in this campaign targeting Croatian government agencies and past malware distribution operations.

The most important is a FireEye report about hackers using a WinRAR vulnerability to infect government targets in Ukraine with the same Empire backdoor, and using the same C&C server. While FireEye never attributed those attacks to a specific hacker group, the targeting of the Ukrainian government is specific to Russian threat actors, who have been targeting the country's officials and government agencies since 2014, when Russian troops invaded the Crimean-peninsula.

While Vishnyakov refrained from attributing these attacks to a specific threat actor, the researcher did note that "the available data on hosts, addresses, and domains used-as well as the high number of connections between them-suggests a large-scale malicious effort."

ZDNet:

You Migt Also Read: 

Cyberwar Vs. Traditional Conflict:

 

 

 

 

« Vietnam’s Top Hacking Group Uses Sloppy Code
AI Solves Beatles Songwriting Dispute »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NATO Cooperative Cyber Defence Centre (CCDCOE)

NATO Cooperative Cyber Defence Centre (CCDCOE)

NATO CCDCOE's mission is to enhance the capability, cooperation and information sharing among NATO, NATO nations and partners in cyber defence.

Gigamon

Gigamon

Gigamon provides intelligent Traffic Visability solutions that provide unmatched visbility into physical & birtual networks without affecting the performance or stability of production environments.

Quality Professionals (Q-Pros)

Quality Professionals (Q-Pros)

QPros are a recognized leader in providing full-cycle software quality assurance and application testing services.

Howden Broking Group

Howden Broking Group

Howden provides a range of specialist insurance solutions to clients around the world including Cyber Liability insurance.

Optimal IdM

Optimal IdM

Optimal IdM is a leading global provider of identity management solutions and services.

Hitachi Systems Security

Hitachi Systems Security

Hitachi Systems Security provides customized services for monitoring and protecting the most critical and sensitive IT assets in our clients’ infrastructures 24/7.

Advanced Systems International SAC

Advanced Systems International SAC

Advanced Systems international is a global company dedicated to data security software design, development, support, and licensing.

Techfusion

Techfusion

Techfusion is a cyber security research and consulting firm focusing on digital forensics and data recovery.

Flatt Security

Flatt Security

Flatt Security is a cyber security startup based in Japan providing security assessments and other cyber security services.

Execweb

Execweb

Execweb are a cybersecurity executive network, comprised of 400+ security practitioners who work at Fortune 500 and SME companies.

PointWire

PointWire

PointWire offers a range of cybersecurity solutions and services including Penetration Testing on various levels, as well as Intrusion Detection and Prevention Systems.

Crygma

Crygma

CRYGMA Quantum-Resistant Cryptographic Machines, the new standard in data encryption.

Frontal

Frontal

Frontal is a specialized unit in Blockchain and Web3.0 cybersecurity. Securing Digital Assets, Cryptocurrency, DeFi, Blockchain and Web3.0 ecosystem.

Vigilant Ops

Vigilant Ops

Vigilant Ops is a leader in Software Bill of Materials (SBOM) Automation. A proactive approach to cybersecurity with continuous vulnerability monitoring.

Judy Security

Judy Security

Judy (formerly AaDya Security) provides smart, simple, effective, all-in-one cybersecurity for SMBs. Get the 24/7 protection and support you deserve, at a price you can afford.

Jersey Cyber Security Centre (JCSC)

Jersey Cyber Security Centre (JCSC)

Jersey Cyber Security Centre is the jurisdiction's Cyber Emergency Response Team (CERT) and national technical authority for cyber security.