Russian group using Witchcoven supercookies to profile government workers

State sponsored group using supercookies to profile government rivals

Over 100 websites have been compromised in a suspected Russian-led campaign designed to scoop up the web browsing data of government workers, a FireEye report has revealed.

The report, titled Pinpointing Targets: Exploiting Web Analytics to Ensnare Victims, uncovered evidence that a nation state actor is using so-called “supercookies”, persistent identifiers that survive a routine clearing of browser cookies, to tag visitors’ browsers, collecting their browsing activity and their computer and browser configuration with the aim of identifying vulnerable software.

“Witchcoven executes in the background without the user’s knowledge, capturing the visitor’s computer and browser configuration and placing a highly persistent tracking cookie on their computer,” the FireEye report explains.

The attackers inject a small malicious script into legitimate websites. It redirects the visitor’s browser, with no visible prompt, to a third party site under their control, where the profiling script, dubbed Witchcoven, runs silently.

Cookies are small identifiers that a website stores in a visitor’s browser. They are conventionally used to keep track of sessions and, in targeted marketing, to link a visitor’s browsing history and purchasing patterns across visits.

Jens Monrad, consulting systems engineer at FireEye, told V3 that Witchcoven was discovered after the research team analysed a batch of web analytics code and found suspicious activity.

“[Witchcoven] was appearing to be a Google Analytics code when in fact it was a JavaScript that was re-directing visitors to a third-party website that would then use supercookies to ensure they were able to track whoever was visiting these websites,” he explained.

A wide variety of websites across numerous sectors, including energy, education and finance, was affected; however, most had some connection to government activity.

“Over 50 percent of the websites were either directly or indirectly having a relationship with a global government,” Monrad said. “Over half were affiliated with embassies or ministries of foreign affairs and some were also providing visa services.”

Yet despite this focus on users engaged in government-related activities, Monrad said that the FireEye team had not detected any malicious payloads being delivered to the users being profiled, and that the main purpose behind the compromises appears to be reconnaissance.

However, the team speculates the tool will eventually be used to construct tailored malware against unwitting victims.

“The attacker would be able to extract what sort of operating system, what browser, and what Flash version the victim was running. Then, of course, you can also speculate that in the event of a targeted attack the attacker will now know what to exploit,” Monrad told V3.

Furthermore, FireEye’s researchers believe the available evidence points to a nation state, with the Russian government the suspected sponsor.

“We believe it’s a nation state based on the websites that were compromised and based on the fact a number of the compromised websites the attackers were snooping on were located in Georgia and Ukraine,” Monrad said.

“We saw global compromise across the world and it would have to be a fairly large nation.”

The report notes that the attackers appear to be focusing on US and European internet users.

“We believe that the compromised websites indicate the threat actors are especially interested in collecting data from executives, diplomats, government officials, and military personnel, particularly those in the US and Europe,” the report states.

“The compromised websites would attract visitors involved in international travel, diplomacy, energy production and policy, and international economics, as well as those serving in foreign governments – all individuals that would likely have information pertinent to a state’s strategic interests.”

Meanwhile, the FireEye researchers predict that the collected browsing information will be used for follow-on exploitation and spear phishing, and could even be used to build a large database of targets.

In July, Russian hackers were found to be using a backdoor called Hammertoss that, in similar fashion to Witchcoven, used legitimate internet platforms for malicious purposes.

Hammertoss, used by a group called APT29, abused platforms including Twitter, GitHub and cloud-based storage services to relay commands and extract data from compromised networks.


23 November 2015 | 3:51 pm
