Pierluigi Paganini December 26, 2014

Chinese hackers brought down all major Afghanistan Government websites by hacking an official CDN network used in the country.

The experts of the ThreatConnect Intelligence Research Team (TCIRT) recently reported the operation, dubbed Operation Helmand, run by a group of Chinese hackers that attacked the entire Afghan government web network. The hackers allegedly used a targeted cross-site scripting (XSS) “drive-by” attack on the principal Content Delivery Network (CDN) used in Afghanistan.

The CDN platforms are an essential component for publishing on the web, they allow to  dynamically deliver web content to public and private entities. Compromising a CDN it is possible to reach a wide audience, for this reason they represent a privileged target for threat actors.

An attacker can exploit a CDN platform for example to serve malicious content and compromise visitor’ systems.

In the specific case, the attackers run a targeted cross-site scripting (XSS) “drive-by” attack that leveraged a single CDN to spread a malicious Java applet through the major Afghanistan websites.

The hacking campaign reportedly hit the network run by Afghan Ministry of Communications and IT (MCIT), the attackers used a JavaScript to compromised the CDN available at the following URL: [http:]//cdn.afghanistan[.]af/scripts/gop-script.js

“The domain cdn.afghanistan[.]af is a legitimate CDN site used by the Afghan Ministry of Communications and IT (MCIT) to host web content that is displayed and used on many official gov.af websites.” reportes a blog post published by the ThreatConnect.com.

The hackers have brought down the websites of the main Afghan government agencies, including Education, Finance, Foreign Affairs, Justice and Women’s Affairs, and foreign websites that receive contents from the same CDN like the Australian embassy. Below the list of affected websites:

• [http:]//canberra.afghanistan[.]af/en (Afghan Embassy in Canberra, Australia)
• [http:]//herat.gov[.]af/fa (Herat Province Regional Government)
• [http:]//mfa.gov[.]af/en (Ministry of Foreign Affairs)
• [http:]//moci.gov[.]af/en (Ministry of Commerce and Industries)
• [http:]//moe.gov[.]af/en (Ministry of Education)
• [http:]//mof.gov[.]af/en (Ministry of Finance)
• [http:]//moj.gov[.]af/fa (Ministry of Justice)
• [http:]//mowa.gov[.]af/fa (Ministry of Women’s Affairs)
• [http:]//oaacoms.gov[.]af/fa (Office of Administrative Affairs and Council of Ministers)

The experts speculate that the Chinese Intelligence adopted a watering hole technique because it is looking with great interest to the Afghanistan after the US and NATO have reduced their troops in the country.

“As the US and NATO reduce their troop levels in Afghanistan, China is posturing to fill the gap of influence that the west is leaving behind. With plans to facilitate multilateral peace talks with the Taliban and establish major transportation projects which aim to bolster the Afghan economy, Beijing has been eyeing Afghanistan as part of its broader South Asian strategy.” continues the post.

The researchers collected evidences that the watering hole attacks coincided with a meeting on infrastructure development and bilateral cooperation in Kazakhstan between China’s Prime Minister Li Keqiang and Afghanistan’s government chief executive officer Abdullah Abdullah.

The researchers, analyzing the EXIF metadata of the image of Keqiang meeting, discovered that the image used to serve the malware was modified a few hours after it appeared to be taken at the meeting.

The Operation Helmand is quite similar to other attacks observed in South East Asia, the experts noticed also many similarities with another watering hole attack uncovered this summer, when a malicious Java file was served on the website of the Greece embassy in Beijing during a diplomatic meeting to Athens.

Pierluigi Paganini

(Security Affairs –  Operation Helmand, CDN, Afghanistan)