Headquartered in Arlington, Virginia, ThreatConnect Inc. said its researchers discovered the corrupted file last week, Reuters reported. The file is being used to host content on “gov.af” sites, and there is currently no antivirus protection that will counteract the malware.
Rich Barger, ThreatConnect’s chief intelligence officer, told Reuters his company is sure the so-called Operation Poisoned Helmand campaign is linked to the so-called Poisoned Hurricane campaign that was found last summer by another cybersecurity firm, FireEye Inc., which attributed it to a Chinese intelligence service.
Barger said the latest attack may have happened as recently as Dec. 16, the same day China’s Prime Minister Li Keqiang met with Afghanistan’s CEO Abdullah Abdullah.
China hopes to take a more active role in Afghanistan as the U.S. and NATO wind down their military operations in the country.
“We found continued activity from Chinese specific actors that have used the Afghan government infrastructure as an attack platform,” Barger told Reuters. He said Chinese intelligence could use the malware to access a range of global targets using government sites for information.
Barger called it a “watering-hole” attack: employing this method, the attackers obtain information from a number of victims and then follow up by extracting even more data from them.
The discovery of the malware on Afghan government websites came in the wake of a recent cyberattack on the Sony Pictures Entertainment computer network in the U.S. Since Nov. 24, the hack has exposed the content of Sony emails, data on executive salaries and personal information about employees, as well as copies of as-yet-unreleased films made by the company.