The visitors of several official Afghan government websites might have had their devices infected with malware after a threat group believed to have ties to China compromised the sites through a content delivery network (CDN), a new report has revealed.
Chinese threat actors have often been suspected of targeting the systems of high-profile organizations in the United States. However, according to a report from threat intelligence company ThreatConnect, China-based groups appear to be targeting other countries as well.
The list of affected websites includes the Afghan Embassy in Canberra, Australia, the Ministry of Foreign Affairs, the Ministry of Education, the Ministry of Justice, the Office of Administrative Affairs and Council of Ministers, the Ministry of Commerce and Industries, the Ministry of Finance, and the Ministry of Women’s Affairs.
A similar incident was spotted this summer when the website of the embassy of Greece in Beijing was compromised just as China’s prime minister visited his Greek counterpart in Athens.
While some might argue that these were just coincidences, experts have also found links between the attack on Afghan government websites and other campaigns that have been tied to China, including Operation Poisoned Hurricane. Similarities also exist between the malware and the notorious PlugX RAT, a threat often used by Chinese advanced persistent threat (APT) actors, including against targets in Afghanistan.
“As the US and NATO reduce their troop levels in Afghanistan, China is posturing to fill the gap of influence that the west is leaving behind. With plans to facilitate multilateral peace talks with the Taliban and establish major transportation projects which aim to bolster the Afghan economy, Beijing has been eying Afghanistan as part of its broader South Asian strategy,” ThreatConnect explained in a blog post.
“By exploiting and co-opting Afghan network infrastructure that is used by multiple ministerial level websites, Chinese intelligence services would be able to widely distribute malicious payloads to a variety of global targets using Afghanistan’s government websites as a topical and trusted distribution platform, exploiting a single hidden entry point,” the security firm said. “This being a variant of a typical ‘watering-hole’ attack, the attackers will most likely infect victims outside the Afghan government who happened to be browsing any one of the CDN client systems, specifically, partner states involved in the planned troop reduction.”