A recent string of Web site hacks at Amnesty International and other NGOs is evidence of a campaign of cyber espionage directed against human rights organizations, according to a report from The Shadowserver Foundation.
In a report on Tuesday, the Foundation said that its members had witnessed an increase in what it termed “strategic web compromises” in recent weeks. The attacks are designed to target a specific population likely to visit those Web sites, rather than distribute malware far and wide, and include attacks on Web sites for Amnesty International, the Center for Defense Information and other sites in Asia, Europe and North America.
The attacks use exploits for newly disclosed vulnerabilities in Adobe Flash and Java. Shadowserver said that, at the time of the report, several “high profile websites are still compromised and serving the most recent Flash exploit.” That vulnerability (CVE-2012-0779) was patched by Adobe in early May and was linked to a series of targeted attacks, the company said. Among those Web sites were the Center for Defense Information, Amnesty International Hong Kong, and the Cambodian Ministry of Foreign Affairs ASEAN, Shadowserver said on Monday. Visiting one of those sites “can initiate a chain reaction in which malicious code is loaded from multiple websites and results in a system compromise for vulnerable systems without other mitigating factors,” the group warned.
The report is supported by anecdotal evidence of a campaign of compromises on sites affiliated with human rights groups. Web properties belonging to Amnesty were targeted in recent weeks, and in December 2011. In the most recent attacks, a Web property affiliated with Amnesty’s Hong Kong branch was found to be serving up a copy of the GhostRAT Trojan horse program to those who visited the site. The same program was used in targeted attacks on Free Tibet activists within and outside China, as well as the Tibetan Government in Exile in March.
The Shadowserver Foundation, a volunteer group of Internet security professionals that tracks malware and botnet activity, said that the Amnesty attacks suggest advanced persistent threat (APT) type actors. They are just part of a much larger campaign of targeted attacks. Rather than financial profit, the attackers seek communications, research and development (R&D), intellectual property (IP), and business intelligence, the group said.