Government Agencies, Utilities Among Targets of 'VOHO' Cyber-Spy Attacks
An analysis of a cyber-espionage attack finds that a stealthy Trojan infected nearly 1,000 organizations using the uncommon "waterhole" attack.
The computer systems of nearly 1,000 companies, government agencies and nonprofit organizations were compromised in a cyber-espionage operation that used semi-targeted attacks—known as waterhole attacks—to infect systems within certain industries, such as international finance, utilities, defense and government contractors, security firm RSA stated in a report released on Sept. 26.
The campaign, dubbed VOHO by RSA, compromised Websites whose audiences lived in specific regions (near Boston and Washington, D.C.) or whose audiences sought out specific types of information, such as political activism, defense or education. In an analysis of the attacks, security giant RSA found that more than 32,000 systems were redirected from compromised Web servers and, of those systems, 12 percent were infected with the malicious software.
Such an attack strategy is known as a "waterhole" operation. Attackers identify Websites that their intended targets are likely to visit and then compromise those sites with code designed to redirect visitors to another server that attempts to infect the victim's computer.
"They are casting a wide net in hopes that by doing so, they are going to impact a number of entities, but most importantly, the targets have relevance to what they are looking for," said Will Gragido, advanced threat intelligence lead for the FirstWatch team at RSA.
The attacks installed a remote access Trojan, known as Gh0st RAT, previously identified in cyber-espionage attacks against religious and political organizations and technology companies. In the case of the latest operation, the remote-access Trojan was installed by what appeared to be an update for Microsoft or Symantec software, the report stated.