Government Agencies, Utilities Among Targets in ‘VOHO’ Cyber-Spy Attack | eWeek

Government Agencies, Utilities Among Targets of ‘VOHO’ Cyber-Spy Attacks

Government Agencies, Utilities Among Targets of ‘VOHO’ Cyber-Spy Attacks
Écrit par
Robert Lemos
Robert Lemos
Sep 27, 2012
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

The computer systems of nearly 1,000 companies, government agencies and nonprofit organizations were compromised in a cyber-espionage operation that used semi-targeted attacks—known as waterhole attacks—to infect systems within certain industries, such as international finance, utilities, defense and government contractors, security firm RSA stated in a report released on Sept. 26.

The campaign, dubbed VOHO by RSA, compromised Websites whose audiences lived in specific regions—near Boston and Washington, D.C., or whose audiences sought out specific types of information, such as political activism, defense or education. In an analysis of the attacks, security giant RSA found that more than 32,000 systems were redirected from compromised Web servers and, of those systems, 12 percent were infected with the malicious software.

Such an attack strategy is known as a “waterhole” operation. Attackers identify Websites that their intended targets are likely to visit and then compromise those sites with code designed to redirect visitors to another server that attempts to infect the victim’s computer.

“They are casting a wide net in hopes that by doing so, they are going to impact a number of entities, but most importantly, the targets have relevance to what they are looking for,” said Will Gragido, advanced threat intelligence lead for the FirstWatch team at RSA.

The attacks installed a remote access Trojan, known as Gh0st RAT, previously identified in cyber-espionage attacks against religious and political organizations and technology companies. In the case of the latest operation, the remote-access Trojan was installed by what appeared to be an update for Microsoft or Symantec software, the report stated.

Drive-by attacks typically have a 5 to 10 percent success rate, so the 12 percent infection rate is high, Gragido said. There are a number of factors that could be responsible for the higher infection rate. Victims that trust the compromised Website or service may be more likely to take risky actions that could get their systems infected, he said. In addition, exploit kits that use exploits for vulnerabilities in Java typically have better success rates than those that use older vulnerabilities. About half the exploits used in the VOHO attack targeted Java, according to RSA data.

The attacks compromised a large number of companies, mainly in the financial, health care, and utilities sectors. A large number of local and federal government agencies were also impacted. While RSA did not find traces of the information stolen from the organizations, the collection of targets suggest that the attack may be nation-state related, Gragido said.

“Based on our research, we were not able to establish what they were after in respect to the targets,” he said. “One could, however, say that—based on the targets of interest—it was a cyber-espionage operation.”

The compromised computers communicated with command-and-control servers in Hong Kong, RSA said.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.