Government Agencies, Utilities Among Targets of 'VOHO' Cyber-Spy Attacks

An analysis of a cyber-espionage attack finds that a stealthy Trojan infected nearly 1,000 organizations using the uncommon "waterhole" attack.  

The computer systems of nearly 1,000 companies, government agencies and nonprofit organizations were compromised in a cyber-espionage operation that used semi-targeted attacks—known as waterhole attacks—to infect systems within certain industries, such as international finance, utilities, defense and government contractors, security firm RSA stated in a report released on Sept. 26.

The campaign, dubbed VOHO by RSA, compromised Websites whose audiences lived in specific regions—near Boston and Washington, D.C., or whose audiences sought out specific types of information, such as political activism, defense or education. In an analysis of the attacks, security giant RSA found that more than 32,000 systems were redirected from compromised Web servers and, of those systems, 12 percent were infected with the malicious software.

Such an attack strategy is known as a "waterhole" operation. Attackers identify Websites that their intended targets are likely to visit and then compromise those sites with code designed to redirect visitors to another server that attempts to infect the victim's computer.

"They are casting a wide net in hopes that by doing so, they are going to impact a number of entities, but most importantly, the targets have relevance to what they are looking for," said Will Gragido, advanced threat intelligence lead for the FirstWatch team at RSA.

The attacks installed a remote access Trojan, known as Gh0st RAT, previously identified in cyber-espionage attacks against religious and political organizations and technology companies. In the case of the latest operation, the remote-access Trojan was installed by what appeared to be an update for Microsoft or Symantec software, the report stated.

Drive-by attacks typically have a 5 to 10 percent success rate, so the 12 percent infection rate is high, Gragido said. There are a number of factors that could be responsible for the higher infection rate. Victims that trust the compromised Website or service may be more likely to take risky actions that could get their systems infected, he said. In addition, exploit kits that use exploits for vulnerabilities in Java typically have better success rates than those that use older vulnerabilities. About half the exploits used in the VOHO attack targeted Java, according to RSA data.

The attacks compromised a large number of companies, mainly in the financial, health care, and utilities sectors. A large number of local and federal government agencies were also impacted. While RSA did not find traces of the information stolen from the organizations, the collection of targets suggest that the attack may be nation-state related, Gragido said.

"Based on our research, we were not able to establish what they were after in respect to the targets," he said. "One could, however, say that—based on the targets of interest—it was a cyber-espionage operation."

The compromised computers communicated with command-and-control servers in Hong Kong, RSA said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...