If close proximity to hackers and organized crime is to be considered
as a contributing factor to having your site get owned -- which isn't
always likely to be the case in this world of distributed attacks --
than IT workers at the office of the U.S. Consulate General in St.
Petersburg shouldn't feel too badly that it happened to them, as
embarrassing as it might be.
According to those ever-vigilant researchers over at Sophos, based on
their examination of some cached Web page data, that's exactly what
happened earlier this week.
In the incident that the AV company is reporting, which it identified
as part of a larger campaign the hijack vulnerable Web servers based
in Russia, hackers were able to load malware code onto the consulate
site for an undetermined amount of time before someone discovered the
problem and fixed it (to their credit).
Sophos reported that by scanning cached versions of the consulate's
site, it found that cyber-criminals of some kind had planted a
malicious program known as Mal/ObfJS-C on the site that then
subsequently attempted to load additional malware from a remote server
using the program.
The attack reportedly included an additional piece of malware script
that attempted to exploit several Web browser vulnerabilities to
install a Trojan horse program on the computers of site visitors that
could potentially be used to steal data.
In total, more than 400 Web pages worldwide have been attacked in a
similar fashion in only the last week, according to Sophos'
estimates.
Sophos chief analyst/research guru Ron O'Brien noted that government
agencies are coming under fire from malware attackers on a more
frequent basis these days.
"Over the last few months we have seen a multitude of high profile
organizations and government agencies come under attack by cyber-
criminals; the frequency of these attacks is alarming and signifies
that any organization, no matter the size or stature, is a target for
hackers and malicious activity," he said in a research summary.
After hearing Xerox security mastermind David Drab's stories about his
time working for the FBI in eastern Europe during the 1990s and the
flood of hacking talent he saw move from the KGB and other former
Soviet intelligence agencies into organized crime, it's not that
surprising that the region has become a malware hotbed, but St.
Petersburg, formerly Leningrad, is truly making a name for itself as a
sort of capital for this type of activity.
Most notably the area has become known as the home of the ever-
industrious Russian Business Network, a group of professional hackers
who reportedly operate out of an office building in the city much like
a legitimate company would.
RBN is believed to be the group behind the creation, or at least the
rapid distribution, of the MPack malware development toolkit. MPack
has become one of the most widely-used toolkits on the underground
market, according to researchers, and has recently been linked to
attacks on banking sites in India and the massive attack on over
10,000 Italian Web sites dubbed by analysts as the "Italian Job."
So, here's hoping that U.S. consulate workers can find a way to
prevent such attacks from taking over their sites in the future. But,
at the end of the day, the big story has to be that someone needs to
stop RBN and the other St. Pete hacker gangs from taking over the
world (wide Web).
More details of this Mal/ObfJS-C virus:
http://www.sophos.com/security/analyses/malobfjsc.html