Infected Afghan Government Websites Dole out Chinese Malware to Visitors

Government (Foreign) // Kabul, Afghanistan

Researchers discovered that a tampered JavaScript file hosted on "gov.af" websites was being used to serve malicious content to visitors, and no antivirus product was known to detect the malware at the time.

Rich Barger, chief intelligence officer of cybersecurity firm ThreatConnect, says the campaign, "Operation Poisoned Helmand," is linked to the "Poisoned Hurricane" campaign detected this summer by another security firm, FireEye, that tied it to Chinese intelligence.

"The latest attack was very recent and one timestamp associated with the Java file was from Dec. 16, the same day Chinese Prime Minister Li Keqiang met with Afghanistan's chief executive officer, Abdullah Abdullah, in Kazakhstan," according to Reuters.

The intrusion was a "watering-hole" attack: by compromising websites their targets are likely to visit, the perpetrators infect a large number of visitors and then follow up on the most "promising" hits, such as Afghan leaders, to extract data.

The malware was found on numerous Afghan government websites, including the ministries of justice, foreign affairs, education, commerce and industry, finance and women's affairs, and the Afghan embassy in Canberra, Australia.

By late Dec. 21, it appeared that the malicious Java file had either been inactivated by the attackers or removed by the Afghan government.