News release

Date: 17th July 2013

Beware the Crouching Tiger at the Watering Hole says Context

State sponsored hackers turn to stalking tactics to snare prey

London, UK - July 17th, 2013. Researchers at Context Information Security warn that watering hole cyber attacks are increasingly being used by state sponsored hackers to compromise large target groups within the same industries. Rather than chasing victims with spear phishing techniques, attackers compromise popular trusted websites to trap visitors and infect their machines with malware.

While Facebook, Apple and Twitter are among the major names that have already fallen victim to watering hole attacks, Context is seeing more activity aimed at commercial and financial sites. Researchers recently detected an attack on the website that belongs to US-based Information Handling Services Inc., the parent company to Jane's Information Group - one of the preeminent sources of information and analysis on military and intelligence matters; Global Insights – a well-established player in financial, economic and political analysis; and Cambridge Energy Research Associates (CERA) – advisers to companies and governments on energy and geopolitics.

“In this case the predatory tiger was a state sponsored attacker and the prey was the target companies visiting the site,” explained Mark Raeburn, CEO at Context. “Our Response Team picked up traffic beaconing activity from a Remote Access Trojan (RAT) known as PlugX, which gives an attacker control over a compromised host and is suspected of being attributable to one of the more aggressive and active Chinese state-sponsored groups.”

When users visited the compromised website, a Java archive, signed with a fake certificate bearing the legitimate company's name, was downloaded onto the victim's machine. This redirected the user to a malicious domain that downloaded and executed the PlugX executable, and within ten seconds the RAT started receiving commands and sending data to a third, attacker-controlled, domain.
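One way to hunt for the three-stage chain just described in web proxy logs, as an added example that is not Context's own tooling and contains none of the indicators from this incident: the script groups requests per client and looks for a JAR download, followed shortly by an executable fetched from a second host, followed by repeated contact with a third host within seconds. The log lines are constructed, the domain names are placeholders, and the time windows and beacon count are assumed thresholds to be tuned to your own estate.

```python
"""Flag the three-stage watering-hole chain described above in web proxy logs.

Added illustrative detector, not Context's tooling. The log lines are
constructed and the domain names are placeholders (not the real
infrastructure from the IHS incident); the time windows and beacon
threshold are assumed values a practitioner would tune to their estate.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log: "<iso-timestamp> <client> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
2013-07-10T09:00:01 10.0.0.5 GET http://watering-hole.example/news/index.html 200 text/html
2013-07-10T09:00:02 10.0.0.5 GET http://watering-hole.example/js/stats.jar 200 application/java-archive
2013-07-10T09:00:03 10.0.0.5 GET http://redirect.example/update.exe 200 application/x-msdownload
2013-07-10T09:00:09 10.0.0.5 POST http://c2.example/update 200 application/octet-stream
2013-07-10T09:00:10 10.0.0.5 POST http://c2.example/update 200 application/octet-stream
2013-07-10T09:00:11 10.0.0.5 POST http://c2.example/update 200 application/octet-stream
2013-07-10T09:00:12 10.0.0.5 POST http://c2.example/update 200 application/octet-stream
2013-07-10T09:05:00 10.0.0.7 GET http://watering-hole.example/news/index.html 200 text/html
2013-07-10T09:05:30 10.0.0.7 GET http://cdn.example/lib.jar 200 application/java-archive
2013-07-10T09:30:00 10.0.0.9 GET http://intranet.example/tools/setup.exe 200 application/x-msdownload
"""

JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
EXE_TYPES = {"application/x-msdownload", "application/vnd.microsoft.portable-executable"}


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    host: str
    path: str
    ctype: str


def parse_log(text):
    """Parse the constructed log layout into Event records (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, _status, ctype = line.split()
        url_parts = urlparse(url)
        events.append(Event(datetime.fromisoformat(ts), client, method,
                            url_parts.hostname, url_parts.path, ctype))
    return events


def is_jar(e):
    return e.ctype in JAR_TYPES or e.path.lower().endswith(".jar")


def is_exe(e):
    return e.ctype in EXE_TYPES or e.path.lower().endswith(".exe")


def find_chains(events, exe_window=timedelta(seconds=60),
                beacon_window=timedelta(seconds=30), min_beacons=3):
    """Return (client, jar_host, exe_host, c2_host) for each client whose
    traffic shows: JAR download -> executable from a second host within
    exe_window -> at least min_beacons requests to a third host within
    beacon_window of the executable (the 'within ten seconds' beaconing)."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e.client].append(e)

    chains = []
    for client, evs in sorted(by_client.items()):
        evs.sort(key=lambda e: e.ts)
        for i, jar in enumerate(evs):
            if not is_jar(jar):
                continue
            # Stage 2: an executable fetched from a different host shortly after the JAR.
            for j in range(i + 1, len(evs)):
                exe = evs[j]
                if exe.ts - jar.ts > exe_window:
                    break
                if not is_exe(exe) or exe.host == jar.host:
                    continue
                # Stage 3: repeated contact with a host that is neither the
                # watering hole nor the dropper host, soon after the executable.
                hits = defaultdict(int)
                for b in evs[j + 1:]:
                    if b.ts - exe.ts > beacon_window:
                        break
                    if b.host not in (jar.host, exe.host):
                        hits[b.host] += 1
                for c2_host, n in hits.items():
                    if n >= min_beacons:
                        chains.append((client, jar.host, exe.host, c2_host))
                        break
    return chains


if __name__ == "__main__":
    for chain in find_chains(parse_log(SAMPLE_LOG)):
        print("possible watering-hole infection: client=%s jar=%s dropper=%s c2=%s" % chain)
```

In the sample only the first client completes all three stages; the second fetches a JAR but nothing follows it, and the third fetches an installer with no preceding JAR, so neither is flagged. Proxy-reported content types are attacker-controlled, which is why the helpers also match on file extension; if you keep response bodies, matching on magic bytes (a ZIP header for the JAR, MZ for the executable) is more robust still, and the signing certificate on any flagged JAR is worth pulling for the fake-name check the release describes.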

For one major FTSE 250 company infected by the watering hole attack, Context was able to track down seven other hosts, spread across four countries, that had been successfully compromised. Further investigation showed that, over the time elapsed since the attack, anti-virus software had cleaned up six of the seven compromised hosts, an unusually high success rate for AV when it comes to targeted attacks.

Context believes that some of this increased watering hole attack activity is driven by nation state or associated actors. In this particular instance the watering hole is likely to have been set up by a group referred to as ‘FlowerLady’ or ‘FlowerShow’, thought to be Chinese in origin and state-sponsored, as opposed to managed directly by the Chinese state. This group is not known to be affiliated with any particular organisation and attacks Western companies on an opportunistic basis, looking for information of economic, technological or military significance which can be passed on to the Chinese state or to Chinese companies for further exploitation.

The site has now been cleaned up and is no longer a watering hole threat, but it is unclear how many visitors were compromised, or how many still remain infected. “Phishing campaigns are often seen as the primary, or only, avenue of compromise when it comes to targeted attacks, but companies need to be more aware of the threat from alternative vectors such as watering hole attacks and take measures to identify malicious activity and mitigate the risks, regardless of the source,” said Mark Raeburn, CEO at Context. “Better awareness and activity monitoring, including information from across the network and down to the level of individual PCs, is vital and should be combined with a robust programme of proactive security improvement.”

Context has published more information about the watering hole attack at:

About Context
Context was launched in 1998 and has a client base that includes some of the world’s most high profile blue chip companies, alongside government organisations. An exceptional level of technical expertise underpins all Context services, while a detailed and comprehensive approach helps clients to attain a deeper understanding of security vulnerabilities, threats or incidents. Many of the world's most successful organisations turn to Context for technical assurance, incident response and investigation services. Context is also at the forefront of research and development in security technology.

As well as publishing white papers and blogs addressing current and emerging security threats and trends, Context consultants are frequently invited to present at open and closed industry events around the world. Context delivers a comprehensive portfolio of advanced technical services and with offices in the UK, Germany and Australia, is ideally placed to work with clients worldwide.

For more information for editors, please contact:
Peter Rennison / Allie Andrews
PRPR, Tel + 44 (0)1442 245030 / + 44 (0)7831 208109
pr[at]prpr[dot]co[dot]uk / allie[at]prpr[dot]co[dot]uk
