Cybersecurity: This password-stealing hacking campaign is targeting governments around the world

Researchers uncover a phishing campaign attempting to steal login credentials from government departments across North America, Europe and Asia - and nobody knows who is behind it.

How to protect yourself from a worldwide password-stealing campaign

A mysterious new phishing campaign is targeting government departments and related business services around the world in cyberattacks that aim to steal the login credentials from victims.

In total, the phishing attacks have targeted at least 22 different potential victim organisations in countries including the United States, Canada, China, Australia, Sweden and more. All of the attacks involve emails claiming to be related to the targeted government agencies and all of them attempt to trick victims into clicking an email link that asks for their username and password.

Anyone who enters their login credentials into the spoofed government agency websites will give cyber criminals access to their account.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

The campaign has been discovered and detailed by cybersecurity researchers at Anomali; but while it's clear a lot of work has gone into what researchers describe as a 'persistent' campaign, it's unclear who is behind the attacks or what their ultimate motivations are. It could be an effort to conduct corporate espionage.

"It could be that the adversaries are trying to gain access to potential bidders to undercut the competition or to compromise government suppliers for more long-term gain," Sara Moore, cyber-threat intelligence analyst at Anomali, told ZDNet.

The majority of the attacks focus on government departments, but a small percentage also target procurement and logistics firms related to the targets.

The country in which the largest number of these attacks have been seen is the United States with the U.S. Department of Energy, U.S. Department of Commerce and U.S. Department of Veterans Affairs among those targeted.

Those behind the attacks have been careful to create unique lures for each of their targets, using phishing emails containing a lure document purporting to be related to bidding and procurement activity of the department. In each case, the phishing email is written in the native language of the target department's country.

For example, a phishing email targeting the U.S. Department of Commerce claims to contain information related to bidding on commercial products and services, with the target encouraged to open a lure document. The document contains an embedded link, which the target is encouraged to click through to – and it's this that leads to one of the phishing websites.

Like the email and document lures, the phishing website is designed to look like the real one used by the agency or company that's being targeted. These websites have legitimate names, information and documents used by the target in an effort to appear more authentic and avoid suspicion by the user.

While it isn't known what sort of cyber-criminal operation is behind the spoofed websites and associated phishing campaigns, the domains are being hosted in Turkey and Romania. However, although that location doesn't reveal who could be behind the attacks – because the attackers could set up phishing sites from any county in the world and could use any country to host the domains. During Anomali's investigation, a total of 62 domains and 122 phishing websites were uncovered.

SEE: How to spot a phishing email [CNET]

Researchers have notified the relevant CERTs (Computer Emergency Response Teams), informing them about the attacks – although it's currently unknown if the attackers have managed to make away with any stolen credentials.

However, there are things that organisations in all sectors can do in an effort to protect themselves from this campaign or any other phishing attack.

"Organisations should make sure they have access to threat intelligence and research that provides details about the existence of these types of attacks. They should have the ability to integrate intelligence and research into their security infrastructures to enable detection, blocking, and response," said Moore.

"Security-awareness training that teaches employees how to spot and report suspicious phishing email is also crucial," she added.

The full list of known targets as well as the Indicators of Compromise are detailed in the Anomali research paper about the campaign.

MORE ON CYBER SECURITY