On 29 March 2017 the German Federal Office for Information Security (BSI) said in a statement that the website of Israeli newspaper Jerusalem Post was manipulated and linked to a harmful third party. Below is a Google translation of the statement:
“After the cyber attack on the German Bundestag in 2015, some protective functions that the BSI has established for government networks have also been adopted by the German Bundestag for its own networks. Since the beginning of January 2017, the BSI, as the national cyber security agency, has been in close contact with the German Bundestag, due to the network traffic of the German Bundestag. At the request of the German Bundestag the BSI analyzed these problems in network traffic. The technical analyzes have been completed. The website of the Jerusalem Post was manipulated and linked to a harmful third party. Within the framework of the analyzes, however, the BSI has not discovered any malicious software; infections are also not known to the BSI.”
As part of our monitoring of Iranian threat agents activities, we have detected that since October 2016 and until the end of January 2017, the Jerusalem Post, as well as multiple other Israeli websites and one website in the Palestinian Authority were compromised by Iranian threat agent CopyKittens. Based on the time-frame and nature of the compromises, we estimate with high certainty that the statement by German Federal Office for Information Security refers to the same incidents.
Watering hole attacks
Specifically from this URL: https://js.jguery[.]net/jquery.min.js
Below are screenshots of infected website’s source code showing jguery[.]net being loaded (click images to enlarge).
Jerusalem post website (www.jpost.com):
Maariv – website of a national daily newspaper published in Israel (www.maariv.co.il)
The Israeli Defense Force Disabled Veterans Organization website (inz.org.il)
The Palestinian Ministry of Health (www.moh.gov.ps)
(loaded a from a similar malicious domain – jguery[.]online):
The student personal info log-in page of Tel Aviv University (www.ims.tau.ac.il)
This was captured by PassiveTotal as can be seen in the screenshot below or in the following analysis page: https://passivetotal.org/search/jguery.net.
By the time we examined the website the malicious code was removed.
Source of the compromise?
While monitoring online hacking communities, we identified that in October 2016 an actor sold access to the management panel of a server belonging to an Israeli hosting company. This server hosted the Jerusalem Post and Maariv, among other websites.
We estimate with medium certainty, that the attackers bought access to the server in order to deploy the malicious code.
Indicators of compromise
Other parts of this campaign were revealed recently by Domaintools.
Domains in use by CopyKittens: