The news was big: Afghan Government websites attacked by Chinese
hackers, as reported by an American cyber security research company. Local
newspapers and TV stations started talking about the issue as if our country had
been attacked and intruded upon by China! The National Security Council began
investigating the issue. What happened later on, none of us really knows!
While everyone was talking about the attack that happened, nobody
tried to see how the attack happened and what led to this event. Here I am
sharing what I think went wrong.
Firstly, what happened with the government websites is not
something I would call an attack. It wasn't an attack, nothing was damaged; it
was just one or two lines of JavaScript code that redirected users to some
other websites (yet to be confirmed after getting a copy of that script). This
is something I would blame on the contractor who developed the government
websites.
So, how could a piece of JavaScript code be inserted into
the JavaScript code libraries? Afghan Government websites are developed on
a custom-made Content Management System (CMS). The CMS allows each
government entity running its website in the National Data Center to manage
it online: add new content, update existing content, and so on. Each government
client manages its website based on a pre-designed template given to it by
the web development contractor. All the designs have one thing in common, their
basic look and feel (CSS styles etc.) and functionality, and hence they use
a single standard CSS and JavaScript library shared by all websites, hosted in the so-called
CDN (I call it Content Delivery Network; MCIT calls it Centralized
Network Delivery).
Somehow, that malicious piece of JavaScript code got into the
shared JavaScript library, and because every government website loads that same
file, the code is loaded on the client machine of anyone browsing any of those
websites: one modified file reaches the visitors of every site at once.
Now, depending on what exactly the payload of the script was, it would do
something, perhaps track the user, download malicious code onto the client PC, or
something else. From the nature of the script, I could certainly say that it
wasn't something that could go deep into the National Data Center and do any harm
or steal any data. Under one condition it could compromise the ANDC-hosted
data: if the client machine which accessed the government websites got infected
by some sort of malware, thus opening it up for outsiders to access.
Now, let's see what options could lead an outsider to
place that JavaScript code within the JavaScript library of ANDC. We have a few
options:
Option 1. There was a bug in the government CMS which let the
attacker push JavaScript code into the JavaScript library. The chances
of this option are extremely low. As far as I know, the CMS is secure except for a
few minor vulnerabilities, most of which are already patched.
Before going to the next options, let me tell you about a
special type of malware that, if installed on a machine, is able to automatically
append itself to JavaScript, CSS and HTML files. I have noticed this a lot,
as we host hundreds of websites in Afghanistan, and a few of our customers'
computers were infected that way, which led them to upload infected HTML, JS and
CSS files to our servers; these were later detected by our antivirus and
antimalware scanners. So now let's get back to the next options:
Option 2. The ANDC staff computers were infected by the same
type of malware described above, which led to the JavaScript files being
infected. This could be a possible option if ANDC could confirm whether
their staff have access to update the JavaScript and CSS code of the government
CMS or not. From what I know, most likely not: for any design and
structural changes, which means having access to the JavaScript, HTML code and CSS
of the CMS, government employees have to contact the web development
contractor.
Option 3. The computers of the web development contractor's
staff were infected with the same type of malware, which caused the malicious code
to be appended to the JavaScript library that was later uploaded to
ANDC's servers. This is the most likely of the three scenarios.
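The Option 3 path (an infected workstation appends a redirect to the shared library, and the modified file is then uploaded to the CDN) can be caught with two cheap checks before or after upload. The Python script below is an added example, not code from the original post or from ANDC or the contractor: it verifies the deployed library against its known-good hash (the same "sha384-..." token format that browsers use for Subresource Integrity), isolates the appended tail, and scans for the kind of redirect or loader code such payloads typically contain. The two library samples, the redirect line and the pattern list are constructed for illustration and are assumptions, not the actual script from the incident.

```python
import base64
import hashlib
import hmac
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample: the shared library as the contractor originally shipped it.
CLEAN_LIB = (
    "function showMenu(id){document.getElementById(id).style.display='block';}\n"
    "function hideMenu(id){document.getElementById(id).style.display='none';}\n"
)

# Constructed sample: the same file after a file-infecting malware on a developer
# workstation appended a one-line redirect (hypothetical host, not a real one).
INFECTED_LIB = CLEAN_LIB + "window.location.href='http://example.invalid/landing';\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity token ('sha384-<base64 digest>') for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(content: bytes, expected: str) -> bool:
    """True if content hashes to the expected token (constant-time comparison)."""
    algo = expected.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(content, algo), expected)


def appended_payload(clean: str, deployed: str) -> Optional[str]:
    """If deployed is clean plus appended text, return the appended tail; else None.

    This models the append-only behaviour the post describes; any other kind of
    modification still fails verify_integrity() but is not isolated here.
    """
    if deployed.startswith(clean) and len(deployed) > len(clean):
        return deployed[len(clean):]
    return None


# Patterns typical of injected redirect/loader code. Assumed for illustration;
# a real deployment would tune these to the library's own legitimate code.
SUSPICIOUS_PATTERNS = [
    (r"\b(?:window|document|top|self)\.location(?:\.href)?\s*=", "location redirect"),
    (r"\blocation\.(?:replace|assign)\s*\(", "location redirect call"),
    (r"document\.write\s*\(\s*['\"]\s*<(?:script|iframe)", "document.write of script/iframe"),
    (r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?0\b", "zero-size iframe"),
    (r"\beval\s*\(\s*(?:unescape|atob)\s*\(", "eval of decoded blob"),
]


def scan_for_injection(content: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, excerpt) for every line matching a suspicious pattern."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for pattern, label in SUSPICIOUS_PATTERNS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((lineno, label, line.strip()[:80]))
    return findings


def check_asset(deployed: bytes, expected_sri: str) -> dict:
    """Combine both checks for one asset, as a pre-upload or post-deploy gate would."""
    text = deployed.decode("utf-8", errors="replace")
    return {
        "integrity_ok": verify_integrity(deployed, expected_sri),
        "findings": scan_for_injection(text),
    }


def check_tree(root: Path, manifest: Dict[str, str]) -> Dict[str, dict]:
    """Run check_asset over a manifest of relative path -> expected SRI token under root."""
    return {rel: check_asset((root / rel).read_bytes(), token) for rel, token in manifest.items()}


if __name__ == "__main__":
    expected = sri_hash(CLEAN_LIB.encode())
    print("expected token:", expected)
    for name, lib in (("clean", CLEAN_LIB), ("infected", INFECTED_LIB)):
        result = check_asset(lib.encode(), expected)
        print(name, "integrity_ok =", result["integrity_ok"], "findings =", result["findings"])
    print("appended tail:", repr(appended_payload(CLEAN_LIB, INFECTED_LIB)))
```

The hash check belongs in the contractor's release step (record the token when the library is built, re-check it on the CDN after every upload); the pattern scan is a second net for files that were never in a manifest. If the site templates also referenced the shared library with a `<script src="..." integrity="sha384-...">` attribute, browsers would refuse to execute a copy whose hash no longer matches, so a modified library would fail closed on the client instead of redirecting visitors.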
Now, going back and reviewing the case, one can say that such
attacks happen mainly due to two major reasons, which are common in Afghanistan:
1. Use of pirated software: Thanks to China, Pakistan and Iran, we get tonnes of pirated
software in the local market. Nobody cares to even think about what sort of malware
that software comes preinstalled with when they install those operating
systems on their computers. Most private companies and even government offices
run pirated software, which leads to infected computers right from the point of
installation.
2. Pirated or cracked antivirus, or no proper antivirus at all: Most users in Afghanistan do
not use proper antivirus solutions. They get cracked antivirus solutions online
or from the same pirated software distributors in Afghanistan. Most of the
time, these cracked antivirus packages can themselves carry malware,
worms and viruses.
Now what can we do to stop this? The government, private
companies and even individuals should start enforcing bans on pirated
software. Licensed and clean antivirus solutions should be used, particularly
as most of these users go online and face the threat of thousands of malicious
scripts that may be hosted on the websites they browse.
Overall, I would blame poor information security practice by the
end users more than the possibility of weak ANDC security!
I would invite all information security professionals to share
their ideas on what they think about this. I am a beginner when it comes to
information security, so please do correct me if I am wrong.