Date: Jan 2019
Location: Armenia

Summary

A government ministry website in Artsakh was compromised as part of a watering hole campaign attributed to the Turla APT group, targeting multiple Armenian entities including diplomatic and financial organizations. Attackers injected malicious JavaScript into the site to deliver a fake Adobe Flash update, deploying previously undocumented malware such as NetFlash (a .NET downloader) and PyFlash (a Python-based backdoor) to execute commands, collect system information, and establish persistence on victim machines. The operation relied on social engineering rather than exploits, selectively profiling visitors through browser fingerprinting and persistent tracking cookies to deploy payloads for espionage purposes.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The Turla advanced persistent threat group compromised the Armenian Ministry of Nature Protection and Natural Resources website (mnp.nkr.am) as part of a strategic web compromise campaign active since at least January 2019. Attackers gained unauthorized access to the website's infrastructure and injected obfuscated JavaScript code into the jquery-migrate.min.js library file, enabling redirection of visitors to a malicious domain (skategirlchina.com). This secondary domain delivered fingerprinting scripts that deployed persistent tracking cookies across multiple browser storage mechanisms, collecting system information including installed plugins, screen resolution, and OS details. Visitors matching targeting criteria received a fraudulent Adobe Flash Player update prompt via an injected iframe, which social-engineered users into downloading malicious executables disguised as legitimate installers. Between January and August 2019, successful compromises installed the Skipper backdoor—a known Turla malware variant documented since 2017—which communicated with command-and-control infrastructure hosted on the same skategirlchina.com domain under /wp-includes/ms-locale.php. The malware executed alongside legitimate Adobe Flash binaries to maintain the illusion of authenticity.


In late August 2019, Turla operators shifted tactics by deploying new .NET-based malware (NetFlash) followed by a Python-based backdoor (PyFlash). NetFlash downloaders retrieved PyFlash payloads from hardcoded IP addresses and established persistence through scheduled tasks. The PyFlash backdoor, compiled via py2exe, represented Turla's first documented use of Python in operational malware. It executed system reconnaissance commands (systeminfo, tasklist, ipconfig) and exfiltrated results via AES-encrypted HTTP communications to predetermined C2 servers. ESET telemetry indicated highly selective targeting, with only a limited number of visitors receiving the final payload. The campaign remained active until November 2019 when skategirlchina.com ceased malicious operations. ESET researchers coordinated with the Armenian national CERT team to disclose findings prior to public reporting in March 2020, though specific remediation actions by website operators weren't detailed in available sources. The compromise enabled sustained surveillance of government personnel accessing critical Armenian institutional websites over an eleven-month period.
