Cyber Incident Victim: President of Myanmar
Date: Jun 2021
Location: Myanmar
Summary
The Myanmar president's website was compromised to distribute malware through a manipulated font package, which delivered a backdoor trojan linked to a suspected Chinese state-sponsored hacking group. The malware, which connected to a command-and-control server, shared characteristics with earlier spear-phishing campaigns targeting Myanmar entities, suggesting an advanced cyber-espionage operation. This incident mirrors a prior compromise of the presidency's site, which previously hosted EvilGrab malware. The website was still distributing the malicious font package at the time of reporting.
Description
On June 2, 2021, Slovak cybersecurity firm ESET identified a backdoor trojan embedded within a Myanmar Unicode font package available for download on the official website of the Myanmar president’s office. The malware, designed to establish communication with a command-and-control server at IP address 95.217.1[.]81, functioned as a loader to facilitate further malicious activity. Forensic analysis revealed code similarities between this loader and malware samples previously deployed in spear-phishing campaigns targeting Myanmar entities, including archives named “NUG Meeting Report.zip,” “Proposed Talking Points for ASEAN-Japan Summit.rar,” “MMRS Geneva,” “2021-03-11.lnk,” and “MOHS-3-covid.rar.” Researchers attributed these tactics to an advanced cyber-espionage operation with technical overlaps to tools used by Mustang Panda (also tracked as RedEcho or Bronze President), a Chinese state-sponsored threat group historically focused on Myanmar-related targets. The attackers compromised the presidency’s website to host a watering hole attack, manipulating the font package to distribute the backdoor. ESET noted this marked a deviation from Mustang Panda’s typical reliance on spear-phishing emails, indicating adaptation in operational methods.

This incident represented the second known compromise of the Myanmar president’s website for malware distribution. Between November 2014 and May 2015, suspected Chinese state-linked actors had similarly exploited the site to disseminate EvilGrab malware, underscoring recurring targeting of the platform for espionage. As of June 2, 2021, the website remained actively compromised, with the malicious font package still accessible to visitors. ESET advised against downloading or installing the compromised software due to persistent infection risks but did not disclose remediation efforts by Myanmar authorities. The operation demonstrated sustained interest in Myanmar’s political infrastructure by sophisticated actors, leveraging trusted government resources to deliver payloads aligned with strategic intelligence-gathering objectives.
