Cyber Incident Victim: Croatian government
Date: Feb 2019
Location: Croatia
Summary
A state-sponsored hacking group targeted government employees through a spear-phishing campaign impersonating postal and retail services, delivering malicious Excel documents via deceptive links. The macros within these documents deployed two post-exploitation tools: the known Empire backdoor and the previously unseen SilentTrinity malware, marking its first active use in attacks. Upon execution, the malware enabled attackers to take control of compromised systems and execute arbitrary commands under user privileges. The campaign remained undetected for months before being identified, prompting the national cybersecurity authority to issue alerts with indicators of compromise for system checks. Connections were observed between the command-and-control infrastructure used in these attacks and prior operations targeting Ukrainian government entities with similar tools, though no explicit attribution was made. The incident highlighted a coordinated effort leveraging publicly available code and infrastructure overlaps.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Between February and April 2019, Croatian government employees were targeted in a spear-phishing campaign by a suspected state-sponsored hacker group. Attackers impersonated Croatian postal and retail services, sending emails containing links to fraudulent websites designed to mimic legitimate delivery notification portals. These sites prompted users to download Excel documents laden with malicious macro scripts. Analysis revealed the scripts were largely assembled from publicly available code snippets sourced from platforms like StackOverflow, GitHub, Issuu, Rastamouse.me, and Dummies.com. When enabled, the macros deployed one of two post-exploitation frameworks onto victim systems: the Empire backdoor, part of a known penetration testing toolkit, or a previously unseen malware payload called SilentTrinity. This marked the first documented use of SilentTrinity in active attacks, as disclosed during a May 2019 presentation at the Positive Hack Days conference. The malware granted attackers full control over compromised computers, enabling arbitrary command execution under the privileges of the user who activated the macro.

The Croatian Information Systems Security Bureau (ZSIS) detected the campaign in early April 2019 and issued two alerts containing technical indicators of compromise, including malicious filenames, registry keys, URLs, and command-and-control server IP addresses. Authorities instructed government agencies to scan systems and review logs for infections. Croatian Post took steps to dismantle fraudulent websites and servers linked to the campaign, though both malware variants remained operational at the time of reporting. Investigators identified infrastructure overlaps with earlier attacks, notably a FireEye-documented campaign exploiting a WinRAR vulnerability to distribute the Empire backdoor against Ukrainian government targets using identical C&C servers. While no formal attribution was made, the Ukrainian targeting pattern aligned with historical Russian cyber operations dating to the 2014 Crimea invasion. Researchers emphasized the campaign’s scale through interconnected domains, hosts, and infrastructure, but refrained from conclusively identifying the responsible threat actor.
