Cyber Incident Victim: tracking.dgip.gov[.]pk
Date: Mar 2019
Location: Pakistan
Summary
A Pakistani government passport application tracking site was compromised to deliver the ScanBox reconnaissance framework, which logged visitors' keystrokes and harvested their machine information directly through browser-executed JavaScript without requiring malware installation. The attackers leveraged an evolved version of the tool, historically associated with groups like Stone Panda and LuckyMouse, which additionally attempted to detect the presence of 77 security, decompression, and virtualization products on victims' systems. This incident enabled covert data collection from users interacting with the compromised platform.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Pakistani government website tracking.dgip.gov[.]pk, operated by the Directorate General of Immigration & Passports for passport application tracking, was compromised to deliver the ScanBox reconnaissance framework to visitors. The intrusion, discovered by Trustwave's SpiderLabs Research team and publicly reported on March 14, 2019, involved attackers injecting malicious JavaScript code into the site to enable keystroke logging and system information harvesting without requiring malware installation on victim devices. The ScanBox framework executed automatically in visitors' browsers, capturing typed input and collecting detailed machine information from users accessing the passport tracking service. This specific ScanBox variant also attempted to detect the presence of 77 endpoint security, decompression, and virtualization tools on visitors' systems, with most targeted products being cybersecurity solutions. The compromise represented a continuation of ScanBox's evolution since its initial documentation by AlienVault researchers in 2014-2015, with previous deployments linked to advanced threat groups including Stone Panda in 2017 and LuckyMouse in 2018.

The attack exposed visitors to credential theft and surveillance, a particular concern given that the site handles passport application data. By abusing a legitimate government domain, the attackers benefited from users' inherent trust in the platform, increasing the likelihood of successful exploitation. The JavaScript-based keylogging ran transparently to users and required no interaction beyond normal browsing. While the exact duration of the compromise and the number of affected individuals were not disclosed, the incident demonstrated the attackers' focus on reconnaissance through security-product detection and system profiling. The compromised subdomain served both as an attack vector and as an intelligence-gathering platform, allowing the threat actors to identify high-value targets based on their security configurations. No containment measures or official responses from Pakistani authorities were detailed in the available reporting, leaving the operational impact and remediation status unconfirmed.
