Cyber Incident Victim: President of Myanmar

Date: Nov 2014

Location: Myanmar

Summary

The President of Myanmar's official website was compromised through a watering hole attack involving malicious iframe injection into a JavaScript file, targeting visitors for intelligence gathering. Threat actors maintained prolonged access to the site, leveraging it to deliver the Evilgrab malware. Following detection, operators took the original site offline and migrated content to a new domain without the exploit code as part of remediation efforts.


Description

On May 12, 2015, Unit 42 identified a watering hole attack involving the official website of the President of Myanmar, hosted at "www.president-office.gov[.]mm." The compromise involved threat actors injecting an inline frame (IFRAME) into a JavaScript file utilized by the Drupal content management system for the site's theme. This malicious modification caused visitors to the main page of the website to automatically trigger the exploit. Evidence indicated the threat actors had maintained unauthorized access to the website since at least November 2014, suggesting a prolonged period of compromise prior to discovery. The attackers selected this high-profile government website to target individuals within Myanmar, those engaged in political relations with the country, and organizations conducting business there, with the apparent objective of intelligence gathering. The watering hole technique leveraged the site's legitimate traffic to deliver malware to visitors without requiring additional interaction beyond accessing the compromised page.

Following Unit 42's notification of the infection to website operators, immediate remediation actions were taken, including taking the original "president-office.gov.mm" domain offline. A replacement website with identical content was subsequently established at "www.myanmarpresidentoffice.info," which retained structural and contextual elements from the original site but contained no traces of the exploit code. The domain migration appeared to be part of the remediation strategy to restore official online presence while eliminating the compromise. The swift takedown of the infected site prevented further exploitation through this vector, though the six-month minimum access period prior to detection allowed significant opportunity for threat actor operations. The incident demonstrated the targeting of governmental digital assets to facilitate espionage against specific demographic groups through trusted online resources.
