Date: Jan 2019

Location: Armenia

Summary

A watering hole campaign attributed to the Turla group compromised multiple Armenian websites, including the consular section of the Embassy of Armenia in Russia, delivering malware through a fake Adobe Flash update lure. The attackers injected malicious JavaScript into legitimate site files, fingerprinting visitors via persistent tracking mechanisms and selectively deploying payloads to targeted individuals. Initial infections utilized the known Skipper backdoor, later replaced by new .NET and Python-based malware (NetFlash and PyFlash) that collected system information and established command-and-control communication. The operation relied on social engineering rather than exploits, installing both malicious components and legitimate software to evade suspicion while exfiltrating data from government-related targets.


Description

The incident involving the consular section of the Embassy of Armenia in Russia (armconsul.ru) was part of a broader watering hole campaign attributed to the Turla advanced persistent threat (APT) group. Between at least January 2019 and November 2019, Turla compromised armconsul.ru and three other Armenian websites—mnp.nkr.am (Ministry of Nature Protection of Artsakh), aiisa.am (Armenian Institute of International and Security Affairs), and adgf.am (Armenian Deposit Guarantee Fund)—by injecting malicious JavaScript code into their pages. The attackers appended obfuscated scripts to legitimate files, such as the jquery-migrate.min.js library, to avoid detection. Visitors to these sites were redirected to skategirlchina.com, a domain controlled by Turla, which delivered second-stage JavaScript for browser fingerprinting. This script deployed an "evercookie" using multiple storage mechanisms to persistently track returning visitors, collecting system information like browser plugins, screen resolution, and OS details. Data was sent to Turla's command-and-control (C&C) server, which selectively targeted high-value visitors—likely government officials—with a fake Adobe Flash update prompt. Rather than relying on a browser exploit, the social engineering lure displayed an iframe urging users to download a malicious installer.
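The injection technique described above, appending an obfuscated script to an otherwise untouched library file, is something a site operator can catch with an integrity check that compares the served asset against a known-good copy. The following script is an added example, not code from the report or from any of the affected sites; the library contents and the appended snippet are constructed stand-ins, not real file contents.

```python
"""Integrity check for static JavaScript assets (added example).

Given a known-good copy of a library file and the copy currently served,
flag tampering and, for the appended-script pattern, report the injected
tail together with any obfuscation constructs found in it.
"""
import hashlib
import re

# Constructed stand-in for the vendor's jquery-migrate.min.js (not the real file).
KNOWN_GOOD = b"/*! jQuery Migrate */(function(a){a.migrateMute=!0})(jQuery);\n"

# Constructed stand-in for a tampered copy: the vendor file with an
# obfuscated script appended after it (placeholder content, not a real payload).
TAMPERED = KNOWN_GOOD + b"eval(String.fromCharCode(118,97,114));document.write(x);"

# Constructs that rarely appear in a minified vendor library but are common
# in injected, obfuscated loaders.
SUSPICIOUS = re.compile(rb"eval\(|String\.fromCharCode|unescape\(|document\.write\(")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_asset(served: bytes, known_good: bytes) -> dict:
    """Compare a served asset with its known-good reference.

    Verdicts: 'clean' when the hashes match; 'appended' when the known-good
    content is an exact prefix of the served file (the injection style in
    this incident), in which case the tail and the suspicious constructs
    found in it are returned; otherwise 'modified'.
    """
    if sha256(served) == sha256(known_good):
        return {"verdict": "clean", "tail": b"", "indicators": []}
    if served.startswith(known_good):
        tail = served[len(known_good):]
        hits = sorted({m.decode() for m in SUSPICIOUS.findall(tail)})
        return {"verdict": "appended", "tail": tail, "indicators": hits}
    return {"verdict": "modified", "tail": b"", "indicators": []}


if __name__ == "__main__":
    for name, data in (("reference copy", KNOWN_GOOD), ("served copy", TAMPERED)):
        result = check_asset(data, KNOWN_GOOD)
        print(f"{name}: {result['verdict']} {result['indicators']}")
```

In a real deployment the known-good hashes come from the vendor release or from your own build pipeline, and the check runs against the files actually served rather than the files on disk, since the two can differ after a compromise.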


From January to August 2019, victims who executed the installer received a RAR-SFX archive containing a legitimate Adobe Flash installer and a second archive deploying Skipper, a known Turla backdoor. Skipper’s components showed minimal changes from earlier variants but used skategirlchina.com’s wp-includes/ms-locale.php as its C&C server. In September 2019, Turla shifted payloads to evade detection, replacing Skipper with NetFlash, a .NET downloader, and PyFlash, a Python-based backdoor. NetFlash, dropped as winhost.exe, downloaded PyFlash from hardcoded URLs and established persistence via scheduled tasks. PyFlash, compiled via py2exe, exfiltrated system data (systeminfo, tasklist, ipconfig) to C&C servers over HTTP, encrypting communications with AES. One NetFlash variant connected to 134.209.222.206:15363, indicating infrastructure changes. ESET telemetry revealed limited infections, suggesting highly selective targeting. The campaign was suspended by late November 2019 when skategirlchina.com ceased malicious activity. ESET notified Armenia’s national CERT before public disclosure, though specific containment actions by the affected entities were not detailed in the report. The compromise enabled sustained espionage against Armenian governmental entities, leveraging trusted websites to infiltrate high-value targets.
