Cyber Incident Victim: Jerusalem Center for Public Affairs
Date: Sep 2014
Location: Israel
Summary
The official website of an Israeli think tank was compromised to distribute malware via a malicious JavaScript file leveraging the Sweet Orange exploit kit, delivering the Qbot information-stealing Trojan. The malware injected itself into processes, established persistence, harvested system data, and monitored victims' banking visits to collect credentials, while employing anti-analysis techniques and blocking access to security providers' sites. Although the organization typically maintains strong security, this incident was assessed as an opportunistic attack aimed at credential theft, with the compromised site remaining active in serving malware despite notifications to the victim.
Description
In September 2014, security firm Cyphort identified a compromise on the official website of the Jerusalem Center for Public Affairs (JCPA), an Israeli think tank specializing in security and diplomacy. Attackers had planted a malicious JavaScript file on the site, leveraging the Sweet Orange exploit kit to deliver malware to visitors. This exploit kit, previously observed in attacks against platforms like DailyMotion, exploited vulnerabilities in Java and Internet Explorer to install Qbot, an information-stealing Trojan. Upon infection, Qbot injected itself into running processes, created registry entries for persistence, and harvested system information transmitted to a command-and-control server. The malware then monitored victims’ browsing activity, specifically targeting banking websites to capture login credentials. Analysis revealed Qbot contained anti-virtual-machine and anti-antivirus evasion techniques, along with functionality to block access to security vendors’ websites, hindering remediation efforts. Cyphort noted the binaries referenced a promotional video for a snack brand, suggesting attackers may have sought additional profit through ad revenue.

The incident impacted JCPA website visitors by exposing them to credential theft and system compromise. Cyphort assessed the attack as opportunistic rather than targeted, aiming to gather financial data for cybercriminal use. Despite JCPA’s reputation for robust security, the infection persisted unremediated at the time of Cyphort’s report. The firm attempted to notify JCPA through the organization’s website contact form but received no response. SecurityWeek also sought comment from the think tank without success prior to publication. The ongoing compromise highlighted risks to entities perceived as secure, emphasizing the operational consequences of delayed incident response. No details regarding the number of affected users, internal containment measures, or subsequent remediation efforts were disclosed in available reporting.
