Cyber Incident Victim: Ministry of Finance, Lebanon
Date:
Sep 2018
Location:
Lebanon
Summary
A cyberespionage campaign targeted Lebanese government entities and a private airline, using malicious job-themed websites and macro-laced Office documents to deploy the "DNSpionage" malware. The malware communicated covertly with its command-and-control servers over HTTP and DNS, including DNS tunneling for data exfiltration. In parallel, the attackers hijacked the DNS records of targeted domains, pointed them at attacker-controlled servers, and, while in control of resolution, obtained validly issued Let's Encrypt TLS certificates for those domains so that intercepted traffic would not raise certificate warnings. The adversary showed detailed knowledge of victim infrastructure, and the malware created a fixed directory and file layout on infected hosts to manage downloads, uploads, logging and configuration. The impact was potential unauthorized access to, and data theft from, government and private-sector organizations in the Middle East.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In September 2018, a cyberespionage campaign dubbed "DNSpionage" targeted Lebanese government entities, including the Finance Ministry, and a private Lebanese airline, alongside United Arab Emirates (UAE) organizations. Cisco Talos discovered the campaign, which involved hijacking the DNS records of .gov domains and routing them through attacker-controlled infrastructure designed to avoid detection. The attackers stood up fake websites mimicking legitimate job portals and hosted weaponized Microsoft Office documents on them, with the payload embedded in macros. When a victim enabled macros, the document dropped and executed malware that established persistence on the infected system. The attackers demonstrated detailed knowledge of the victims' network infrastructure, which allowed them to operate discreetly. Concurrently, they hijacked DNS records for the targeted domains, redirecting them to attacker-controlled servers. While the redirection was in place they obtained valid Let's Encrypt TLS certificates for the hijacked domains; because Let's Encrypt validates control of a domain via DNS or HTTP, an attacker who controls where the domain resolves can pass that validation and obtain a certificate that browsers accept without warning. The full extent of successful DNS hijackings remained unconfirmed, but the activity indicated an intent to intercept or manipulate communications, for example webmail and VPN traffic, to the affected hosts.

The DNSpionage malware created a dedicated directory structure under "%UserProfile%\.oracleServices\" containing subfolders for downloads and uploads together with a log file and a configuration file, alongside the malicious executable "svshost_serv.exe" (a name chosen to resemble the legitimate svchost.exe). It communicated with its command-and-control (C2) servers over both HTTP and DNS. In DNS mode it encoded data in base64 inside the subdomain labels of queries to an attacker-controlled domain, first to register the infected system and then to receive and acknowledge commands; the same channel supported DNS tunneling to covertly exfiltrate stolen information, which is effective because outbound DNS is rarely blocked or inspected. Forensic analysis revealed no direct links to known threat actors, so Talos did not attribute the campaign to a known group. The campaign's primary impact was unauthorized access to government and private-sector networks, with a risk of data theft and surveillance. No specific remediation actions by the Lebanese government or the affected entities were detailed in the available reporting, though security researchers emphasized the sophistication of the DNS manipulation and certificate abuse tactics.
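The DNS channel described above is detectable from resolver logs: a tunneling beacon produces many distinct, long, high-entropy subdomain labels under one parent domain, and those labels decode to readable text. The script below is an added example, not code from the Talos report or from the malware itself. It runs simple heuristics over a constructed resolver log whose beacon lines are generated by base64-encoding sample payloads under the hypothetical domain "c2-example.test"; the log format, the URL-safe base64 alphabet (since "+" and "/" are not legal in hostnames) and the "registered domain = last two labels" rule are all assumptions for the example.

```python
"""Heuristic detection of DNS-tunneling style beacons over resolver logs (added example)."""
import base64
import binascii
import math
import re
from collections import defaultdict


def _b64label(text: str) -> str:
    """URL-safe base64 without padding, so the label stays a legal hostname (assumed encoding)."""
    return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")


# Constructed sample beacon payloads; the labels below are derived from them.
_BEACONS = [
    "id=WKS-01;user=ali",
    "cmd=whoami",
    "cmd=dir C:\\Users",
    "exfil=part1:budget2019.xlsx",
]

# Constructed sample resolver log (not real telemetry). One query per line:
# "<timestamp> <client-ip> <qname> <qtype>". "jobs-portal.test" plays a benign site,
# "c2-example.test" a hypothetical tunneling C2 domain.
SAMPLE_LOG = "\n".join(
    [
        "2018-09-13T10:00:01 10.0.0.5 www.jobs-portal.test A",
        "2018-09-13T10:00:02 10.0.0.5 cdn.jobs-portal.test A",
    ]
    + [
        f"2018-09-13T10:00:0{i + 3} 10.0.0.7 {_b64label(b)}.c2-example.test A"
        for i, b in enumerate(_BEACONS)
    ]
    + ["2018-09-13T10:00:07 10.0.0.9 mail.jobs-portal.test MX"]
)

LOG_RE = re.compile(r"^\S+ (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; random-looking encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_base64_label(label: str):
    """Return decoded text if the label is plausibly URL-safe base64 (padding stripped)
    that decodes to mostly printable ASCII, else None."""
    if len(label) < 8 or not re.fullmatch(r"[A-Za-z0-9_-]+", label):
        return None
    padded = label + "=" * (-len(label) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    return raw.decode("ascii", errors="replace") if printable >= 0.9 else None


def parse_queries(log_text: str):
    """Yield (client, parent_domain, leftmost_label, qtype) for queries with a subdomain."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # nothing below the registered domain to inspect
        # Assumption: registered domain is the last two labels (no public-suffix list).
        parent = ".".join(labels[-2:])
        yield client, parent, labels[0], qtype


def detect_tunneling(log_text: str, min_unique: int = 3, min_entropy: float = 3.0) -> dict:
    """Flag parent domains that receive many distinct decodable, high-entropy labels."""
    per_parent = defaultdict(lambda: {"clients": set(), "labels": set(), "decoded": []})
    for client, parent, label, _qtype in parse_queries(log_text):
        stats = per_parent[parent]
        stats["clients"].add(client)
        stats["labels"].add(label)
        decoded = try_base64_label(label)
        if decoded is not None and shannon_entropy(label) >= min_entropy:
            stats["decoded"].append(decoded)
    findings = {}
    for parent, stats in per_parent.items():
        if len(stats["labels"]) >= min_unique and len(stats["decoded"]) >= min_unique:
            findings[parent] = {
                "clients": sorted(stats["clients"]),
                "unique_labels": len(stats["labels"]),
                "decoded_samples": stats["decoded"],
            }
    return findings


if __name__ == "__main__":
    for parent, info in detect_tunneling(SAMPLE_LOG).items():
        print(parent, info)
```

Tuning matters: a single decodable label is noise (CDN and anti-spam services legitimately use encoded labels), so the check requires several distinct high-entropy labels under one parent from the same client population before raising a finding, and an analyst would pair it with the parent domain's age and query volume before acting.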
