The Anomali Threat Research Team identified a credential harvesting campaign designed to steal login details from multiple government procurement services. The procurement services are used by many public and private sector organizations to match buyers and suppliers.
In this campaign, attackers spoofed sites for multiple international government departments, email services and two courier services. Lure documents sent via phishing emails were found to contain links to spoofed phishing sites masquerading as legitimate login pages relevant to the spoofed government agencies. Victims duped into following the phishing email link would then be invited to log in. Anyone who fell victim to the adversaries would have provided them with their credentials.
Spoofed organizations:
- United States – U.S. Department of Energy
- United States – U.S. Department of Commerce
- United States – U.S. Department of Veteran Affairs
- United States – New Jersey House and Mortgage Finance Agency
- United States – Maryland Government Procurement Services
- United States – Florida Department of Managed Services
- United States – Department of Transport
- United States – Department of Housing and Urban Development
- DHL International courier service
- Canada – Government eProcurement service
- Mexico – Government eProcurement services
- Peru – Public Procurement Centre
- China – SF-Express courier service
- China – Ministry of Transport
- Japan – Ministry of Economy, Trade and Industry
- Singapore – Ministry of Industry and Trade
- Malaysia – Ministry of International Trade and Industry
- Australia – Government eProcurement Portal
- Sweden – Government Offices National Public Procurement Agency
- Poland – Trade and Investment Agency
- South Africa – Government Procurement Service
At present, it is not clear who the threat actors are, but it does appear to be a persistent attack. Spoofed phishing site domains are hosted in Turkey and Romania. The campaign is currently dormant.
The focus on these services suggests the threat actor(s) are interested in potential contractor(s) and/or supplier(s) for the governments targeted. The purpose of this insight could be a financial incentive to outcompete a rival bidder, or a longer-term insight into the trust relationship between the potential supplier and the government in question. Campaigns like these are difficult to protect against because, unless the domains hosting the phishing pages are already known to be malicious, an organization's firewall will not know to block them. Legitimate sites were also hosting the phishing pages, and were likely compromised as part of the campaign.