afghan ministry websites cyber attack

Author: Farshid Ghyasi, President/CEO NETLINKS

The news was big, Afghan Government websites attacked by Chinese hackers and reported by an American cyber security research company. Local newspapers and TVs started talking about the issue as if our country was attacked and intruded by China! National Security Council begun investigating the issue. What happened later on, none of us really know!

While everyone was talking about the attack happened, nobody tried to see how did the attack happen and what led to this event. Here i am sharing what i think went wrong.

Firstly, what happened with the government websites is not something i would call an attack. It wasn’t an attack, nothing was damaged, it was just one or two lines of javascript code that redirected users to some other websites (yet to be confirmed after getting a copy of that script). This is something i would blame the contractor who developed the government websites.

So, how can a piece of javascript code could be inserted into the javascript code libraries? Afghan Government websites are developed based on a custom made Content Management System (CMS). The CMS allows each government entity running their website in the National Data Center to manage it online, add new content, update existing content and etc. Each government client, manage their website based on a pre-designed template given to them by the web development contractor. All the designs have one thing in common, their basic look and feel (CSS styles etc) in terms of functionalities and hence use a standard CSS and Javascript library for all websites and is hosted in the so called CDN (I call it Content Delivery Network and MCIT call it Centralize Network Delivery).

Somehow, that malicious piece of javascript code, got into the Javascript library and as each government website is browsed, the javascript code is somehow loaded on the client machine browsing the government website. Now depending on what exactly the payload of the script was, it would do something, perhaps track the user, download malicious code in the client PC or something else. From the nature of the script, i could certainly say that it wasn’t something that could go deep in the National Data Center and do any harm or steal any data. Under one condition, it could compromise the ANDC hosted data if the client machine which accessed the government websites is infected by some sort of malware making the client machine infected and thus opening it for outsiders to access.

Now, lets see what are the options which can lead an outsider to place that javascript code within the javascript library of ANDC? We have a few options:

Option 1. There was a bug in the government CMS which led the attacker to push a javascript code inside the javascript library. The chances of this option is extremely low. As far as i know, the CMS is secure except a few minor vulnerabilities of which most are already patched.

Before going to the next options, let me tell you about a special type of malware that if installed in a machine is able to automatically append itself to javascript, css and html file codes. I have noticed this alot as we host hundreds of websites in Afghanistan and a few of our customer’s computers were infected that way which led them to upload infected html, js and css files on our servers which were later detected by our antivirus and antimalware scanners. So now lets get back to the next options:

Option 2. The ANDC staff computers were infected by the same type of malware as described above which led to the javascript files being infected. Now this could be a possible option if ANDC could confirm wether their staff have access to updating javascript and css codes of the government CMS or not? From what i know, its most likely not as for any design and structural changes which means having access to Javascript, html, code and css of the CMS, government employees have to content the web development contractor.

Option 3. The computers of the web development contractor’s staff were infected with the same type of malware which led the malicious code to be appended into the javascript library which was later on uploaded to the ANDC’s servers. This is the likely case from all the three scenarios.

Now going back and and reviewing the case, one can say that such attacks happen mainly due to 2 major reasons which is common in Afghanistan and are:

  1. Use of Pirated Softwares: Thanks to China, Pakistan and Iran, we get tonnes of pirated softwares in the local market. Nobody cares to even think what sort of malwares those softwares come preinstalled with when they install those operating systems in their computers. Most of the private companies and even government run pirated software which leads to infected computers right from the point of installation.
  2. Pirated or cracked Antivirus or not even having a proper antivirus: Most users in Afghanistan does not use proper antivirus solutions. They get cracked antivirus solutions online or from the same pirated software distributors in Afghanistan. Most of the time, these antivirus softwares themselves if cracked could carry malwares, worms and viruses.

Now what can we do to stop this? The government, private companies and even individuals should start practicing bans on pirated softwares. Licensed and clean antivirus solutions should be used particularly as most of these users go online and face threats of thousands of malicious codes that maybe hosted on certain websites they browse.

Overall, i would blame poor practice of information security on the end users more than the possibilities of weak ANDC security!

I would invite all information security professionals to share their ideas on what they think about this. I am a beginner when it comes to information security and please do correct me if i am wrong.


  • The Khaama Press News Agency is the leading and largest English news service for Afghanistan with over 3 million hits a month. Independent authors/columnists and experts are welcome to contribute stories, opinions and editorials. Send stories to [email protected]