ThreatConnect, a Virginia-based cyber-security firm, said its researchers last week found a corrupted JavaScript file that is being used to host content on "gov.af" websites, and there are no antivirus protections available for the malware.
Rich Barger, chief intelligence officer of ThreatConnect, told Reuters his company was confident the new campaign, "Operation Poisoned Helmand," was linked to the "Poisoned Hurricane" campaign detected this summer by another security firm, FireEye, that linked it to Chinese intelligence.
He said the latest attack was very recent and one timestamp associated with the Java file was from December 16, the same day Chinese Prime Minister Li Keqiang visited Afghanistan to meet with Afghanistan's chief executive officer, Abdullah Abdullah.
China is seeking to take a more active role in Afghanistan as the United States and NATO reduce their military presence.
"We found continued activity from Chinese specific actors that have used the Afghan government infrastructure as an attack platform," Barger said, noting that Chinese intelligence could use the malware to reach a wide array of global targets checking trusted Afghan government sites for information.
Barger said the attack was a variant of what he called a typical "watering-hole" attack in which the attackers infect a large number of victims, and then follow up with the most "promising" hits to extract data.
He said researchers this summer saw a malicious Java file on the website of the Greek embassy in Beijing while a high-level delegation led by Keqiang was visiting Greek Prime Minister Antonis Samaras in Athens.
The two events were not directly related, Barger said, and additional research was needed into the status of ministerial and official government websites on or around the dates of notable Chinese delegations and or bilateral meetings.
The malware was found on a variety of Afghan government websites, including the ministries of justice, foreign affairs, education, commerce and industry, finance and women's affairs, according to ThreatConnect, which was formerly known as CyberSquared.
The report emerged as the United States sought help from China, Japan, South Korea and Russia in combating cyber-attacks such as the one Washington on Friday accused North Korea of carrying out against Sony Pictures.
© Thomson Reuters 2014
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.