Over the past year, FireEye Threat Intelligence has identified suspected nation-state sponsored cyber-actors engaged in a large-scale reconnaissance effort. This effort makes use of web analytics—the technologies to collect, analyze, and report data
The individuals behind this activity have amassed vast amounts of information on web traffic and visitors to over 100 websites – sites that the threat actors have selectively compromised to gain access to their collective audience. When an Internet user navigates to one of the compromised websites they are secretly redirected to a second site that hosts a script named WITCHCOVEN.
This script collects detailed information about the user’s computer and installs a persistent tracking tool, called a “supercookie,” which becomes part of a unique "digital fingerprint" that can be used to identify the user's computer from that point forward. We believe the actors analyze the collected data to identify unique users and pair them with information about their computer to later deploy exploits tailored to their particular software and computer configuration.
The reconnaissance is most likely the work of cyber threat actors aligned with a government based on the extensive collection of data, the culprits’ operational restraint, and our assessment of their probable targets.
In this report, FireEye Threat Intelligence analysts explore the reconnaissance effort and how the same methods that fuel effective content delivery and e-commerce can potentially allow malicious actors to identify and target victims with pinpoint precision. This is the dark side of web analytics.
Pinpointing Targets: Exploiting Web Analytics to Ensnare Victims
Thurs, Nov. 19, 2015 (11 am ET/8 am PT)
 Kaspersky Labs, Symantec, and iSIGHT Partners have reported on campaigns similar, and possibly related to, the activity we describe in this report.