ESET publishes new research into a strategic web compromise (watering hole) campaign targeting the websites of media outlets, government institutions, internet service providers and aerospace/military technology companies, with links to the Middle East and a strong focus on Yemen and the local conflict.
Researchers of ESET, a global leader in the cybersecurity market, have uncovered strategic web compromise (watering hole) attacks against high-profile sites in the Middle East, with a strong focus on Yemen. The attacks are linked to Candiru, a company that sells cutting-edge offensive software tools and related services to government agencies. The affected websites belong to media outlets in the United Kingdom, Yemen and Saudi Arabia, as well as Hezbollah; to government institutions in Iran (Ministry of Foreign Affairs), Syria (including the Ministry of Electricity) and Yemen (including the Ministries of the Interior and Finance); to internet service providers in Yemen and Syria; and aerospace/military technology companies in Italy and South Africa. The attackers also created a website that mimicked a medical industry event in Germany.
A watering hole attack compromises websites that targets of interest are known to visit, turning those sites into a delivery point for compromising the visitor's computer. In this campaign, selected visitors to the compromised websites were most likely attacked through a browser exploit. ESET researchers, however, recovered neither the exploit nor the final payload: the injected code only fingerprinted visitors and served the next stage to the few it was interested in. This suggests that the operators deliberately kept the scope of the operation narrow so as not to burn their zero-day exploits, and underlines how targeted the campaign was. The compromised websites were only a starting point, not the final objective.
“Back in 2018, we developed a customized internal system to discover watering holes on high-profile websites. On July 11, 2020, our system notified us that the website of the Iranian Embassy in Abu Dhabi had been contaminated with malicious JavaScript code. Our curiosity was piqued by the high-profile nature of the targeted website, and in the following weeks we noticed that other websites with links to the Middle East had also come into the attackers' sights,” says Matthieu Faou, the ESET researcher who discovered the watering hole campaigns.
“The group remained quiet until January 2021, when we observed a new wave of compromises. This second wave lasted until August 2021, when all websites were cleaned again like in 2020 – probably by the same authors,” he adds.
“The attackers also imitated a website belonging to the World Forum for Medicine held in Düsseldorf, Germany. The operators cloned the original website and added a small sliver of JavaScript code. It is likely that the attackers were unable to compromise the legitimate website and had to create a fake one to inject their malicious code,” explains Faou.
During the 2020 wave, the injected JavaScript fingerprinted each visitor's operating system and web browser. Because this selection was keyed to desktop software, mobile devices were not targeted. In the second wave, the attackers became stealthier: instead of adding a new script, they modified JavaScript files that were already present on the compromised websites, so the malicious code blended in with legitimate content.
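To make the selection step concrete, the following is an added illustration written for this article; it is not ESET's code and not the script recovered from the compromised sites. It reduces the visitor-gating logic the text describes to a pure function over the user-agent string: derive an OS/browser profile, then continue only for desktop browsers, so mobile visitors (and most crawlers) never see a second stage. The user-agent strings are constructed samples, and the `classifyVisitor`/`shouldContinue` names are this example's own. Defenders reviewing a site's JavaScript for tampering can look for exactly this kind of profiling-and-gating code appended to otherwise legitimate files.

```javascript
// Added example, not code from the original article or from the campaign.
// Watering-hole scripts read navigator.userAgent (and similar properties)
// and only proceed for the software profile the operators care about.
// Here the profile is computed from a user-agent string passed in, so the
// logic can be exercised offline without a browser.

function classifyVisitor(userAgent) {
  const ua = String(userAgent || "");

  // Order matters: iOS/Android strings also contain "Mac OS X" / "Linux".
  let os = "unknown";
  if (/iPhone|iPad|iPod/.test(ua)) os = "ios";
  else if (/Android/.test(ua)) os = "android";
  else if (/Windows NT/.test(ua)) os = "windows";
  else if (/Mac OS X/.test(ua)) os = "macos";
  else if (/Linux/.test(ua)) os = "linux";

  // Chromium-based browsers also advertise "Safari/", Edge also "Chrome/".
  let browser = "unknown";
  if (/Edg\//.test(ua)) browser = "edge";
  else if (/Firefox\//.test(ua)) browser = "firefox";
  else if (/Chrome\//.test(ua)) browser = "chrome";
  else if (/Safari\//.test(ua)) browser = "safari";

  const mobile = /Mobile|Android|iPhone|iPad|iPod|Windows Phone/i.test(ua);
  return { os, browser, mobile };
}

// Desktop-only gate: anything mobile or unrecognised is silently dropped,
// which is what keeps an exploit chain unexposed to casual visitors.
function shouldContinue(profile) {
  return !profile.mobile && ["windows", "macos", "linux"].includes(profile.os);
}

// Constructed sample user agents (not captured from the campaign).
const SAMPLE_USER_AGENTS = {
  windowsChrome:
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
  macFirefox:
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0",
  iphoneSafari:
    "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.1 Mobile/15E148 Safari/604.1",
  androidChrome:
    "Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.120 Mobile Safari/537.36",
};

// Runs the gate over every sample and returns which ones would be selected.
function selectedSamples() {
  return Object.entries(SAMPLE_USER_AGENTS)
    .filter(([, ua]) => shouldContinue(classifyVisitor(ua)))
    .map(([name]) => name);
}

console.log(selectedSamples()); // only the two desktop profiles pass
```

Real campaigns typically collect more than the user-agent string (screen size, plugins, time zone, fonts) and may consult a server-side allow-list of target IP ranges before anything further is served; the point of the example is the shape of the decision, not its exact inputs.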
“In a blog post on Candiru by Citizen Lab at the University of Toronto, the section called ‘A Saudi-Linked Cluster?’ mentions a spearphishing document that was uploaded to VirusTotal and multiple domains operated by the attackers. The domain names are variations of genuine URL shorteners and analysis websites, and the technique is the same as the one used for domains analyzed in watering hole attacks,” explains Faou, linking the attacks to Candiru.
There is, therefore, a significant probability that the operators of the watering hole campaigns are Candiru customers; it is also possible that the creators of the spearphishing document and the watering hole operators are one and the same. Candiru is a private Israeli spyware company that was recently added to the US Department of Commerce's Entity List, which restricts US-based organizations from doing business with Candiru without first obtaining authorization from the Department of Commerce.
ESET has not detected activity from this operation since late July 2021, shortly after the publication of blog posts by Citizen Lab, Google and Microsoft detailing Candiru's activities. The operators appear to have taken a break, probably to readjust and make their campaign more covert. ESET Research expects new activity in the coming months.
For more technical details on these attacks against websites in the Middle East, see the blog post "Strategic web compromises in the Middle East with a pinch of Candiru" on WeLiveSecurity.