ESET discovers watering hole attacks on websites in the region
ESET researchers have discovered strategic web compromise (watering hole) attacks against high-profile websites in the Middle East, with a strong focus on Yemen. The attacks are linked to Candiru, a company that sells state-of-the-art offensive software tools and related services to government agencies.
The victimized websites belong to media outlets in the UK, Yemen, and Saudi Arabia, as well as to Hezbollah; to government institutions in Iran (Ministry of Foreign Affairs), Syria (including the Ministry of Electricity), and Yemen (including the Ministries of Interior and Finance); to internet service providers in Yemen and Syria; and to aerospace/military technology companies in Italy and South Africa. The attackers also created a website mimicking a medical trade fair in Germany.
A watering hole attack compromises websites that are likely to be visited by targets of interest, thus opening the door to infecting a website visitor’s machine. In this campaign, specific visitors to these websites were likely attacked via a browser exploit. However, ESET researchers were unable to obtain either an exploit or the final payload. This indicates that the threat actors have chosen to narrow the focus of their operations and don’t want to burn their zero-day exploits, demonstrating how highly targeted this campaign is. The compromised websites are only used as a jumping-off point to reach the final targets.
“Back in 2018, we developed a custom in-house system to uncover watering holes on high-profile websites. On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been tainted with malicious JavaScript code. Our curiosity was aroused by the high-profile nature of the targeted website, and in the following weeks we noticed that other websites with connections to the Middle East were also targeted,” says ESET researcher Matthieu Faou, who uncovered the watering hole campaigns.
“The threat group went quiet until January 2021, when we observed a new wave of compromises. This second wave lasted until August 2021, when all websites were cleaned again as was the case in 2020 – likely by the perpetrators themselves,” he adds.
“The attackers also mimicked a website belonging to the World Forum for Medicine’s MEDICA Trade Fair held in Düsseldorf, Germany. The operators cloned the original website and added a small piece of JavaScript code. It is likely that the attackers were not able to compromise the legitimate website and had to set up a fake one in order to inject their malicious code,” says Faou.
During the 2020 campaign, the malware checked the visitor’s operating system and web browser. As this selection was based on the computer’s software, the campaign was not targeting mobile devices. In the second wave, in order to be a bit stealthier, the attackers started to modify scripts that were already on the compromised websites instead of adding new ones.
“In a blogpost about Candiru by Citizen Lab at the University of Toronto, the section called ‘A Saudi-Linked Cluster?’ mentions a spearphishing document that was uploaded to VirusTotal and multiple domains operated by the attackers. The domain names are variations of genuine URL shorteners and web analytics websites, which is the same technique used for the domains being seen in the watering hole attacks,” explains Faou, linking the attacks to Candiru.
Thus, there is a significant likelihood that the operators of the watering hole campaigns are customers of Candiru. The creators of the documents and the operators of the watering holes are also potentially the same. Candiru is a private Israeli spyware company that was recently added to the US Department of Commerce’s Entity List. This may prevent any US-based organization from doing business with Candiru without first obtaining a license from the Department of Commerce.
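The monitoring approach described earlier (watching high-profile sites for injected JavaScript) and the lookalike-domain pattern Faou describes above are combined in the following added example, which is not ESET’s in-house system or any code from the report: it diffs the external script hosts of a page snapshot against a baseline and flags new hosts that closely resemble well-known URL shortener or web-analytics domains. The KNOWN_SERVICES list, the similarity threshold and both HTML snapshots are assumptions constructed for the demo.

```python
"""Watering-hole monitor: diff a page's external script hosts against a baseline
and flag new hosts imitating known shortener/analytics services (added example)."""
import difflib
import re
from urllib.parse import urlparse

# Real services that lookalike domains typically imitate; used only as
# reference strings for similarity scoring (assumed list, not from the report).
KNOWN_SERVICES = ["bit.ly", "tinyurl.com", "google-analytics.com", "googletagmanager.com"]
SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)

def script_domains(html):
    """Hostnames of every external <script src=...>; relative paths yield none."""
    hosts = {urlparse(src).hostname for src in SRC_RE.findall(html)}
    return {h.lower() for h in hosts if h}

def registrable(host):
    """Last two labels, e.g. 'google-analytics.com' (demo approximation of the PSL)."""
    return ".".join(host.split(".")[-2:])

def lookalike_of(host, threshold=0.8):
    """Known service this host most resembles without being it, else None."""
    reg = registrable(host)
    if reg in KNOWN_SERVICES:
        return None  # exact use of the genuine service is not suspicious
    label = reg.split(".")[0]
    best, score = None, 0.0
    for svc in KNOWN_SERVICES:
        for ref in (svc, svc.split(".")[0]):  # compare with and without the TLD
            r = difflib.SequenceMatcher(None, label, ref).ratio()
            if r > score:
                best, score = svc, r
    return best if score >= threshold else None

def audit(baseline_html, current_html):
    """Map each script host new since the baseline to the service it imitates."""
    new_hosts = script_domains(current_html) - script_domains(baseline_html)
    return {h: lookalike_of(h) for h in sorted(new_hosts)}

# Constructed snapshots of one page: the baseline and a later tainted copy.
BASELINE = """<head><script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/js/site.js"></script></head>"""
COMPROMISED = BASELINE + """<script src="//stats.google-anaiytics.example/ga.js"></script>
<script src="https://cdn.legit-news.example/widget.js"></script>"""

if __name__ == "__main__":
    for host, imitated in audit(BASELINE, COMPROMISED).items():
        print(host, "-> lookalike of", imitated if imitated else "nothing known")
```

Editing a script already on the site, the second-wave tactic described above, leaves the host set unchanged; hashing each fetched script body against the baseline catches that case.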
ESET stopped seeing activity from this operation at the end of July 2021, shortly after the release of blogposts by the Citizen Lab, Google, and Microsoft detailing the activities of Candiru. The operators appear to be taking a pause, probably in order to retool and make their campaign stealthier. ESET Research expects them back in the ensuing months.