Watering hole attacks on ministry and media websites

Researchers at ESET have discovered "watering hole" attacks, i.e. strategic web compromise campaigns. This particular campaign targeted government websites and online media, as well as the websites of internet service providers and aerospace/military technology companies.

"Watering hole" is the term used in cybersecurity for a targeted, strategic attack in which the attackers compromise a site they believe is frequented by their intended victims. They then wait for visitors to that site to be infected with their malware. The name comes from the water hole where animals go to drink, which is where they are most exposed to predators.


The websites that fell victim to this particular campaign belong to media outlets in the United Kingdom, Yemen and Saudi Arabia, as well as Hezbollah; to government agencies in Iran (Ministry of Foreign Affairs), Syria (including the Ministry of Energy website) and Yemen (including the Ministries of Interior and Finance); to internet service providers in Yemen and Syria; and to aerospace/military technology companies in Italy and South Africa.

The attackers also cloned the website of a medical trade show in Germany: the MEDICA trade show of the World Forum for Medicine, held in Düsseldorf.

The campaign appears to have strong ties to Candiru, an Israeli spyware vendor recently blacklisted by the US Commerce Department, which sells state-of-the-art offensive software tools and related services to government agencies.

"In 2018, we at ESET developed a custom system to locate watering holes on high-profile websites," said ESET researcher Matthieu Faou, who uncovered the watering hole campaigns. "On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been infected with malicious JavaScript code. The high-profile nature of the target caught our attention, and in the following weeks we noticed that other websites with links to the Middle East were also targeted."

"The group went quiet until January 2021, when we noticed a new wave of compromises. This second wave lasted until August 2021, when all the websites were cleaned up again, as in 2020, most likely by the perpetrators themselves."

In this campaign, some visitors to these websites were probably attacked via a browser exploit. However, ESET researchers were unable to recover either an exploit or any component of the malware. This indicates that the attackers have chosen to narrow the focus of their operations and do not want to expose their zero-day exploits, which shows how targeted this campaign is. The compromised websites are used only as a starting point for reaching the final targets.

It is very likely that the people running the watering hole campaigns are Candiru customers. The creators of the malicious documents and the operators of the watering holes are also potentially the same. Since Candiru was recently added to the US Commerce Department's sanctions list, a US-based organization cannot do business with Candiru without first obtaining permission from the Commerce Department.

"A University of Toronto Citizen Lab blogpost discussing Candiru, under the heading 'A Saudi-Linked Cluster?' mentioned a spearphishing document uploaded to VirusTotal and several domains managed by the attackers. The domain names are variations of genuine URL shorteners and web analytics websites, which is the same technique used for domains seen in watering hole attacks," Faou explains, linking the attacks to the Candiru company.
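The quote above points to a concrete defensive check: the attacker infrastructure used hostnames that were look-alikes of legitimate URL shorteners and web analytics services, so a page's external script sources can be audited against an allowlist of the services the site actually uses. The following is an added example written for this article; it is not ESET's detection system and all hostnames in it are constructed placeholders under the reserved `.example` domain. It collects `<script src>` hosts from a page, skips same-origin scripts, and flags any host that is a near-miss (small edit distance) of an allowlisted one.

```python
"""Audit a page's external <script src> hosts for look-alike domains.

Added example for this article, not ESET's tooling. All hostnames below are
constructed placeholders; replace LEGIT_HOSTS with the analytics/shortener
hosts your site genuinely loads.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: third-party script hosts the site is expected to use.
LEGIT_HOSTS = {
    "analytics.legit-stats.example",
    "short.legit-link.example",
}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def external_hosts(html, page_host):
    """Return the set of script hosts that differ from the page's own host.

    Relative URLs (e.g. /js/app.js) have no netloc and are treated as
    same-origin; protocol-relative URLs (//host/x.js) still yield a host.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.srcs:
        host = urlparse(src).hostname  # None for relative paths
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return hosts


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def classify(host, legit_hosts=LEGIT_HOSTS, max_distance=2):
    """Label a host as allowlisted, a look-alike of an allowlisted host, or unknown.

    A look-alike (within max_distance edits of a legitimate host) is the
    higher-priority finding, since it mimics infrastructure the site trusts.
    """
    if host in legit_hosts:
        return "allowlisted"
    closest = min(edit_distance(host, legit) for legit in legit_hosts)
    return "lookalike" if closest <= max_distance else "unknown"


def audit_page(html, page_host, legit_hosts=LEGIT_HOSTS):
    """Map every external script host on the page to its verdict."""
    return {
        host: classify(host, legit_hosts)
        for host in sorted(external_hosts(html, page_host))
    }


# Constructed sample page: one local script, one legitimate analytics host,
# one look-alike (a single character dropped) and one unrelated host.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://analytics.legit-stats.example/tag.js"></script>
<script src="//analytics.legit-stat.example/tag.js"></script>
<script src="https://cdn.unrelated-host.example/lib.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for host, verdict in audit_page(SAMPLE_HTML, "www.ministry.example").items():
        print(f"{verdict:12} {host}")
```

Run this periodically against the live HTML of the pages you are responsible for and diff the result against the previous run: an injected script tag shows up as a new `unknown` or `lookalike` host. The edit-distance threshold is deliberately small; raise it only with a longer allowlist, or it will start matching unrelated short hostnames.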

At the end of July 2021, shortly after Citizen Lab, Google and Microsoft published blog posts detailing Candiru's activities, ESET stopped seeing activity from this group. The operators appear to be taking a break, most likely to reorganize and better disguise their campaign. ESET Research expects them to return in the coming months.

For more technical details on these website attacks in the Middle East, read the blog post "Strategic web compromise in the Middle East with a pinch of Candiru" at WeLiveSecurity.


Written by newsbot
