Watering hole attacks on the media, governments and defense companies

The investigation focuses on spyware from the Israeli company Candiru. ESET has exposed watering hole attacks on the media, governments and defense companies; the attacks target these organizations' websites.

Researchers at the European IT security vendor ESET have uncovered strategic attacks on the websites of media outlets, governments, Internet service providers and aviation and defense companies. According to current knowledge, the focus is on organizations in Middle Eastern countries or with connections to the region. The affected countries are Iran, Saudi Arabia, Syria, Italy, Great Britain, South Africa and, above all, Yemen.

A German website was also targeted

Germany was also targeted by the cyber spies: the attackers set up a fake copy of the website of the Düsseldorf-based medical trade fair Medica. The hacking campaign may be closely related to Candiru, an Israeli maker of spy software. The US Department of Commerce blacklisted the company in early November 2021 for selling cutting-edge attack software and services to government agencies. The ESET security researchers published technical details at https://www.welivesecurity.com/deutsch/2021/11/17/watering-hole-angriff-im-nahen-osten/

The range of the attacked websites is considerable

  • Media in the UK, Yemen and Saudi Arabia, and media linked to Hezbollah
  • Government institutions in Iran (Foreign Ministry), Syria (including Ministry of Electricity) and Yemen (including Ministry of Interior and Finance)
  • Internet service providers in Yemen and Syria
  • Aerospace and military engineering companies based in Italy and South Africa
  • Medical trade fair in Germany

Maximum secrecy in watering hole attacks

So-called "watering hole attacks" were used, which are aimed specifically at Internet users in a certain industry or function. The attackers identify websites that the intended victims visit frequently. The aim is to plant malicious code on the website and thereby infect the computers of the target persons. In the campaign discovered here, selected visitors to the websites were probably attacked via a browser exploit. This was done in a highly targeted manner and with as few zero-day exploits as possible. The actors evidently worked in a highly focused way and tried to limit the scope of their operations, most likely to keep their activities from becoming known at all. There is hardly any other explanation for the fact that ESET was unable to recover exploits or payloads.

ESET's vulnerability system sounded the alarm as early as 2020

“In 2018, we built a custom internal system to uncover vulnerabilities on high-profile websites. On July 11, 2020, our system reported that the website of the Iranian embassy in Abu Dhabi was infected with malicious JavaScript code. Our curiosity was piqued as it was a government website. In the weeks that followed, we noticed that other websites with connections to the Middle East were also being attacked,” says ESET researcher Matthieu Faou, who uncovered the watering hole campaigns.

During the 2020 campaign, the malicious code checked the operating system and the web browser of each visitor. Only desktop computer systems and servers were attacked. In the second wave, the attackers started modifying scripts that were already present on the compromised websites, which allowed them to act unnoticed. “After a prolonged hiatus that lasted until January 2021, we saw new attack campaigns. This second wave lasted until August 2021,” adds Faou.

MEDICA in Düsseldorf was also attacked

The attackers were also active in Germany and set up a fake copy of a website belonging to the MEDICA trade fair (“World Forum for Medicine”). They cloned the original website and added a small piece of JavaScript code. It is likely that the attackers were unable to compromise the legitimate website, so they were forced to set up a fake website in order to inject the malicious code.

Israeli spyware company Candiru under suspicion

A blog post by Citizen Lab at the University of Toronto about the Israeli company Candiru describes, in the section “A Saudi-Linked Cluster?”, a spearphishing document that was uploaded to VirusTotal. It also lists several domains operated by the attackers. The domain names are variations of real URL shorteners and web analytics websites. "That is the same technique used for the domains in the watering hole attacks," explains the ESET researcher, linking the attacks to Candiru.
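Two of the behaviours described above lend themselves to a defender-side check of a site's own pages: scripts on a compromised site being modified in place, and script sources pointing at lookalike domains of real URL shorteners and analytics services. The following Python scanner is an added example, not ESET's code or anything from the report; the list of legitimate domains, the sample HTML and the baseline hash are constructed for illustration.

```python
# Added example (not ESET's code): flag lookalike script hosts and inline scripts that differ from a baseline.
import hashlib
import re
from urllib.parse import urlparse

# Illustrative legitimate hosts (assumption, not from the report); near-misses of these are suspicious.
LEGIT_HOSTS = ["google-analytics.com", "googletagmanager.com", "bit.ly", "tinyurl.com"]
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)

def levenshtein(a, b):
    """Edit distance; a small distance between domains is the typosquatting signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # cdn.example.com -> example.com

def lookalike_script_hosts(html, legit=LEGIT_HOSTS):
    """Return (host, imitated_domain) for script sources close to, but not equal to, a legit domain."""
    flagged = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if not host:
            continue  # relative URL: same-origin script, covered by the baseline check below
        dom = registered_domain(host)
        for good in legit:
            max_dist = 1 if len(good) < 10 else 2  # short names need a tighter threshold
            if dom != good and levenshtein(dom, good) <= max_dist:
                flagged.append((host, good))
                break
    return flagged

def modified_inline_scripts(html, baseline):
    """Return SHA-256 digests of inline scripts that are not in the known-good baseline set."""
    found = [hashlib.sha256(s.strip().encode()).hexdigest() for s in INLINE_SCRIPT.findall(html)]
    return [d for d in found if d not in baseline]

# Constructed sample page: a genuine tag-manager script, a lookalike analytics host,
# one inline script known from the baseline and one newly injected loader.
SAMPLE_HTML = """<html><head><script src="https://www.googletagmanager.com/gtag/js?id=UA-1"></script>
<script src="https://cdn.google-analitycs.com/analytics.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>var s=document.createElement('script');s.src='/assets/stats.js';</script></head></html>"""
BASELINE = {hashlib.sha256(b"window.dataLayer = window.dataLayer || [];").hexdigest()}
```

Run against a crawl of your own site and diff the results between crawls; a new digest or a newly flagged host is the kind of change that warrants a look at the deployed files.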

It is quite possible that the operators of the watering hole campaigns are customers of Candiru. The Israeli espionage company was recently added to the US Department of Commerce's Entity List, which prevents any US-based organization from doing business with Candiru without first obtaining a license from the Department of Commerce.

Current status

The people behind the watering hole attacks appear to be taking a break. They may be using the time to rework their campaign and make it less conspicuous. ESET security researchers expect them to be active again in the coming months. Further technical details on these watering hole attacks on websites in the Middle East can be found online at ESET.

More at ESET.com
About ESET

ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.