
    Watering Hole Attack on Kurdish Platforms Unleashes Harmful APKs and Spyware

    An alarming infiltration campaign has been uncovered, where up to 25 Kurdish-related websites have fallen victim to a sustained watering hole strategy, aiming to siphon off sensitive data for over 18 months.

    Revealed by French cybersecurity group Sekoia, who named the campaign “SilentSelfie,” this cyber onslaught is said to have been quietly festering since at least December 2022, pointing to its prolonged nature.

    These strategic online breaches were crafted to deploy not just one but four distinct variants of a data-exfiltrating framework, each designed to target victims with a different degree of intrusiveness.

    “These frameworks ranged from simple ones that only retrieved the user’s geolocation, to more sophisticated variants that could access the device’s selfie camera and lure certain users into installing malicious APK files,” explained security specialists Felix Aimé and Maxime A in their report on Wednesday.

    The sites targeted in this operation span Kurdish media, Rojava’s administrative entities and military units, as well as pages connected to revolutionary far-left political organizations operating in Türkiye and Kurdish regions. Despite the scale, Sekoia disclosed to The Hacker News that the initial method used to compromise these websites remains ambiguous.

    As of now, the attackers have not been conclusively linked to any familiar cyberthreat group, signaling the rise of a fresh threat faction zeroing in on the Kurdish demographic—previously targeted by notorious groups such as StrongPity and BladeHawk.

    Earlier this year, Dutch security firm Hunt & Hackett also reported that Kurdish websites hosted in the Netherlands were targeted by a Türkiye-aligned threat actor named Sea Turtle.

    The watering hole attack’s blueprint involves the insertion of malicious JavaScript, which is responsible for vacuuming up various types of data from visitors. This includes their physical location, device-specific information (such as CPU count, battery health, browser settings, etc.), and their public IP address, among other details.

    One notable version of the reconnaissance script, which was observed on sites like rojnews[.]news, hawarnews[.]com, and targetplatform[.]net, even redirected users to fraudulent Android APK files. Furthermore, some versions integrated the ability to track users through a cookie named “sessionIdVal.”
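The traits described in the two paragraphs above (geolocation, CPU count and battery queries, camera access, the "sessionIdVal" cookie, and redirects to APK files) can be turned into a simple scanner that a site owner or analyst runs over a page's HTML. The following is an added example written for this article, not Sekoia's code or anything recovered from the compromised sites; the regular expressions are this example's assumptions about how such traits appear in injected JavaScript, and the sample page, scripts and baseline are constructed. It flags inline scripts that combine several traits, and separately reports scripts whose hash is not in a known-good baseline, which is how an injection into an otherwise unchanged site surfaces:

```python
"""Added example: scan a page's inline scripts for the reconnaissance traits the
SilentSelfie write-up describes. Not Sekoia's code; all samples below are constructed."""
import hashlib
import re
from dataclasses import dataclass, field

# Browser APIs and strings the article attributes to the injected script (assumed patterns).
# Any one of these is common in legitimate code; scoring below requires several together.
INDICATORS = {
    "geolocation": re.compile(r"navigator\.geolocation\.(?:getCurrentPosition|watchPosition)"),
    "cpu_count": re.compile(r"navigator\.hardwareConcurrency"),
    "battery": re.compile(r"navigator\.getBattery\s*\("),
    "camera": re.compile(r"mediaDevices\.getUserMedia\s*\("),
    "tracking_cookie": re.compile(r"\bsessionIdVal\b"),
    "apk_redirect": re.compile(r"\.apk\b", re.IGNORECASE),
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


@dataclass
class Finding:
    script_index: int          # position of the <script> block in the page
    sha256: str                # hash of the script body, for baselining and sharing
    indicators: list = field(default_factory=list)


def extract_scripts(html: str) -> list:
    """Return the bodies of all inline <script> blocks in document order."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def script_hash(body: str) -> str:
    """Hash the script body with surrounding whitespace removed, so reformatting alone does not change it."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def scan_html(html: str, min_indicators: int = 2) -> list:
    """Flag inline scripts that combine min_indicators or more reconnaissance traits."""
    findings = []
    for i, body in enumerate(extract_scripts(html)):
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if len(hits) >= min_indicators:
            findings.append(Finding(i, script_hash(body), hits))
    return findings


def unknown_scripts(html: str, baseline_hashes: set) -> list:
    """Site-owner check: indexes of inline scripts whose hash is not in the known-good baseline.
    A watering hole injection shows up as a hash the baseline has never seen."""
    return [i for i, body in enumerate(extract_scripts(html))
            if script_hash(body) not in baseline_hashes]


# Constructed sample page: one benign script, one script carrying traits from the article.
BENIGN_SCRIPT = "document.getElementById('year').textContent = new Date().getFullYear();"
SUSPICIOUS_SCRIPT = """
document.cookie = 'sessionIdVal=' + Math.random();
navigator.geolocation.getCurrentPosition(function(p) { window.pos = p; });
var cores = navigator.hardwareConcurrency;
navigator.getBattery().then(function(b) { window.bat = b.level; });
"""
SAMPLE_HTML = (
    "<html><head><script>" + BENIGN_SCRIPT + "</script></head>"
    "<body><script type='text/javascript'>" + SUSPICIOUS_SCRIPT + "</script></body></html>"
)
# Baseline as it would have looked before the compromise: only the benign script is known.
BASELINE = {script_hash(BENIGN_SCRIPT)}

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"script #{f.script_index} sha256={f.sha256[:12]} hits={f.indicators}")
    print("scripts not in baseline:", unknown_scripts(SAMPLE_HTML, BASELINE))
```

The indicator match is useful for triage when no baseline exists, but every API listed is legitimate on its own, so the threshold matters; the hash comparison is the stronger control for a site you operate, because any script the build did not ship is worth a look regardless of what it calls.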

    According to Sekoia’s analysis, the Android app in question embeds the compromised website in a WebView component and covertly hoovers up system details, contact lists, geolocation, and files stored on external storage drives, subject to granted permissions.

    “The malicious code lacks a persistence mechanism, meaning it only functions when the RojNews app is actively opened,” the researchers clarified.

    “Once the user launches the app, a 10-second countdown begins before the LocationHelper service starts transmitting the user’s current location to the URL rojnews[.]news/wp-includes/sitemaps/ through HTTP POST requests, simultaneously awaiting instructions for further actions.”
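The beaconing the researchers describe, HTTP POST requests to a path under wp-includes/sitemaps/, is also visible on the server side of any site that was used this way. The following is an added example, not Sekoia's code or anything taken from the compromised sites: it parses combined-format access log lines and reports POST requests that land on library paths under /wp-includes/, which on a stock WordPress install are only ever fetched, never posted to (that read-only assumption is this example's, not the article's). The log lines are constructed:

```python
"""Added example: flag HTTP POST requests to library paths under /wp-includes/ in web server
access logs. Not Sekoia's code; the log lines are constructed and the read-only assumption
about /wp-includes/ is this example's."""
import re
from collections import defaultdict

# Apache/nginx combined log format: client, ident, user, [time], "METHOD PATH PROTO",
# status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: these prefixes serve static library files and should only see GET/HEAD.
READ_ONLY_PREFIXES = ("/wp-includes/",)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_posts(lines) -> dict:
    """Return {client: [paths]} for POST requests that hit read-only library paths."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable lines are skipped, not fatal
        if rec["method"] == "POST" and rec["path"].startswith(READ_ONLY_PREFIXES):
            hits[rec["client"]].append(rec["path"])
    return dict(hits)


# Constructed sample: a normal asset fetch, two POSTs to a library path from one client,
# a legitimate admin-ajax POST from another client, and a line that does not parse.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "GET /wp-includes/js/jquery/jquery.min.js HTTP/1.1" 200 89476 "https://example.invalid/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2024:12:00:11 +0000] "POST /wp-includes/sitemaps/ HTTP/1.1" 200 12 "-" "okhttp/4.9.0"',
    '198.51.100.3 - - [10/Jul/2024:12:00:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "https://example.invalid/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2024:12:00:21 +0000] "POST /wp-includes/sitemaps/ HTTP/1.1" 200 12 "-" "okhttp/4.9.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, paths in suspicious_posts(SAMPLE_LOG).items():
        print(f"{client}: {len(paths)} POST(s) to read-only paths: {sorted(set(paths))}")
```

Run against a real log, the output is a short list of client addresses and paths to examine; a site that was used as a collection point would show many distinct clients posting to the same library path, while a clean site should show none.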

    While the orchestrators behind SilentSelfie remain cloaked in mystery, Sekoia speculated that the campaign might be tied to the Kurdistan Regional Government of Iraq. This is based on the October 2023 arrest of RojNews journalist Silêman Ehmed by KDP forces, followed by his sentencing to three years imprisonment in July 2024.

    “Despite the campaign’s low complexity, it stands out due to the sheer number of Kurdish websites compromised and its extended duration,” the researchers remarked. “The unsophisticated nature of this operation hints that it could be the work of a nascent threat group with limited resources, still finding its footing in the world of cyber espionage.”
