In a recent cybersecurity incident, approximately 25 websites associated with the Kurdish minority have fallen victim to a sophisticated watering hole attack designed to collect sensitive information over an extended period of time, reportedly lasting more than 18 months. French cybersecurity firm Sekoia disclosed the details of the campaign, labeled “SilentSelfie,” highlighting initial signs of this intrusion as early as December 2022. The nature of the attacks has raised significant alarm in the cybersecurity community due to their strategic implementation.
The targeted online portals primarily include those linked to Kurdish media, political parties on the far left, and Kurdish administrative organizations. Sekoia’s analysis suggests that these attacks are aimed at delivering four distinct variants of malicious software that can effectively extract personal information, including the users’ geolocation and images from their devices’ cameras. This is indicative of advanced adversary tactics, aligning with MITRE ATT&CK techniques related to initial access, such as watering hole exploitation and information theft.
According to Sekoia, the malicious activity involves the deployment of malicious JavaScript, which discreetly collects a variety of data from individuals visiting these compromised sites. Key data points harvested include users’ geographical locations, device specifications, and public IP addresses. This broad information-gathering approach is characteristic of attacks utilizing Tactics associated with credential access and information collection as per the MITRE framework.
One particular variant of the attack has been observed redirecting unsuspecting users to rogue APK files designed for Android devices. It’s worth noting that some iterations of this malware can track users through cookies, such as one labeled “sessionIdVal,” facilitating continuous monitoring. Moreover, an Android application, disguised as a news application, appears to stealthily access system information, contacts, location data, and files stored on the device, contingent on permissions granted upon installation.
While the precise origin of the SilentSelfie campaign remains uncertain, speculation points to potential involvement by state-sponsored actors, particularly the Kurdistan Regional Government of Iraq, especially in light of recent events involving the detention of a Kurdish journalist in October 2023. The nature of the campaign, although described as lacking sophistication, underscores a newly emerging threat landscape targeting the Kurdish community, which has previously been under the radar of known threat actors such as StrongPity and BladeHawk.
The persistence of this campaign, combined with its affectation of numerous Kurdish websites, raises critical concerns for organizations operating in or engaging with this digital space. As the sophistication level remains relatively low, security vendors suggest that the threat may stem from nascent actors with limited capabilities, signaling a need for heightened vigilance among potential targets.
As the digital threat environment evolves, tracking and understanding these incidents becomes increasingly pivotal for businesses, particularly those in sectors intersecting with susceptible communities. It is essential for organizations to recognize the tactics outlined in the MITRE ATT&CK framework, which could assist in preparing defenses against similar, evolving malicious campaigns in the future. Keeping abreast of these developments not only aids in safeguarding sensitive information but also bolsters resilience against the encroaching risks posed by such targeted attacks.
