This year has seen an uptick in so-called ‘watering hole’ attacks – in which hackers compromise a website to target its readers – on political news sites covering the Middle East, Hong Kong and North Korea. Cybersecurity experts advise organisations to consider whether they might have an audience that state-backed hackers might want to reach, and take the necessary precautions.
This year, news sites around the world have been subjected to a barrage of these attacks, in which hackers compromise sites that are popular among groups of people they wish to target.
Earlier this month, cybersecurity firm ESET revealed that it had detected a series of ‘watering hole’ attacks targeting media and government websites based in or relating to the Middle East. According to ESET’s incident report, London-based news site Middle East Eye was infected between January and August 2021.
Other news websites hit by watering hole attacks include Daily NK – run by North Korean dissidents and defectors – which was targeted from late March to June 2021, according to security company Volexity. In a report published this month, researchers at Google’s Threat Analysis Group revealed details of a watering hole campaign, discovered in late August, targeting pro-democracy media outlets based in Hong Kong.
Watering hole attacks allow hackers to target groups of people, rather than specific individuals. “Whilst spear-phishing operations allow threat actors to target specific individuals, watering hole attacks are less direct and will target anyone visiting an infected website, which may or may not include the intended targets for threat actors,” says Clement Briens, threat intelligence lead at Orpheus Cyber. “Watering hole attacks are typically used when trying to compromise victims fitting a certain profile, rather than specific individuals.”
The political nature of the targeted sites strongly implies the attackers are state-backed operatives seeking to compromise political opponents. Volexity attributed the Daily NK attack to a North Korean advanced persistent threat group called ‘InkySquid’, while ESET believes “there is a significant likelihood” that the Middle East attacks were perpetrated by “customers of Candiru”. Candiru is an Israeli spyware firm that was recently blacklisted by the US Department of Commerce for threatening the cybersecurity of civil society members, dissidents, government officials, and organisations across the globe.
How do watering hole cyberattacks work?
In most cases, watering hole attacks work by injecting a site’s pages with malicious HTML or JavaScript that silently loads content from, or redirects visitors to, an attacker-controlled server – often on a lookalike domain – which then serves an exploit or malware. According to Chris Kubecka, distinguished chair of the Middle East Institute’s Cyber Program, watering hole attacks are relatively easy to carry out because internet browsers run these scripts by default. “These can be nice scripts like making the page look nice, run ads, and collect information legitimately,” she says. “Or [it can be] nasty scripts which ruin your day, steal your information, or allow an attacker to view your webcam or listen in on your microphone.”
News websites are particularly vulnerable, says Briens, as they are likely to contain flaws that expose them to “cross-site-scripting and cross-frame-scripting” attacks, which take advantage of embedded media and comment sections.
According to the UK’s National Cyber Security Centre, watering hole attacks often trick victims into downloading a remote access Trojan, which, in turn, gives them access to the compromised device.
Many of the watering hole attacks that have emerged in recent months exploit zero-day vulnerabilities in software and devices. The attacks on media and pro-democracy outlets in Hong Kong, for example, served exploits to both iPhone and Mac visitors and took advantage of a then-unpatched flaw in macOS, according to Google’s researchers.
Indeed, the increase in attacks may reflect an uptick in zero-day exploits. According to the Zero Day Tracking Project, the number of zero-day exploits detected this year has been the highest in the past five years, with the total number found in 2021 so far twice the number detected last year. (Some experts argue that this could reflect the increased rate of detection of zero-day flaws by security researchers, however).
How can organisations protect against watering hole attacks?
For Briens, companies should consider whether they have an audience that hackers might want to reach. “Who would realistically attempt to compromise your organisation? For what motive? Are there recent examples of threat actors breaching organisations like yours? What techniques are these threat actors using?” he says. “Answering these questions will allow organisations to effectively prioritise and implement cybersecurity controls.”
For organisations that serve vulnerable and politically sensitive audiences, now is the time to consider these questions, as there are signs that watering hole attacks may return in the near future. In its analysis of watering hole attacks on Middle East targets, ESET warned that they may soon be on the increase. “At the time of writing, it seems that the operators are taking a pause, probably in order to retool and make their campaign stealthier. We expect to see them back in the ensuing months.”