Israeli spyware vendor Candiru, which was added to a U.S. government economic blocklist this month, reportedly waged “watering hole” attacks against high-profile entities in the U.K. and the Middle East, new findings reveal.
“The victimized websites belong to media outlets in the U.K., Yemen, and Saudi Arabia, as well as to Hezbollah; to government institutions in Iran (Ministry of Foreign Affairs), Syria (including the Ministry of Electricity), and Yemen (including the Ministries of Interior and Finance); to internet service providers in Yemen and Syria; and to aerospace/military technology companies in Italy and South Africa,” ESET said in a new report. “The attackers also created a website mimicking a medical trade fair in Germany.”
The strategic web compromises are believed to have occurred in two waves: the first commenced as early as March 2020 and ended in August 2020, and the second string of attacks began in January 2021 and lasted until early August 2021, when the targeted websites were stripped clean of the malicious scripts.
Watering hole attacks are a form of highly targeted intrusion: rather than going after the victims directly, the adversary backdoors websites that members of a specific group are known to frequent, using those sites as a gateway into the visitors’ machines for follow-on exploitation.
“The compromised websites are only used as a jumping-off point to reach the final targets,” the Slovak cybersecurity firm said, linking the second wave to a threat actor tracked by Kaspersky as Karkadann, citing overlaps in the tactics, techniques, and procedures (TTPs). The Russian company has described the group as targeting government bodies and news outlets in the Middle East since at least October 2020.
The exact exploit and the final payload delivered remain unknown for now. “This shows that the operators choose to narrow the focus of their operations and that they don’t want to burn their zero-day exploits,” ESET malware researcher Matthieu Faou said.
The campaign’s links to Candiru stem from the fact that some of the command-and-control servers used by the attackers resemble domains previously identified as belonging to the Israeli company, and from the fact that Candiru is known to have browser-based remote code execution exploits in its arsenal, raising the possibility that “the operators of the watering holes are customers of Candiru.”
ESET noted that the attackers ceased operations at the end of July 2021, coinciding with public disclosures about Candiru’s use of multiple zero-day vulnerabilities in the Chrome browser to target victims located in Armenia. “It seems that the operators are taking a pause, probably in order to retool and make their campaign stealthier,” Faou said. “We expect to see them back in the ensuing months.”