As many as 25 web sites linked to the Kurdish minority have been compromised as a part of a watering gap assault designed to reap delicate info for over a yr and a half.
French cybersecurity agency Sekoia, which disclosed particulars of the marketing campaign dubbed SilentSelfie, described the intrusion set as long-running, with first indicators of an infection detected way back to December 2022.
The strategic net compromises are designed to ship 4 completely different variants of an information-stealing framework, it added.
“These ranged from the simplest, which merely stole the user’s location, to more complex ones that recorded images from the selfie camera and led selected users to install a malicious APK, i.e an application used on Android,” safety researchers Felix Aimé and Maxime A stated in a Wednesday report.
Focused web sites embrace Kurdish press and media, Rojava administration and its armed forces, these associated to revolutionary far-left political events and organizations in Türkiye and Kurdish areas. Sekoia advised The Hacker Information that the precise technique by which these web sites have been breached within the first place stays unsure.
The assaults haven’t been attributed to any recognized menace actor or entity, indicating the emergence of a brand new menace cluster concentrating on the Kurdish neighborhood, which has been beforehand singled out by teams like StrongPity and BladeHawk.
Earlier this yr, Dutch safety agency Hunt & Hackett additionally revealed that Kurdish web sites within the Netherlands have been singled out by a Türkiye-nexus menace actor often called Sea Turtle.
The watering gap assaults are characterised by the deployment of a malicious JavaScript that is accountable for gathering varied sorts of data from web site guests, together with their location, machine information (e.g., variety of CPUs, battery standing, browser language, and so forth.), and public IP deal with, amongst others.
One variant of the reconnaissance script discovered on three web sites (rojnews[.]information, hawarnews[.]com, and targetplatform[.]internet.) has additionally been noticed redirecting customers to rogue Android APK recordsdata, whereas some others embrace the flexibility for consumer monitoring by way of a cookie named “sessionIdVal.”
The Android app, per Sekoia’s evaluation, embeds the web site itself as a WebView, whereas additionally clandestinely hoovering system info, contact lists, location, and recordsdata current within the exterior storage primarily based on the permissions granted to it.
“It is worth noting that this malicious code doesn’t have any persistence mechanism but is only executed when the user opens the RojNews application,” the researchers identified.
“Once the user opens the application, and after 10 seconds, the LocationHelper service starts beaconning the background to the URL rojnews[.]news/wp-includes/sitemaps/ via HTTP POST requests, sharing the current location of the user and waiting for commands to execute.”
Not a lot is understood about who’s behind SilentSelfie, however Sekoia has assessed that it could possibly be the handiwork of the Kurdistan Regional Authorities of Iraq primarily based on the arrest of RojNews journalist Silêman Ehmed by KDP forces in October 2023. He was sentenced to a few years in jail in July 2024.
“Even though this watering hole campaign is of low sophistication, it is notable for the number of kurdish websites affected and its duration,” the researchers stated. “The campaign’s low level of sophistication suggests it might be the work of an uncovered threat actor with limited capabilities and relatively new to the field.”
