About 25 websites linked to the Kurdish minority were compromised in a watering hole campaign designed to gather sensitive information from visitors over a period of roughly a year and a half.
French cybersecurity firm Sekoia, which disclosed details of the campaign under the name SilentSelfie, described the set of intrusions as long-running, with the first signs of infection dating back to December 2022.
The strategic web compromises were used to serve four different variants of an information-stealing script, the report added.
“They ranged from the simplest, which simply stole the user’s location, to the more sophisticated, which recorded images from the selfie camera and led selected users to install a malicious APK, i.e. an Android application,” security researchers Félix Aimé and Maxime A. said in Wednesday’s report.
Targeted websites include Kurdish press and media outlets, the Rojava administration and its armed forces, and sites associated with revolutionary far-left political parties and organizations in Turkey and the Kurdish regions. Sekoia told The Hacker News that the exact method by which these websites were compromised in the first place remains unclear.
The attacks have not been attributed to any known threat actor, suggesting the emergence of a new threat cluster targeting the Kurdish community, which has previously been targeted by groups such as StrongPity and BladeHawk.
Earlier this year, Dutch security firm Hunt & Hackett also revealed that Kurdish websites in the Netherlands had been targeted by the Türkiye-nexus threat actor known as Sea Turtle.
The watering hole attacks are characterized by the deployment of malicious JavaScript that collects various types of information from site visitors, including their location, device data (such as the number of processor cores, battery status and browser language) and their public IP address, among other things.
One variant of the spy script, found on three websites (rojnews(.)news, hawarnews(.)com and targetplatform(.)net), was also observed redirecting users to fake Android APK files, while other variants include the ability to track users by means of a cookie named “sessionIdVal”.
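The traits the report attributes to the spy script (fingerprinting of CPU count, battery and language, geolocation, selfie-camera access, the “sessionIdVal” cookie and .apk redirects) can be turned into a simple triage heuristic for site owners checking their own pages. The following Node.js scanner is an added example written for this article, not code from Sekoia or from any of the affected sites; the sample page, the indicator list and the two-indicator reporting threshold are all assumptions made for the demonstration.

```javascript
// Added example (not from the Sekoia report): heuristic scanner that flags
// inline <script> blocks showing several of the traits the article attributes
// to the SilentSelfie watering-hole JavaScript. Indicator list and threshold
// are assumptions chosen for this demo.

const INDICATORS = [
  { name: "geolocation",     re: /navigator\.geolocation\.(getCurrentPosition|watchPosition)/ },
  { name: "cpu-count",       re: /navigator\.hardwareConcurrency/ },
  { name: "battery",         re: /navigator\.getBattery\s*\(/ },
  { name: "language",        re: /navigator\.languages?\b/ },
  { name: "camera",          re: /getUserMedia\s*\(/ },                 // selfie-camera variant
  { name: "tracking-cookie", re: /sessionIdVal/ },                      // cookie name from the report
  { name: "apk-redirect",    re: /\.apk\b/i },                          // push to a fake Android app
];

// Constructed sample page: one external script, one benign inline script that
// only reads the browser language, and one inline script that behaves like the
// collector described in the article. Not a real compromised site.
const SAMPLE_HTML = `
<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script>document.documentElement.lang = navigator.language;</script>
</head><body>
<script>
  var d = { cpu: navigator.hardwareConcurrency, lang: navigator.language };
  navigator.getBattery().then(function (b) { d.battery = b.level; });
  navigator.geolocation.getCurrentPosition(function (p) {
    d.loc = [p.coords.latitude, p.coords.longitude];
  });
  document.cookie = "sessionIdVal=" + Math.random().toString(36).slice(2) + "; path=/";
  if (/Android/.test(navigator.userAgent)) { location.href = "/update/app.apk"; }
</script>
</body></html>`;

// Return the bodies of all inline <script> elements (external ones are skipped;
// they would need to be fetched and scanned separately).
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) scripts.push(m[2]);
  }
  return scripts;
}

// Score every inline script against the indicator list and report those that
// hit at least `threshold` indicators. A single hit (e.g. navigator.language
// for i18n) is normal; a cluster of them is what makes a script worth a look.
function scanPage(html, threshold = 2) {
  return extractInlineScripts(html)
    .map((body, index) => ({
      index,
      hits: INDICATORS.filter((i) => i.re.test(body)).map((i) => i.name),
    }))
    .filter((r) => r.hits.length >= threshold);
}

console.log(JSON.stringify(scanPage(SAMPLE_HTML), null, 2));
```

Every one of these browser APIs has legitimate uses, so a hit is a reason to read the script, not a verdict; the benign first script in the sample is correctly left alone because it touches only one indicator.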
The Android app, according to Sekoia’s analysis, embeds the website itself in a WebView and also covertly exfiltrates system information, the contact list, location data and files stored on external storage, depending on the permissions granted to it.
“It should be noted that this malicious code does not have any persistence mechanism, but only executes when the user opens the RojNews application,” the researchers noted.
“After the user opens the app, and after 10 seconds, the LocationHelper service starts sending a background signal to the URL rojnews(.)news/wp-includes/sitemaps/ via HTTP POST requests, sharing the user’s current location and waiting for commands to execute.”
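The beacon described above is unusual in one respect a web server operator can check for: the /wp-includes/sitemaps/ path on a WordPress site is normally only ever fetched with GET, so repeated POST requests to it from one client are worth flagging. The following Node.js script is an added example written for this article, not code from Sekoia or from the RojNews site; the access-log lines are constructed in Apache combined format and the client addresses, timestamps and user agents are invented for the demonstration.

```javascript
// Added example (not Sekoia's code): find clients that POST to paths which
// should only ever be fetched with GET, such as the /wp-includes/sitemaps/
// endpoint the report names as the implant's command-and-control URL.
// Log lines are constructed for this demo; addresses and agents are invented.

const SUSPECT_PATHS = [/^\/wp-includes\/sitemaps\/?/];

const LOG = `
203.0.113.7 - - [10/Sep/2024:09:12:01 +0000] "GET /wp-includes/js/jquery.js HTTP/1.1" 200 89476 "-" "Mozilla/5.0 (Linux; Android 13)"
203.0.113.7 - - [10/Sep/2024:09:12:11 +0000] "POST /wp-includes/sitemaps/ HTTP/1.1" 200 42 "-" "Dalvik/2.1.0 (Linux; U; Android 13)"
203.0.113.7 - - [10/Sep/2024:09:12:21 +0000] "POST /wp-includes/sitemaps/ HTTP/1.1" 200 42 "-" "Dalvik/2.1.0 (Linux; U; Android 13)"
198.51.100.4 - - [10/Sep/2024:09:13:00 +0000] "GET /wp-sitemap.xml HTTP/1.1" 200 1203 "-" "Googlebot/2.1"
198.51.100.4 - - [10/Sep/2024:09:13:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
`;

// Apache combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], ua: m[6] };
}

// Group POSTs to suspect paths by client address and return one finding per
// client with the number of beacons seen and the user agent of the first one.
function findBeacons(log) {
  const byIp = new Map();
  for (const raw of log.split("\n")) {
    const e = parseLine(raw.trim());
    if (!e || e.method !== "POST") continue;
    if (!SUSPECT_PATHS.some((re) => re.test(e.path))) continue;
    const list = byIp.get(e.ip) || [];
    list.push(e);
    byIp.set(e.ip, list);
  }
  return [...byIp.entries()].map(([ip, hits]) => ({
    ip,
    count: hits.length,
    first: hits[0].time,
    ua: hits[0].ua,
  }));
}

console.log(findBeacons(LOG));
```

The ordinary POST to wp-comments-post.php in the sample is not reported, because the check is on method and path together rather than on POST requests in general; a production version would read the log file in a stream and keep the suspect-path list alongside the other WordPress endpoints that legitimately accept POST.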
Little is known about who is behind SilentSelfie, but Sekoia believes it could be the work of the Kurdistan Regional Government of Iraq, based on the arrest of RojNews journalist Sileman Ehmed by KDP forces in October 2023. He was sentenced to three years in prison in July 2024.
“Although this watering hole campaign is unsophisticated, it is notable for the number of Kurdish websites affected and its duration,” the researchers said. “The campaign’s low level of sophistication suggests that this may be the work of an emerging threat actor with limited capabilities and relatively new to the field.”