Up to 25 websites associated with the Kurdish minority have been compromised in a watering hole attack that has run for more than 18 months and is aimed at harvesting sensitive information. French cybersecurity firm Sekoia, which unveiled the campaign named SilentSelfie, described the attack as long-term, with initial signs of infection dating back to December 2022.
The strategic website compromises are used to distribute four different variants of an information-stealing framework, according to Sekoia.
“These ranged from basic operations, such as stealing the user’s location, to more sophisticated ones that captured images from the selfie camera and prompted selected users to install a malicious APK, an application for Android devices,” security researchers Felix Aimé and Maxime A explained in a report published on Wednesday.
The targeted websites include Kurdish press and media outlets, the Rojava administration and its armed forces, and sites related to revolutionary far-left political parties and organizations in Turkey and Kurdish regions. Sekoia informed The Hacker News that the initial method of compromise for these websites remains unclear.
The attacks have not been linked to any known threat actor, suggesting the emergence of a new threat group targeting the Kurdish community, which has previously been targeted by groups like StrongPity and BladeHawk.
Earlier this year, Dutch security firm Hunt & Hackett disclosed that Kurdish websites in the Netherlands were targeted by a Türkiye-linked threat actor called Sea Turtle.
The watering hole attacks involve the use of malicious JavaScript, which collects various types of information from visitors, including their location, device data (such as CPU count, battery status, and browser language), and public IP address, among other details.

One variant of the reconnaissance script discovered on three websites (rojnews[.]news, hawarnews[.]com, and targetplatform[.]net) has been observed redirecting users to malicious Android APK files. Additionally, some versions include functionality for user tracking via a cookie named “sessionIdVal.”
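A site operator's triage check for the script behaviour described above, as an added example (not Sekoia's tooling and not code from the campaign): it flags inline scripts that reference the "sessionIdVal" cookie or combine the collection APIs matching the data types listed. The mapping to browser API names, the verdict labels and the thresholds are assumptions of this example.

```python
import re
from html.parser import HTMLParser
# Browser APIs matching the data types the article lists. The mapping from the
# article's wording to API names, and the thresholds below, are assumptions.
INDICATORS = {
    "geolocation": re.compile(r"navigator\s*\.\s*geolocation"),
    "cpu_count": re.compile(r"hardwareConcurrency"),
    "battery": re.compile(r"getBattery\s*\("),
    "language": re.compile(r"navigator\s*\.\s*languages?\b"),
    "camera": re.compile(r"getUserMedia\s*\("),
    "tracking_cookie": re.compile(r"sessionIdVal"),  # cookie name from the article
}

class InlineScripts(HTMLParser):
    """Collect the body of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def triage(source):
    """Return (verdict, matched indicator names) for one script body."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    if "tracking_cookie" in hits or {"camera", "geolocation"} <= set(hits):
        return "review-now", hits
    return ("suspicious" if len(hits) >= 3 else "ok"), hits

def scan_page(html):
    """Triage each inline script of a fetched page, in document order."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    return [triage(body) for body in parser.scripts]

SAMPLE_PAGE = (  # constructed sample: harmless inline scripts, not campaign code
    "<script>document.title = navigator.language;</script>"
    "<script>navigator.geolocation.getCurrentPosition(cb);"
    " var n = navigator.hardwareConcurrency; navigator.getBattery().then(cb);</script>"
    '<script>document.cookie = "sessionIdVal=" + id;</script>'
)
```

Legitimate scripts also use these APIs, so a flag means the script needs manual review against the site's known-good source. Externally loaded scripts are not fetched here and need the same check applied to their bodies via `triage`.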
According to Sekoia’s analysis, the Android app integrates the website as a WebView while covertly collecting system information, contact lists, location data, and files stored in external storage based on the permissions granted to it.
“It’s important to note that this malicious code lacks a persistence mechanism and is only activated when the user opens the RojNews application,” the researchers highlighted.
Upon opening the app, a service called LocationHelper starts running after 10 seconds, sending the user’s current location to the URL rojnews[.]news/wp-includes/sitemaps/ via HTTP POST requests and awaiting further commands.
While the identity behind SilentSelfie remains unknown, Sekoia has speculated that it may be linked to the Kurdistan Regional Government of Iraq, referencing the arrest of RojNews journalist Silêman Ehmed by KDP forces in October 2023. He was sentenced to three years in prison in July 2024.
“Although the watering hole campaign is not highly sophisticated, it is significant due to the number of Kurdish websites affected and the campaign’s longevity,” the researchers stated. “The low level of sophistication indicates it may be the work of an emerging threat actor with limited capabilities and relatively little experience in the field.”