ESET researchers have developed a custom system to uncover watering-hole attacks on high-profile websites. This enabled us to discover campaigns from well-known cyberespionage groups such as Turla, Ocean Lotus, Evil Eye and APT37. Sometimes it is even more interesting when it leads to the discovery of a new threat actor.
Over the past two years, we uncovered strategic web compromises on more than twenty different high profile websites mainly located in the Middle East. Targets include Middle Eastern governments and media, European and African defense contractors, a media outlet based in the United Kingdom and a medical conference in Germany. We assess that this aligns with the activities of a threat group publicly known as Karkadann.
In order to blend into the vast number of legitimate scripts loaded by the compromised websites, Karkadann disguises its domains as analytics or URL shortener services. Sometimes they also re-register old and abandoned domains that were used by analytics platforms years ago. A close tracking of their network infrastructure allowed us to make a link with the recent Citizen Lab publication “Hooking Candiru”. We believe that Karkadann is what Citizen Lab named the “Saudi-Linked Cluster”. While we think these watering holes are operated in-house by the threat actor, it is very likely that they also are a customer of Candiru, an Israeli mercenary spyware firm.
In this presentation, we will provide a breakdown of the targeting, including the switch in 2021 to a focus on Yemen and entities linked to the war in Yemen. In addition, we will also provide a technical analysis of the scripts used to gather information on visitors to the compromised websites. In addition, we will show how they improved their infrastructure over the months to make the tracking more difficult and to prevent researchers from grabbing the exploits and payloads. Finally, we will show how the spyware firm Candiru fits into the whole picture.