Cybersecurity researchers tracked a hacking campaign spanning more than a year that hit around 20 websites – Israeli spyware vendor Candiru, recently blacklisted by the US, waged “watering hole” attacks on UK and Middle East websites critical of Saudi Arabia and others
A group of hackers compromised a popular London-based news website that focuses on the Middle East with the goal of hacking its visitors, according to researchers.
On Tuesday, cybersecurity firm ESET published a report detailing the hacking campaign, which spanned from March 2020 until August of this year. During this time, according to the report, hackers compromised around 20 websites, including Middle East Eye, a popular independent news site that covers the Middle East and Africa and is based in the UK.
The hackers compromised these websites in what are technically known as watering hole attacks, a type of cyberattack where hackers use legitimate websites to target people who visit them. In this case, the hackers did not target all visitors of the websites, but only specific ones, according to ESET.
“We were never able to get the final payload. So it shows that attackers are very careful in the selection of the targets,” Matthieu Faou, a researcher at ESET, told Motherboard in a phone call.
Because the researchers could not retrieve the malware, “we don’t know who are the final targets,” Faou said.
ESET researchers explained in the report that the hackers also compromised several government websites in Iran, Syria, and Yemen, as well as the sites of an Italian aerospace company and a South African government owned defense conglomerate—all websites with links to the Middle East. The hackers, according to ESET, may have been customers of the Israeli spyware vendor Candiru, a company that was recently put on a denylist by the US Government.
Candiru is one of the most mysterious spyware providers out there. The company has no website, and it has allegedly changed names several times. Candiru offers “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets,” according to a document seen by Haaretz. The Israeli newspaper was the first one to report Candiru’s existence in 2019. Since then, several cybersecurity companies and groups such as Kaspersky Lab, Microsoft, Google, and Citizen Lab, have tracked its malware.
