A hacker group, Candiru, has compromised Middle East Eye, a London-based popular news website focussing on the Middle East. According to researchers from cybersecurity company ESET, the breach aimed to hack the website’s visitors.
The firm published a report on Tuesday outlining the entire hacking campaign, which started back in March 2020 and has run until August of this year. The report goes on to state that the hackers attacked around 20 websites with the same aim.
The website was compromised with something known as a watering hole attack. According to the researchers, the hack only targeted specific visitors and not all traffic on the website. The incident is quite similar to the recent attack on a Hong Kong pro-democracy website discovered by Google’s Threat Analysis Group.
Links with the Middle East targeted
The researchers state that the same group also hacked several other government sites in Iran, Yemen and Syria, an Italian Aerospace’s site and a South African government-owned defence group. All targets had links to the Middle East.
The hackers seem to be customers of Candiru, a somewhat mysterious Israeli spyware provider which was recently put on the US’ denylist. The company has no website, has changed its name several times, and is known to offer a high-end intelligence platform specialising in attacking PCs, smartphones, and networks.
The domains used by the malware connect to Candiru servers, which led the researchers to conclude with medium confidence that the hackers are, in fact, customers of the spyware company. However, since the researchers couldn’t find and extract the full payload, it’s difficult to say who the actual targets were.
Candiru has been doing this for some time now. In July this year, Microsoft patched two vulnerabilities exploited by Candiru’s spyware after Citizen Labs reported that the company was selling spyware that could infect and monitor iPhones, Android, Macs, PCs and cloud accounts to governments.
The Middle East Eye has condemned the attack in a press release stating that the site is no longer under threat. The release goes on to state that, “at present, we are confident that this attack has not compromised our ability to bring investigative and original reporting from the region.”
Matthieu Faou, the author of ESET’s report, says he contacted some of the websites affected by the attack but didn’t receive any answers. According to him, none of the websites is currently impacted. It is unclear whether that’s because the site admins found the malware and removed it or the attackers cleaned up after themselves.