Cybersecurity researchers today uncovered new details of watering hole attacks against the Kurdish community in Syria and Turkey for surveillance and intelligence exfiltration purposes.
The advanced persistent threat behind the operation, called StrongPity, has retooled with new tactics to control compromised machines, cybersecurity firm Bitdefender said in a report shared with The Hacker News.
“Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanised popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking,” the researchers said.
With the timestamps of the analysed malware samples used in the campaign coinciding with the Turkish offensive into north-eastern Syria (codenamed Operation Peace Spring) last October, Bitdefender said the attacks could have been politically motivated.
Using Tainted Installers to Drop Malware
StrongPity (or Promethium) was first publicly reported on in October 2016 after attacks against users in Belgium and Italy that used watering holes to deliver malicious versions of WinRAR and TrueCrypt file encryption software.
Since then, the APT has been linked to a 2018 operation that abused Türk Telekom’s network to redirect hundreds of users in Turkey and Syria to malicious StrongPity versions of authentic software.
images from Hacker News