A hacker group, OilAlpha, which appears to support the Houthis in Yemen, has targeted humanitarian and international organizations in the Arabian Peninsula using phishing techniques on WhatsApp. The threat actors are allegedly focused on organizations connected to the media, non-governmental activities, international humanitarian efforts, and the development sector. It is nearly certain that the targeted entities shared interests in Yemen, security, humanitarian aid, and reconstruction initiatives. The attack was reported by a cybersecurity firm that had been tracking OilAlpha’s ongoing hacking campaign since May 2022.
Recorded Future’s threat research division, Insikt Group, has followed OilAlpha’s activities and has claimed that the group targeted people who supported the Saudi Arabian government-led negotiations. The attackers used spoofed Android applications impersonating organizations working with the UAE humanitarian entity and the Saudi Arabian government, among others.
Insikt suspects OilAlpha is pro-Houthi because the phishers targeted only those individuals with whom the Houthis wished to engage directly.
How did OilAlpha Carry Out Phishing Attacks Through WhatsApp?
OilAlpha sent malicious Android files to political representatives and journalists on WhatsApp. The recipients were part of the negotiations hosted by Saudi Arabia from April to May 2022 between Yemeni leaders involved in the nearly decade-long civil war. The hacking group targets Android phones, which are widely used in the region. Let us see how they sent the malicious files.
- OilAlpha used infrastructure owned by the Yemeni government, the Public Telecommunications Corporation (PTC), which is widely known to be under the direct control of Houthi authorities.
- The phishing group launched its campaign through WhatsApp, an end-to-end encrypted chat messenger.
- The campaign used URL shorteners in messages sent to Android devices, and the victims were Arabic-language speakers.
- The messages contained long Arabic text and a WhatsApp document file that carried a malicious link along with an image of a government document.
It has been claimed that njRAT samples communicate with C2 servers associated with this group, which indicates that it may go on to use other malware in its attacks. The attackers appear likely to target individuals and entities supporting Yemen’s political and security developments, along with other non-governmental organizations operating in the country.
OilAlpha was most likely planning espionage activities, as it used Remote Access Trojans (RATs) such as SpyMax and SpyNote in this phishing attack. Both SpyNote and SpyMax can be very harmful, as they have the ability to access the device’s camera and audio, SMS data, call logs, network information, contact information, and GPS location data.
Beyond journalists and political representatives, the hacking group has also targeted non-governmental organizations that conduct or coordinate disaster response and humanitarian work in Yemen. OilAlpha has spoofed the applications of organizations such as the Norwegian Refugee Council, the United Nations Children’s Emergency Fund, and the Red Crescent Society. However, the group appears to have made no deliberate effort to hide its infrastructure. The group’s exclusive use of dynamic DNS further provides a significant clue for attribution purposes.
Did OilAlpha Succeed in its Operations?
There is no clear indication of how successful OilAlpha has been in the ongoing campaign, but researchers, after noticing the icons of these entities in the malware, allege that the hacker group has also spoofed other Saudi Arabian organizations. These include King Salman Humanitarian Aid, the King Khalid Foundation, Relief Centre, and Project MASAM.
The applications of organizations that manage disaster and humanitarian work in Yemen were also spoofed by OilAlpha, including those of the Norwegian Refugee Council, the Red Crescent Society, and the United Nations Children’s Emergency Fund.
The report noted that there is still a lot more to find out before concluding that Yemeni operatives are behind the ongoing OilAlpha phishing campaign. John Condra, Director of Strategic and Persistent Threats at Insikt Group, said, “Uncertainly, it is difficult to determine if there has been any compromise of those assets and consequently, it is possible that foreign threat actors are utilizing them.”
He further stated that it is not yet clear whether the group is selling its infrastructure to other attackers or using it to target individuals of its own interest. Outside actors such as Iraqi Hezbollah, and Iranian and Lebanese hackers favouring the Islamic Revolutionary Guard Corps, have a vested interest in the outcome of the civil war, which is what gives rise to this threat.
How can Organizations Prevent WhatsApp Phishing Attacks?
To prevent phishing attacks through WhatsApp, organizations should prioritize employee awareness and training, educating staff about the risks of WhatsApp phishing and providing guidance on identifying and handling suspicious messages. Organizations must employ WhatsApp phishing simulation and awareness training solutions to turn their employees into the strongest line of defense against such attacks.
Implementing strong security policies, including the use of strong passwords and discouraging the sharing of sensitive information, is crucial. Enabling two-factor authentication (2FA) adds an extra layer of security to WhatsApp accounts. Additionally, employees should verify the authenticity of senders before responding to messages, using alternative communication channels to confirm their identity when dealing with requests for sensitive information or financial transactions. These measures collectively enhance protection against phishing attacks on WhatsApp.
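As an added defender-side example (not code from the original article or from the Insikt report), the following Python triage routine flags the indicators the article describes: shortened URLs, links pointing at dynamic-DNS hosts, and Android APK files delivered as links or attachments. The shortener and dynamic-DNS lists and the sample messages are constructed placeholders, not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed example lists; extend them from your own threat-intel feeds.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd"}
DYNAMIC_DNS_SUFFIXES = (".no-ip.com", ".ddns.net", ".duckdns.org", ".hopto.org")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_indicators(url):
    """Return the set of indicator names that apply to a single URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    hits = set()
    if host in URL_SHORTENERS:
        hits.add("url_shortener")   # real destination hidden behind a shortener
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        hits.add("dynamic_dns")     # infrastructure pattern noted in the article
    if parsed.path.lower().endswith(".apk"):
        hits.add("apk_download")    # sideloaded Android package
    return hits


def triage_message(text, attachments=()):
    """Collect indicators from the message text and attachment file names."""
    hits = set()
    for url in URL_RE.findall(text):
        hits |= link_indicators(url)
    for name in attachments:
        if name.lower().endswith(".apk"):
            hits.add("apk_attachment")
    return hits


def risk_level(hits):
    """Map indicators to a verdict: APK delivery is the highest-risk signal."""
    if "apk_download" in hits or "apk_attachment" in hits:
        return "high"
    if hits:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed sample messages modelled on the campaign described above.
    samples = [
        ("Please review the attached relief form: https://bit.ly/relief-form", ["form.apk"]),
        ("Updated aid application: http://aid-update.ddns.net/app.apk", []),
        ("Latest situation report: https://www.unicef.org/yemen", []),
    ]
    for text, files in samples:
        hits = triage_message(text, files)
        print(risk_level(hits), sorted(hits), "|", text)
```

A "high" verdict is a reason to hold the message for analyst review and to confirm the sender through a separate channel, which is the verification step described above.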
FAQs: WhatsApp phishing attack on Yemen-Related Entities
An attack vector is the method or entry point through which an attacker delivers malware so that it can be executed to gain access to a system or server. OilAlpha employed one of the most common social engineering techniques: phishing through WhatsApp. The attackers sent long Arabic-language messages together with a document file that contained a malicious link.
There is no clear indication of how successful OilAlpha has been in the ongoing campaign. But because the group used tools such as SpyMax and SpyNote in this phishing attack, it may have had the ability to access the device’s camera and audio, SMS data, call logs, network information, contact information, and GPS location data.
There is not much information available about the OilAlpha hacker group. Insikt Group has followed OilAlpha’s activities and has claimed that the group targeted people who supported the Saudi Arabian government-led negotiations. It appears to support the Houthis in Yemen and has targeted humanitarian and international organizations in the Arabian Peninsula using phishing techniques on WhatsApp.
After noticing the icons of these entities in the malware, researchers allege that the hacker group has also spoofed other Saudi Arabian organizations, including King Salman Humanitarian Aid, the King Khalid Foundation, Relief Centre, and Project MASAM. OilAlpha also spoofed the applications of organizations that manage disaster and humanitarian work in Yemen, such as the Norwegian Refugee Council, the Red Crescent Society, and the United Nations Children’s Emergency Fund.
WhatsApp is the most downloaded and most used messenger in the world, and recent data suggests that its global usage has risen by almost 40% since the pandemic. Cybercriminals follow the trend and choose popular technologies or apps because they know an attack delivered through them can reach the masses faster than through less popular apps.
Employees should be trained well enough to recognize such phishing messages. These messages arrive unexpectedly and pressure you into acting by provoking an emotional response, a pattern known as social engineering. Employees should be aware of these methods used by cybercriminals. WhatsApp phishing simulation and awareness training can be the only way to protect your organization from WhatsApp phishing.