What is a watering hole attack?

08 January 2019

Watering hole attacks, also known as strategic website compromise attacks, target a particular group of victims by creating a sham website or compromising the legitimate websites they visit.

Criminals first build up a profile of their intended victims, such as employees of corporates or government agencies, identifying popular or niche websites they visit.

Then, much like watering holes in nature, the hackers lurk in wait to snag their prey. They do this by using vulnerabilities in the malware, malicious script or code to redirect the target to a separate site that infects the target with injected malware. Once a visitor to the website is infected, the malware gives hackers access to their network, enabling them to steal sensitive data or take control of IT systems.

Watering hole attacks are more sophisticated than common spear-phishing attacks and are usually associated with advanced persistent threat (APT) groups.

Watering hole tactics can be combined with spear phishing, malware, and domain hijackings. They tend to target specific industries or groups with the aim of stealing valuable data, such as trade secrets or research. The attack method, however, is also used by cyber criminals to compromise popular consumer websites for financial gain or to build botnet armies.

 Sign up to our latest  news & insights Sign up to our latest  news & insights

Why does it matter?

Watering hole attacks pose a significant threat, as they are difficult to detect and typically target high-security organisations through their low-security employees, vendors or an unsecured wireless network. As already mentioned, they have been increasingly used by APT groups to access the networks of large companies and government agencies or political groups.

In 2014, a watering hole attack on US news site Forbes.com, which exploited vulnerabilities in Adobe Flash and Microsoft’s Internet Explorer browser, is thought to have resulted in further attacks against US defence contractors and financial services companies. The attacks were believed to be the work of Chinese state espionage organisations, according to cyber security services company iSight.

ESET cyber security researchers recently discovered a new watering hole campaign targeting several websites in Southeast Asia by cyber espionage group OceanLotus. The campaign was large scale, involving at least 21 compromised websites, including the Ministry of Defence in Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia and several Vietnamese newspaper or blog websites.

Earlier in 2018, researchers at Morphisec uncovered a watering hole attack on leading Hong Kong Telecom website. More recently, Australian foreign affairs think tank, the Lowy Institute, was the subject of a watering hole attack from China. The attack appears to mirror a Chinese campaign against think tanks in the United States.

A watering hole attack was used by Chinese hackers to steal intellectual property and industrial trade secrets from US aerospace contractors. In October 2018, US federal prosecutors accused Chinese government intelligence officers of repeated computer intrusions to steal turbofan jet engine designs.

The hackers created a domain name that resembled the target company, Capstone Turbines, site. These organisations subsequently made related organisations mistakenly visit the false site infected with malware that made their own networks vulnerable.

Download Cyber Decoder

For more information please contact Sarah Stephens, Head of Cyber on +44 (0)203 394 0486.