Cyber security company “Recorded Future” revealed that a hacker group known as “OilAlpha”, which likely has links to the Houthi group in Yemen, has been targeting non-governmental organizations, media, and journalists in the Arabian Peninsula.
The company noted that from April to May 2022, at a time when Saudi Arabia was hosting negotiations between Yemeni leaders involved in the war, OilAlpha sent malicious Android files via WhatsApp to political representatives and journalists, using social engineering to get them to install spyware such as SpyNote and SpyMax.
SpyNote and SpyMax both include the ability to access call logs, SMS messages, contact information, network information, the device’s camera and microphone audio, as well as GPS location data.
The attack began with targets (political actors, media personalities and journalists) receiving APK files from WhatsApp accounts using Saudi phone numbers; the apps were presented as belonging to UNICEF, NGOs and other relief organizations.
According to the report, the hackers impersonated Saudi organizations such as the King Khalid Foundation, the King Salman Center for Relief and Humanitarian Action, and the Masam Project, which removes land mines in the region, as well as the United Nations Children’s Emergency Fund, the Norwegian Refugee Council and the Red Crescent Society.
The report indicated that the hacker group did little to hide its infrastructure. It mostly used the Yemen Public Telecommunications Company, which is likely under the control of the Houthi authorities.
According to the report: “We cannot be sure that there was no form of assignment of those assets and therefore they are being used by the pirates.” “We can’t be sure if they’re actually selling their infrastructure, so it could be someone else intentionally using it to help, potentially obvious, with their knowledge against the targets of their interests.”
The report also suggested that “external threat actors such as Lebanese or Iraqi Hezbollah, or even Iranian operators supporting [the Islamic Revolutionary Guard Corps], may have led this threat activity,” based on the fact that these groups have a vested interest in the outcome of the civil war.
OilAlpha is the new name given by Recorded Future to two overlapping groups that the company has tracked under the names TAG-41 and TAG-62 since April 2022.
The assessment that OilAlpha is acting on behalf of the Houthi group is based on the fact that the infrastructure used in the attacks is linked almost exclusively to a Yemeni telecom company under Houthi control.
The continued use of the company’s infrastructure does not exclude the possibility that the attacks were carried out through an unknown third party, but Recorded Future indicated that it found no evidence to support this reasoning.