The watering hole attack
Lions may be the kings of the jungle, but they are also very lazy… and not just because they allow lionesses to do most of the work when hunting. However, what one person might see as “lazy” another might interpret as being “efficient” (an argument familiar to most married couples). Lions have developed a particularly efficient way of capturing prey, known as the watering hole attack. Rather than chase prey all over the veldt, they hide near a watering hole in the knowledge that the prey will come to them if they wait. All animals need water, and at dawn and dusk they will gather round a watering hole to drink, offering up an easy target to predators.
Big-game hunters in Victorian times used a similar tactic, lurking near a watering hole to bag their trophies. These days the “shooting” can be photographic rather than kinetic.

This explains the large number of gorgeous “watering hole at dusk” photos, like the one on the right, that you will find on the internet. This tactic works just as well in cyberspace as on safari.
The cyber version of a watering hole attack is based on commonly visited websites. Rather than actively pursuing victims with a spear phishing email campaign, hackers infect websites that are of common interest to their intended targets and redirect visitors to malware.
The first known use of this tactic was all the way back in 2012, when the website of the US Council on Foreign Relations was infected with malware through a zero-day vulnerability in Microsoft Internet Explorer.
Notably, the malware was only deployed to users whose browser was set to particular languages: English, Chinese, Japanese, Korean, and Russian. Clearly, the threat actor had specific targets in mind.
Watering hole attacks have been successfully deployed on a wide range of websites. Examples include discussion forums for software development, NGOs, Christian charities, aviation organizations, financial supervision authorities, government departments, and industrial control systems. They are difficult to detect and typically target highly secure organizations through their less secure business partners, subcontractors, or other connected suppliers. They are effective because the websites they compromise are legitimate and job related, which makes them difficult to blacklist. It’s hard to tell a compliance officer in a bank that they are banned from visiting a financial regulator’s website.
Anti-phishing training is successfully teaching people not to click on malicious links in emails, but everyone is still visiting large numbers of websites every day. If phishing is like slipping poison into someone’s coffee, then a watering hole attack is poisoning the whole town’s water supply. In the former there is some uncertainty as to whether they will drink it; in the latter it’s only a matter of time. In the past, watering hole attacks have generally been used by nation states looking to gain sensitive intellectual property, but in the future they may become more common among cyber criminals looking for scale and fast results.