Over the past year and a half, as many as 25 websites linked to the Kurdish minority have fallen victim to a sophisticated watering hole attack designed to steal sensitive information. This cyber espionage campaign, dubbed SilentSelfie, was uncovered by French cybersecurity firm Sekoia, which described the operation as long-running and strategic. The first signs of infection were detected in December 2022, highlighting the persistent nature of the attack.
The Watering Hole Attack and Its Tactics
Watering hole attacks are a type of cyberattack where hackers compromise specific websites commonly visited by a targeted group. Once a user visits the infected website, malicious code is executed on their device, often leading to the theft of sensitive information. In this case, the Kurdish community—particularly websites connected to Kurdish press, media outlets, political groups, and armed forces—has been the primary target.
Sekoia’s research uncovered that the SilentSelfie campaign used four different variants of an information-stealing framework. The sophistication of the attacks varied, ranging from stealing basic location data to more complex intrusions that accessed a user's selfie camera, recorded images, and led selected users to download a malicious Android APK file. This APK, once installed, acted as a tool to harvest detailed system information from Android devices, including contact lists, location data, and files stored in external storage.
Targeted Websites and Breach Methodology
Among the compromised websites were Kurdish news outlets such as RojNews and Hawar News, as well as others related to revolutionary political movements in Türkiye and Kurdish regions. The precise method by which these websites were initially breached remains uncertain. However, security researchers Felix Aimé and Maxime A from Sekoia noted that the level of infection across these sites indicates a concerted effort to infiltrate this community, pointing to an advanced and prolonged attack.
Sekoia also identified malicious JavaScript deployed on several compromised websites, which allowed hackers to gather a wide range of information from visitors, including device data, public IP addresses, battery status, and browser language. Some of the scripts redirected users to download malicious Android APK files, while others tracked users through a cookie labeled "sessionIdVal".
The Role of Malicious APKs
One of the more insidious aspects of the SilentSelfie campaign was the deployment of malicious APK files. When users downloaded and installed the APK, it embedded the targeted website into a WebView, enabling the hackers to continue stealing data while appearing legitimate. The app collected extensive data from infected devices, including the user’s location, contact lists, and files stored in external storage.
While the malicious code did not have a persistence mechanism—meaning it didn’t automatically execute upon device startup—it was triggered each time the user opened the compromised RojNews application. After a brief 10-second delay, the app initiated a LocationHelper service that transmitted the user’s location to a URL linked to the RojNews website, allowing hackers to issue commands to the device.
Attribution and Threat Actors
Despite the extensive investigation, the SilentSelfie campaign has not yet been attributed to any known hacking groups. However, Sekoia researchers have suggested a possible connection to the Kurdistan Regional Government of Iraq based on the arrest of RojNews journalist Silêman Ehmed in October 2023 by the Kurdistan Democratic Party (KDP) forces. Ehmed was sentenced to three years in prison in July 2024, raising suspicions that the campaign could be linked to political motivations.
This hypothesis aligns with past incidents where Kurdish websites were targeted. For example, earlier in 2024, Dutch security firm Hunt & Hackett uncovered a similar watering hole attack that affected Kurdish websites in the Netherlands. This attack was attributed to Sea Turtle, a threat actor with connections to Türkiye. While there is no direct evidence linking the SilentSelfie campaign to Sea Turtle, both incidents suggest a pattern of politically motivated cyberattacks targeting the Kurdish minority.
Low Sophistication, High Impact
Despite the large scale of the SilentSelfie campaign, Sekoia researchers described the attack as “low sophistication.” The information-stealing framework lacked advanced persistence mechanisms or other highly sophisticated techniques commonly seen in modern cyber espionage campaigns. Nevertheless, the sheer number of websites compromised and the campaign’s long duration—spanning more than 18 months—underscore its significance.
The researchers emphasized that although the campaign appeared to be the work of an emerging or less experienced threat actor, its impact on the Kurdish community was substantial. The extended timeline of the attack allowed the perpetrators to gather sensitive data on users visiting these websites, potentially aiding in the surveillance and targeting of political dissidents or minority groups.
Conclusion
The SilentSelfie watering hole attack is a stark reminder of the vulnerabilities faced by minority communities in the digital age. While the attack may not be as technically advanced as others, its scale and duration make it a significant threat, particularly to the Kurdish community. As cyberattacks become increasingly political, vigilance and cybersecurity measures must be strengthened to protect at-risk groups from such targeted campaigns.
Although the exact identity of the attackers behind SilentSelfie remains unclear, the attack's focus on Kurdish websites and political entities suggests that this emerging threat cluster may have broader geopolitical motivations. As this campaign continues to evolve, cybersecurity experts will need to remain alert to further developments and potential connections to known threat actors.
.png)
