A hacking group known as OilAlpha with likely ties to Yemen’s Houthi movement has targeted humanitarian groups, media outlets and nonprofits in the Arabian Peninsula via WhatsApp as part of a digital espionage campaign, according to a new report by cybersecurity firm Recorded Future.
From April to May 2022, just as Saudi Arabia hosted negotiations between Yemeni leaders involved in the nearly decade-long civil war, OilAlpha sent malicious Android files through WhatsApp to political representatives and journalists, the firm noted. The hacking group appears to favor using the remote access tools to install mobile spyware such as SpyNote and SpyMax.
The firm said that OilAlpha will likely continue using malicious Android-based apps to “target entities that share an interest in Yemen’s political and security developments and the humanitarian and NGO sectors that operate in Yemen.”
Both SpyNote and SpyMax include the ability to access “call logs, SMS data, contact information, network information, access to the device’s camera and audio, as well as GPS location data, among others,” the report noted. OilAlpha’s similarly focuses on Android phones that are more widely available in the region.
Recorded Future has not attributed OilAlpha to the Houthi movement.
Recorded Future does not have any indication of how successful OilAlpha’s operations have been since it started tracking the outfit. The firm believes the group has also spoofed Saudi Arabian organizations such as the King Khalid Foundation, King Salman Humanitarian Aid and Relief Centre and Project MASAM that removes landmines in the region, the report noted after finding icons with those organizations in the malware.
Recorded Future also said the group also spoofed applications of nongovernmental organizations such as the United Nations Children’s Emergency Fund, the Norwegian Refugee Council and the Red Crescent Society. All of these organizations either conduct or coordinate disaster response and humanitarian work in Yemen.
“Barring the discovery of new information or broader geostrategic shifts, OilAlpha is likely to continue to use malicious Android-based applications to target entities that share an interest in Yemen’s political and security developments and the humanitarian and NGO sectors that operate in Yemen,” Recorded Future said.
The group appears to have done little to hide its infrastructure. OilAlpha mostly used Yemeni-owned Public Telecommunication Corporation that is likely under the control of Houthi authorities, Recorded Future said. Additionally, the group almost exclusively used dynamic DNS, which served as another indicator for attribution, Recorded Future noted.
The company said that it couldn’t ascertain why the group relied on infrastructure with seemingly poor operational security, but could not find any corresponding evidence that points to hacked infrastructure or a false flag.
“We can’t ascertain that there hasn’t been some form of compromise of those assets and therefor foreign threat actors are using them,” said Jon Condra, director of strategic and persistent threats at Insikt Group at Recorded Future. “We can’t ascertain whether they’re actually maybe selling their infrastructure so it could be somebody else using it on purpose to assist, potentially obviously, with their knowledge against targets of their interests.”
Recorded Future noted that there is insufficient evidence to definitely say whether Yemeni operatives are responsible for OilAlpha’s campaign or whether other threat groups in the region may be behind the ongoing campaign.
“External threat actors like Lebanese or Iraqi Hezbollah, or even Iranian operators supporting the [Islamic Revolutionary Guard Corps], may have led this threat activity,” notes Recorded Future, based on the fact that these groups have a vested interest in the outcome of the civil war.