Researchers catch Yemeni hackers spying on Middle East military phones
A Yemeni hacking group is eavesdropping on the phones of military personnel in the Middle East, the latest sign of how surveillance has gone mobile in conflicts across the world, researchers say.
In a report published Tuesday, researchers from the cybersecurity firm Lookout say hackers affiliated with Yemen’s Houthi movement — the militant group that controls of most of the country — have successfully infected surveillance software on phones belonging to more than 450 people in their home country as well as in Saudi Arabia, Egypt, Oman, the United Arab Emirates, Qatar and Turkey.
“It just shows how mobile as a threat really has made it into every conflict on Earth as a cyber target,” said Christoph Hebeisen, the director of security intelligence research at Lookout. “Yemen always seems like a small and not very advanced place, and they don’t have great means, yet they managed to create this kind of cyber weapon.”
The Houthi operation kicked off in 2019 and targets Android phones belonging to military personnel of interest to the group, Lookout said. It relies on a version of the Dendroid malware that leaked online a decade ago —dubbed GuardZoo — that can collect data from phones such as photos, documents and files related to marked locations, according to Lookout.
The Houthi movement came to international prominence in 2014 when it launched a military campaign against the then-government, causing its collapse and setting off a subsequent humanitarian crisis. The group is backed by Iran and has spent years fighting a Saudi-backed military force. More recently, the group has carried out crippling attacks on international shipping passing through the Strait of Hormuz in retaliation for Israel’s military campaign in Gaza.
The Houthis have in recent years embraced the use of cyber capabilities. Last year, researchers with Recorded Future observed a hacking group with likely ties to the Houthis carrying out a digital espionage campaign that relied on WhatsApp to send malicious lures to its targets.
The activity described in Tuesday’s Lookout report also relied on WhatsApp, in addition to direct browser downloads, to infect its targets, but Lookout said its researchers had not previously observed activity from the group behind the campaign. Of particular interest to the group are maps that might reveal the locations of military assets, said Lookout’s senior security researcher, Alemdar Islamoglu.
“The campaign mostly uses military themes to lure victims, but Lookout researchers also observed that religion and other themes are being used,” the report says, citing examples such as a religious-themed prayer app or military-themed apps.
Also on Tuesday, Recorded Future released a report on the likely pro-Houthi group it dubbed OilAlpha. The firm said the group continues to target humanitarian organizations in Yemen, with affected organizations including CARE International and the Norwegian Refugee Council.
This story was updated July 9, 2024, with details about a Recorded Future report.