How cyberwarfare is playing into Yemen’s civil war

As the Yemeni conflict gains greater attention in Washington, new research highlights how cyber operations have become intrinsic to kinetic wars.
A heavily armed policeman guards an archaeological site in the district of Marib, Yemen. A new report from Recorded Future looks at the cyberwarfare tactics used in the country's bloody civil conflict. (Getty)

The war in Yemen has been accompanied by a digital conflict in which combatants have used surveillance and cryptocurrency to their strategic advantage, new research shows.

“[T]he dynamics of the Yemeni civil war are manifesting themselves online through a struggle over Yemeni access, use, and control of the internet,” Boston-based Recorded Future wrote in a blog post about the research on Wednesday.

As the Yemeni conflict gains greater attention in Washington, the research highlights how cyber-operations have become intrinsic to kinetic wars. In Yemen, the internet has become “another front,” Recorded Future threat intelligence analyst Allan Liska told CyberScoop.

The conflict, which has left tens of thousands of people dead and created a widespread famine, has been fought by Houthi rebels, backed by Iran, and the Hadi government, supported by Saudi Arabia. U.S. intelligence and weapons have been used by the Saudi-led coalition.


The new research highlights the digital portion of the conflict. When the Houthis seized Yemen’s capital of Sanaa in 2014, they also took control of the country’s internet backbone, updating Yemeni government websites to reflect their agenda.

“Seizing control of the internet assets lends a legitimacy to the Houthi forces that otherwise wouldn’t be there,” Liska told CyberScoop. “They’re still not internationally recognized, but within country they have that legitimacy.”

To counter the Houthi-controlled YemenNet, the Hadi government set up its own internet service provider (ISP), known as AdenNet, in June.

Recorded Future’s study of both ISPs turned up vulnerabilities that were ripe for exploitation. For example, YemenNet had a firmware backdoor in a router made by Chinese company Tenda.

“If the name server is connected to other infrastructure within YemenNet, which it is likely to be, both state and non-state attackers could leverage this backdoor to infiltrate the ISP,” the researchers wrote in a blog post.


The inception of AdenNet coincided with a spike in software samples from Yemen that were submitted to the VirusTotal platform. While just 13 such samples were found between 2015 and 2017, 164 samples showed up in 2018, about half of which were malicious. Researchers did not find a clear cause for that swell in malware, but said it could be because of greater threat activity or the fact that AdenNet increased internet connectivity in Yemen.

Winnona DeSombre, a threat intelligence researcher at Recorded Future, told CyberScoop that it is unclear if the malware observed has been used for either criminal or espionage purposes in Yemen. However, “the intent for criminals to take advantage of people in a warzone, as well as nation-states to do espionage … is there,” she said.

The Yemeni war has featured other modern cybertools such as cryptocurrency. As the conflict grinds through its fourth year, evidence suggests that the Houthi rebels have turned to cryptocurrency to raise money. The Recorded Future team found 973 hosts of the Coinhive mining service on YemenNet, the majority of which are based in the Houthi stronghold of Sanaa.

DeSombre compared the Houthi cryptocurrency scheme to those of the North Korean government.

“This is another particularly internationally isolated regime trying to use alternative currencies to bolster themselves economically,” DeSombre said at the CYBERWARCON conference in Arlington, Virginia, where Recorded Future presented its research.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.