Watering Hole Attacks

A watering hole attack is one way that hackers can go after an individual organization or type of organization. Unlike a phishing attack, it is designed to infect websites that people are known to frequent based on where they work. For example, the attackers could infect the website of a pizza delivery service near the bank or other intended target, or a website that lawyers might frequent, like the county civil court. A watering hole attack can also work when phishing does not, because employees have been carefully trained to look out for phishing.

The watering hole principle is to target the weakest link, an approach that has been shown to work in cyber attacks as in any other kind of attack. The term “watering hole” refers both to a bar that people frequent and to a source of water where animals gather to drink.

If the target is a bank, which presumably has the best security available, then one way to attack the bank is to attack websites its employees use. From those sites the attackers can download malware onto an employee’s computer and proceed to attack other computers and networks from there.

A watering hole attack can be part of an advanced persistent threat (APT). In this type of attack the hacker spends time profiling victims and months or even years probing their defenses. An APT is usually launched against an organization that is well defended.

The hacker studies the watering hole websites and looks for ones that have some vulnerability. They then change the site’s HTML and JavaScript code to load pages, or sections of pages, from websites where they have installed malware. The malware can then use zero-day flaws in browser plugins such as Adobe’s, or other techniques such as hiding JavaScript in PNG image files.
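As an added example (not from the article or any of the groups it mentions), here is a small defender-side check for the modification just described: it lists every script, frame, object or link a page loads and flags any that come from a host the site owner has not approved. The page content and hostnames in it are constructed for the example.

```python
# Added example, not from the original article: a watering hole compromise
# edits a site's HTML/JavaScript so the page pulls a script, iframe or object
# from a domain the attacker controls. This scanner lists every loadable
# resource a page references and flags any host outside the site owner's
# allowlist. All page content and hostnames below are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs through which a page loads executable or embedded content.
LOAD_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
              "embed": "src", "object": "data", "link": "href"}

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.loads = []  # (tag, url) for every loadable resource seen

    def handle_starttag(self, tag, attrs):
        attr = LOAD_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.loads.append((tag, url))

def unexpected_loads(html, site_host, allowed_hosts=()):
    """Return (tag, url) pairs fetched from a host not on the allowlist.
    Relative URLs count as first party; scheme-relative ones (//h/x.js) are checked."""
    collector = ResourceCollector()
    collector.feed(html)
    allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    flagged = []
    for tag, url in collector.loads:
        host = urlparse(url).hostname
        if host is not None and host.lower() not in allowed:
            flagged.append((tag, url))
    return flagged

# Constructed sample: a legitimate page with an injected cross-origin script
# and a hidden iframe, the pattern the article describes.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-bank.test/app.js"></script>
<script src="//stats.attacker-controlled.test/t.js"></script>
</head><body>
<iframe src="http://attacker-controlled.test/landing.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in unexpected_loads(SAMPLE_PAGE, "example-bank.test", ["cdn.example-bank.test"]):
        print(f"unexpected {tag} load from {url}")
```

Run against a saved copy of each page and diff the result over time; a newly flagged host is worth a look even if it appears harmless.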


Security Week reports that Chinese hackers attacked Forbes.com this way. They put their malware in the “Thought of the Day” popup, which anyone who visits Forbes is familiar with, as it is the first page to appear. The hackers were looking to attack individuals in the financial services industry. The malware they planted went after zero-day defects in Adobe Flash and IE. The article did not say how the hackers infected the Forbes site.

The North Korean hacker group Lazarus was blamed this month for using this approach to plant very sophisticated malware, which they used to target banks in Poland. This is the same hacker group that previously stole $81 million USD from a central bank in Bangladesh and attacked SONY Pictures after it made a film that mocked that country’s leadership. They planted their malware on the site of the Polish Financial Supervision Authority (KNF). There is concern in the banking industry that such a sophisticated group of hackers is apparently now going after banks, especially central banks. The attack in Bangladesh went after the SWIFT international payment system, which is not connected to the internet at all. SWIFT itself was not compromised directly, but systems connected to it, including manual ones, were.