
Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. [Symantec, Internet Security Threat Report, April 2016, p. 38, https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf] The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.
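Because a watering-hole compromise is usually disclosed after the fact, the first defensive question is which internal hosts visited the site during the compromise window and whether any of them then fetched an executable from somewhere else. The following is an added example (not from the original article) that answers that question from web proxy logs. It assumes a constructed space-separated log format of timestamp, client IP, URL, status and content type, and treats the compromised host name, the compromise window and the sample log lines as constructed placeholders.

```python
"""Scoping exposure to a watering-hole compromise from web proxy logs.

Added example; the log format, host names and times are all constructed
for illustration. Assumed format per line:
    <ISO-8601 timestamp> <client_ip> <url> <http_status> <content_type>
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log. 10.0.0.11 visits the compromised site and fetches an
# executable from another domain shortly after; 10.0.0.12 visits but downloads
# nothing; 10.0.0.13 downloads an executable without visiting; 10.0.0.14
# visits outside the compromise window.
SAMPLE_LOG = """\
2024-03-01T09:00:05 10.0.0.11 https://industry-portal.example/news/ 200 text/html
2024-03-01T09:00:41 10.0.0.11 https://cdn-update.example/flash_update.exe 200 application/octet-stream
2024-03-01T09:05:00 10.0.0.12 https://industry-portal.example/news/ 200 text/html
2024-03-01T09:30:00 10.0.0.13 https://vendor.example/tools/setup.exe 200 application/x-msdownload
2024-03-02T11:00:00 10.0.0.14 https://industry-portal.example/news/ 200 text/html
"""

# Constructed: the site named in a (hypothetical) compromise notice and the window it gives.
COMPROMISED_HOSTS = {"industry-portal.example"}
COMPROMISE_WINDOW = (datetime(2024, 3, 1, 0, 0, 0), datetime(2024, 3, 1, 23, 59, 59))

EXECUTABLE_TYPES = {
    "application/octet-stream", "application/x-msdownload", "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll", ".scr")


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp and host name."""
    ts, client, url, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "status": int(status), "ctype": ctype, "host": urlparse(url).hostname}


def looks_like_executable(entry):
    """Content type or file suffix suggests a downloaded program."""
    path = urlparse(entry["url"]).path.lower()
    return entry["ctype"] in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_SUFFIXES)


def find_exposed_clients(log_text, compromised_hosts, window_start, window_end,
                         followup=timedelta(minutes=10)):
    """Return {client_ip: {"visits": [...], "downloads": [...]}} for every client
    that visited a compromised host inside the window. "downloads" lists
    executable fetches from other hosts within `followup` of such a visit; an
    empty list still means the client was exposed and should be reviewed."""
    entries = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda e: e["ts"])
    exposed = {}
    for i, e in enumerate(entries):
        if e["host"] in compromised_hosts and window_start <= e["ts"] <= window_end:
            rec = exposed.setdefault(e["client"], {"visits": [], "downloads": []})
            rec["visits"].append(e["ts"])
            # Scan forward (entries are time-ordered) for the same client fetching
            # an executable from a different host within the follow-up window.
            for f in entries[i + 1:]:
                if f["ts"] - e["ts"] > followup:
                    break
                if (f["client"] == e["client"] and f["host"] not in compromised_hosts
                        and looks_like_executable(f) and f["url"] not in rec["downloads"]):
                    rec["downloads"].append(f["url"])
    return exposed


def demo():
    """Run the scoping query over the constructed sample log."""
    return find_exposed_clients(SAMPLE_LOG, COMPROMISED_HOSTS, *COMPROMISE_WINDOW)


if __name__ == "__main__":
    for client, rec in demo().items():
        print(client, "visits:", len(rec["visits"]), "follow-up downloads:", rec["downloads"])
```

The follow-up download is only a prioritisation signal: clients that visited without a visible download are still on the exposed list, because a drive-by exploit needs no separate file fetch, and a payload served only to selected source addresses (as the article notes) will not appear in every visitor's log.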


Defense techniques

Websites are often infected through zero-day vulnerabilities in browsers or other software. A defense against known vulnerabilities is to apply the latest software patches to remove the vulnerability that allowed the site to be infected. Users assist this by ensuring that all of their software is running the latest version. An additional defense is for companies to monitor their websites and networks and then block traffic if malicious content is detected.
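The "monitor their websites" advice above can be made concrete by fingerprinting the active content a page legitimately contains (external script, iframe, embed and object sources, plus hashes of inline scripts) and comparing later fetches against that baseline, since a watering-hole compromise typically shows up as an injected script or hidden iframe pointing at a host the site never used before. The following is an added example, not code from the original article: the two HTML snapshots are constructed, and in a real deployment the page would be fetched from several network vantage points, because (as the article notes) a payload may be served only to selected source addresses.

```python
"""Baseline-diff monitoring of a site's own pages for injected active content.

Added example; both HTML documents below are constructed. The baseline is a
snapshot taken when the page was known-good; the later snapshot contains an
injected external script and a hidden iframe pointing at a new host.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

BASELINE_HTML = """<html><head>
<script src="https://static.site.example/app.js"></script>
<script>window.cfg = {page: "news"};</script>
</head><body><h1>News</h1></body></html>"""

LATER_HTML = """<html><head>
<script src="https://static.site.example/app.js"></script>
<script>window.cfg = {page: "news"};</script>
<script src="https://cdn-update.example/loader.js"></script>
</head><body><h1>News</h1>
<iframe src="https://cdn-update.example/f.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""


class ActiveContentParser(HTMLParser):
    """Collect external script/iframe/embed/object sources and inline-script hashes."""

    def __init__(self):
        super().__init__()
        self.external = set()       # (tag, host, url)
        self.inline_hashes = set()  # sha256 of each inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "embed") and a.get("src"):
            self.external.add((tag, urlparse(a["src"]).hostname, a["src"]))
        elif tag == "object" and a.get("data"):
            self.external.add((tag, urlparse(a["data"]).hostname, a["data"]))
        if tag == "script" and not a.get("src"):
            self._in_script = True   # body follows as data until </script>
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            code = "".join(self._buf).strip()
            if code:
                self.inline_hashes.add(hashlib.sha256(code.encode()).hexdigest())


def fingerprint(html):
    """Reduce a page to the set of active-content references it carries."""
    p = ActiveContentParser()
    p.feed(html)
    p.close()
    return {"external": p.external, "inline": p.inline_hashes}


def diff_against_baseline(baseline_html, current_html):
    """Return active content present in the current page but absent from the baseline.
    Anything listed here is either a legitimate site change to be re-baselined or
    an injection to be investigated and blocked."""
    base, cur = fingerprint(baseline_html), fingerprint(current_html)
    base_hosts = {h for _, h, _ in base["external"]}
    cur_hosts = {h for _, h, _ in cur["external"]}
    return {
        "new_external": sorted(cur["external"] - base["external"]),
        "new_inline": sorted(cur["inline"] - base["inline"]),
        "new_hosts": sorted(cur_hosts - base_hosts),
    }


if __name__ == "__main__":
    for key, items in diff_against_baseline(BASELINE_HTML, LATER_HTML).items():
        print(key, items)
```

Unchanged inline scripts hash identically across snapshots, so ordinary page edits that do not add active content produce an empty diff, while a new third-party host in `new_hosts` is the signal worth paging on.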


Examples


2012 US Council on Foreign Relations

In December 2012, the Council on Foreign Relations website was found to be infected with malware through a zero-day vulnerability in Microsoft's Internet Explorer. In this attack, the malware was only deployed to users using Internet Explorer set to English, Chinese, Japanese, Korean and Russian.


2013 Havex ICS software supply chain attack

Havex was discovered in 2013 and is one of five known Industrial Control System (ICS) tailored malware developed in the past decade. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe. Havex exploited supply chain and watering-hole attacks on ICS vendor software in addition to spear phishing campaigns to gain access to victim systems.


2013 US Department of Labor

In mid-early 2013, attackers used the United States Department of Labor website to gather information on users that visited the website. This attack specifically targeted users visiting pages with nuclear-related content.


2016 Polish banks

In late 2016, a Polish bank discovered malware on the institution's computers. It is believed that the source of this malware was the web server of the Polish Financial Supervision Authority. There have been no reports of any financial losses as a result of this hack.


2017 Montreal-based International Civil Aviation Organization attack

There was an organization-level watering-hole attack in Montreal from 2016-2017 by an unknown entity causing a data breach.


2017 CCleaner attack

From August to September 2017, the installation binary of CCleaner distributed by the vendor's download servers included malware. CCleaner is a popular tool used to clean potentially unwanted files from Windows computers, widely used by security-minded users. The distributed installer binaries were signed with the developer's certificate making it likely that an attacker compromised the development or build environment and used this to insert malware.


2017 NotPetya attack

In June 2017, the NotPetya (also known as ExPetr) malware, believed to have originated in Ukraine, compromised a Ukrainian government website. The attack vector was users of the site downloading the malware. The malware erases the contents of victims' hard drives.


2018 Chinese country-level attack

There was a country-level watering-hole attack in China from late 2017 into March 2018, by the group "LuckyMouse" also known as "Iron Tiger", "EmissaryPanda", "APT27" and "Threat Group-3390."


2019 Holy Water Campaign

In 2019, a watering-hole attack, called the Holy Water Campaign, targeted Asian religious and charity groups. Victims were prompted to update Adobe Flash, which triggered the attack. It was creative and distinct due to its fast evolution. The motive remains unclear. Experts provided a detailed technical analysis along with a long list of Indicators of Compromise (IoCs) involved in the campaign, but none could be traced back to an Advanced Persistent Threat.

