What is a watering hole attack, and how does it work?

What is a watering hole attack in cybersecurity?

A watering hole attack works by tricking a specific group of people, or an organization, into visiting malicious websites and downloading malware. Hackers will use a combination of social engineering, good research, and patience to lure unsuspecting victims into compromising their computer or device’s security. Once a hacker has a foothold in a victim’s computer, they can cause havoc to whichever network the computer is connected to. This is especially dangerous for large organizations that have hundreds of endpoints via their worker’s devices.

Now that users have been lured to a website, typically via an email socially engineered to make it as enticing to visit as possible, they’ll be prompted to download the malicious payload. Via research, the hackers can learn exactly what it takes to trick their target into clicking something they shouldn’t.

Hackers and cybercriminals are methodical and careful when it comes to their preparation for a watering hole cyberattack, and can often take weeks of planning. Hackers are known to wait for zero day browser releases to find any security exploits that may have been missed by the devs.

How does a watering hole attack work?

Watering hole attacks will always target a specific group, business, or organization. It’s easier to target a group of people that already have something in common, whether it’s shared love of a fan forum, or merely the fact that they all use the same website to connect to their virtual workspace. The shared interest makes it easier to create an all-encompassing attack. Once the group has been selected, the targeted attack is in motion.

1. Researching the victims

Hackers will look into every aspect of their victim’s online lives. Social media accounts, public work accounts, publicly available website data — it will all be used by a hacker to form the perfect attack vector. This step can also involve the use of malware, specifically keyloggers and spyware. The hackers will also identify which website is best to use as a staging ground for their attack.

2. Preparation

The website chosen will be picked apart and analyzed for the most effective way to trick users into clicking a link and downloading a malicious payload. Sometimes this can involve spoofing a legitimate website entirely. Other times, hackers can find a security exploit in the target website, and inject malicious code that will contain the malware itself, or secretly direct victims to a new, infected web page.

3. Attack

Now that the website and victims have been thoroughly studied and researched, the attack can begin. Many hackers will utilize drive-by downloads, where the victim’s computer becomes infected with malicious software without them knowing. Hackers looking to gain access to a business or organization’s network will use trojan malware to create a backdoor. Data can be stolen through that backdoor, and more malware can be injected.

What are the reasons for watering hole attacks?

The reasons behind a watering hole attack are similar to most motivations behind other cyberattacks. Sometimes a hacking group will be looking for financial gains, other times hackers will just want to cause disruption and mayhem for a specific group of people purely for the fun of it.

If a business has been attacked and their network compromised via a watering hole attack, hackers can leverage the data stolen to blackmail their victims. If the hackers have done their research well, they’ll choose to attack someone with lax cybersecurity, making their job all the easier. Remember that hackers are opportunistic and will always choose the easiest target.

Watering hole attack examples

Watering hole attacks have been fairly prominent over the past 15 years, with the first major attack orchestrated in 2012.

US Council on Foreign Relations attack

In December 2012, hackers exploited a zero day security flaw found in Microsoft’s latest Internet Explorer 8.0 release. The security exploit allowed hackers to target all Internet Explorer computers that were set in English, Russian, Chinese, Japanese, and Korean. Anyone who visited the Foreign Relations website during the attack would have been infected with Gh0st RAT spyware, a trojan that gave hackers backdoor access.

International Civil Aviation Organization (ICAO) attack

The ICAO website is used by nearly every airline and airport in the world. Once hackers had targeted and attacked their network, two ICAO servers were compromised, further spreading malware to other, connected websites. The attack took place in 2016 but was covered up until 2019, where it was revealed that around 2,000 users of the ICAO website were made vulnerable from exposed data.

Hong Kong protester attacks

During the widespread Hong Kong protests throughout 2021, Google’s Threat Analysis Group (TAG) discovered watering hole attacks designed to infect anyone visiting media sites that spoke in favor of the protests. The watering hole attacks specifically targeted Apple devices with a malware backdoor.

What’s the difference between a watering hole attack and a supply chain attack?

Where a watering hole attack relies on luring a group of people to a website, or part of a website, a supply chain attack focuses on a specific security weakness.

Supply chain attacks will identify the weakest part of an organization’s network, and use it as the main attack vector. This could be something as simple as a business vendor’s device being stolen and used without their knowledge. Bear in mind that a supply chain attack can start with a watering hole attack, but not all watering hole attacks are supply chain attacks.

How can you prevent watering hole attacks?

The best method to avoid watering hole attacks is knowledge. Hackers will rely on using socially engineered techniques to fool you. The techniques normally involve using incredibly charged language to set you on an edge, and you will be more likely to make a mistake in the heat of the moment.

Advanced antivirus software can recognize when a website is behaving out of the norm. Updating every endpoint with robust security, while also regularly educating users with the dangers that could be present, makes it much harder to become a victim of cybercrime.