THE AMERICA ONE NEWS
Jun 19, 2025
Ryan Lovelace


Cybersecurity firm finds Houthi-aligned hackers spying on Middle Eastern armies

The cybersecurity firm Lookout said it discovered Houthi-aligned hackers spying on Middle Eastern militaries with a surveillance tool that leverages Meta’s WhatsApp to infiltrate victims’ devices.

The spying tool lets hackers collect photos, documents, location info and Wi-Fi configuration details, according to Lookout’s Alemdar Islamoglu and Kyle Schmittle in a new report.

Lookout says the cyberespionage tools deployed by Houthi-aligned attackers provide a new window into the ragtag rebels’ transformation into a fighting force that has provoked international attention.

Targets of the hackers’ GuardZoo surveillance malware included more than 450 IP addresses belonging to victims in Yemen, Saudi Arabia, Egypt, Oman, the United Arab Emirates, Qatar and Turkey.

Lookout said it believes an unnamed “Yemeni, Houthi-aligned threat actor” is responsible for the malicious cyber campaign.

“We couldn’t attribute GuardZoo to a known threat actor yet. We are tracking it as an unnamed threat cluster until we can determine if it’s a new campaign by a known actor or a new actor,” Lookout’s threat intelligence team told The Washington Times.

The hacking campaign began in 2019 and remains active, according to Lookout. The hackers have used lures that include apps with military emblems of Yemen and Saudi Arabia and a religious-themed prayer.

“Lookout telemetry indicates most of the detections happened in Yemen,” Lookout’s report said. “The file paths on devices where GuardZoo samples were detected reveal initial infection vectors via WhatsApp, WhatsApp Business and browser download.”

Increased vigilance about clicking on suspicious links can help potential victims guard against hackers trying to trick them on WhatsApp’s platform.

WhatsApp told The Times it strongly recommends that users block and report suspicious messages, don’t click on links or share personal information with strangers, and turn on two-step verification for extra security.

A command and control server used in the hacking campaign contained code that was written mostly in English with the exception of some Arabic, and the time zone of the project was set to “Asia/Baghdad.”

Lookout said some infected devices appeared to belong to “Pro-Hadi forces” and the content of one exfiltrated document translated to “Very Confidential, Republic of Yemen, Ministry of Defense, Chief of the General Staff, War Operations Department, Insurance division.”

Yemen didn’t immediately respond to a request for comment.

• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.