Hackers Compromised Middle East Eye News Website to Hack Visitors, Researchers Say

A group of hackers compromised a popular London-based news website that focuses on the Middle East with the goal of hacking its visitors, according to researchers. 

On Tuesday, cybersecurity firm ESET published a report detailing the hacking campaign, which spanned from March 2020 until August of this year. During this time, according to the report, hackers compromised around 20 websites, including Middle East Eye, a popular independent news site that covers the Middle East and Africa and is based in the UK. 

The hackers compromised these websites in what are technically known as watering hole attacks, a type of cyberattack where hackers use legitimate websites to target people who visit them. In this case, the hackers did not target all visitors of the websites, but only specific ones, according to ESET.

“We were never able to get the final payload. So it shows that attackers are very careful in the selection of the targets,” Matthieu Faou, a researcher at ESET, told Motherboard in a phone call. 

Because the researchers could not retrieve the malware, “we don't know who are the final targets,” Faou said. 

ESET researchers explained in the report that the hackers also compromised several government websites in Iran, Syria, and Yemen, as well as the sites of an Italian aerospace company and a South African government owned defense conglomerate—all websites with links to the Middle East. The hackers, according to ESET, may have been customers of the Israeli spyware vendor Candiru, a company that was recently put on a denylist by the US Government. 

Candiru is one of the most mysterious spyware providers out there. The company has no website, and it has allegedly changed names several times. Candiru offers “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets," according to a document seen by Haaretz. The Israeli newspaper was the first one to report Candiru’s existence in 2019. Since then, several cybersecurity companies and groups such as Kaspersky Lab, Microsoft, Google, and Citizen Lab, have tracked its malware.  

Faou is scheduled to present his findings at the CYBERWARCON conference in Washington D.C. on Tuesday.

Faou said that he contacted some of the websites affected, but did not receive an answer from any of them. None of them are currently compromised, he said, and it’s unclear if that’s because the site owners caught the hackers and removed the malicious code, or the hackers cleaned up after themselves to hide their tracks. 

When Motherboard reached out to Middle East Eye, Mahmoud Bondok, the site’s head of digital development, said: “We were actually just made aware of it all and trying to ensure that the compromise itself is no longer active as a priority.”

On Tuesday, Middle East Eye issued a press release condemning the watering hole attack against its site.

“Middle East Eye is no stranger to such attempts to take our website down by state and non state actors. Substantial sums of money have been spent trying to take us out,” Middle East Eye editor in chief David Hearst said in the release. “This has not stopped us reporting what is going on in all corners of the region and I am confident that they will not stop us in future. Despite these efforts, our journalism has reached a global audience.”

Middle East Eye also said that the site is now secure.

“Middle East Eye is constantly reviewing its security arrangements with leading IT software security companies. As with any attempt to disrupt our service, we are building cyber defences to meet this threat,” the press release read. “At present we are confident that this attack has not compromised our ability to bring investigative and original reporting from the region.”

During their investigation, Faou and his colleagues found that the hackers were using multiple domains for the command and control servers that connected to the malware. Two of those domains (webfx[.]cc and engagebay[.]cc) connected to a server previously identified as belonging to Candiru by Citizen Lab, a cybersecurity research organization housed at the University of Toronto's Munk School, according to ESET. 

Bill Marczak, a senior researcher at Citizen Lab, confirmed to Motherboard that those domains did connect to the Candiru server. 

That’s why ESET concludes with “medium confidence” that the hackers in this campaign are customers of Candiru.  

Candiru did not respond to a request for comment sent to a series of email addresses that belong to the company.

This is not the first time Middle East Eye is caught in the crosshairs of hackers using Israeli spyware tools. In 2016, Citizen Lab reported that government hackers using NSO Group’s spyware had attempted to hack Rori Donaghy, at the time a reporter for Middle East Eye.   

The hack of a UK news website could spark more debate in the country about government hacking and spyware. Last week, ten parliament members in the UK wrote a letter addressed to Prime Minister Boris Johnson urging him and his government to suspend “spyware licenses and cybersecurity contracts to Gulf nations implicated in cyberattacks in the UK, namely the UAE, Saudi Arabia and Bahrain.”

The parliament members argued that this is a necessary step in light of the US Government putting NSO Group and Candiru on a denylist that bars any US company from selling services or software to those companies. 

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.