Zero-day targeted attack against journalists using Google Chrome

This attack was highly targeted, using spyware from Candiru, an Israeli cyber-weapons company. To get the spyware onto the target machines, the threat actors exploited what was, at the time, a zero-day vulnerability in Google Chrome.

Zero-day used to infect Chrome users could pose threat to Edge and Safari users, too | Ars Technica

The exploited vulnerability was in Chrome's WebRTC component, which handles real-time video, audio and text communication in the browser. Google patched it in early July 2022, and Microsoft and Apple have both patched the same component in Edge and Safari.

It was a watering hole attack, an attack in which malware is embedded in websites that the intended victims are likely to visit. The websites chosen in this attack were related to journalism and were spread across Lebanon, Turkey, Yemen and Palestine. Once a target's machine was infected, it downloaded Candiru's DevilsTongue spyware and the spying could begin. DevilsTongue is in the same class of malware/spyware as NSO's Pegasus and RCS Lab's Hermit. Candiru states that it only sells its spyware to approved governments.

Compromising websites that are of interest to, and regularly visited by, journalists and people in the media is a strong indication that those people were the threat actor's targets of choice.

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Here’s what Citizen Lab has to say about Candiru:

Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus – The Citizen Lab

WebRTC vulnerability posts at Smart Thinking Solutions