Houthi rebels, cyber espionage campaigns and the United Nations food agency
A report on likely pro-Houthi group OilAlpha campaign targeting humanitarian and human rights groups
In May 2023, Recorded Future’s Insikt Group published its first report on likely pro-Houthi group OilAlpha depicting a campaign targeting humanitarian and human rights groups focused on development issues.
Who is OilAlpha?
OilAlpha is a hacking group with suspected ties to Yemen's Houthi movement. It has been conducting cyber espionage campaigns targeting development, humanitarian, media, and non-governmental organizations in the Arabian Peninsula.
The group primarily focuses on Android devices and uses malicious mobile applications, such as SpyNote and SpyMax, to infect victims with malware.
The group employs social engineering through encrypted chat messengers such as WhatsApp to trick targets into downloading the malicious apps.
OilAlpha's operations include credential harvesting and the use of spoofed login pages to steal user information. The group's infrastructure is often traced back to Yemen-based entities, including government-owned businesses controlled by Houthi-aligned officials.
Cyber Espionage Campaigns
A year after the initial report, additional information indicates that OilAlpha is still targeting humanitarian organizations in Yemen.
The initial attack vector appears to be malicious Android applications (Cash Incentives.apk, NRC Business .apk) and spoofed web portals.
Analysis of the malicious applications showed that they request an excessive set of permissions that are invasive of a user's privacy, including access to the phone's camera, audio, SMS, contacts, internet, WiFi, external storage read and write permissions, and many other access permissions.
Further analysis of the sample revealed that throughout early 2024 the command-and-control (C2) server resolved to 141.255.145[.]221 and that the application was also configured to contact a second domain, ho2hm1.ddns[.]net. At the time, both were configured to communicate over port 44449.
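The network indicators and the permission profile described above are what a defender would actually hunt on. The following script is an added example written for this summary; it is not code from Recorded Future's report or from the Insikt Group. It takes the C2 IP, domain and port exactly as stated on the page (defanged, and refanged only for matching), parses a constructed AndroidManifest.xml snippet and a few constructed connection-log lines (the log line format is assumed), and flags both C2 contacts and an over-privileged permission set. The mapping from the permissions listed in the text to Android manifest permission names is my assumption; `INTERNET` is deliberately left out of the invasive set because nearly every legitimate app requests it.

```python
import re
import xml.etree.ElementTree as ET

# Indicators copied from the report summary on this page (kept defanged as written).
C2_IPS_DEFANGED = {"141.255.145[.]221"}
C2_DOMAINS_DEFANGED = {"ho2hm1.ddns[.]net"}
C2_PORTS = {44449}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b') into a matchable one ('a.b')."""
    return indicator.replace("[.]", ".")


C2_IPS = {refang(i) for i in C2_IPS_DEFANGED}
C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Assumed manifest names for the permissions the text says the apps request.
# INTERNET is intentionally excluded: it is too common to be a signal on its own.
INVASIVE_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Assumed log format: "<timestamp> <src_ip>:<src_port> -> <dst>:<dst_port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)")


def match_connection(line: str) -> list:
    """Return the list of indicator types a log line matches (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    dst = refang(m["dst"])
    dport = int(m["dport"])
    reasons = []
    if dst in C2_IPS:
        reasons.append("c2-ip")
    if dst in C2_DOMAINS:
        reasons.append("c2-domain")
    if dport in C2_PORTS:
        reasons.append("c2-port")
    return reasons


def severity(reasons: list) -> str:
    """A port alone is a weak signal; an IP or domain hit is strong."""
    if "c2-ip" in reasons or "c2-domain" in reasons:
        return "high"
    return "low" if reasons else "none"


def scan_log(lines: list) -> list:
    """Return (line, reasons, severity) for every line that matches an indicator."""
    hits = []
    for line in lines:
        reasons = match_connection(line)
        if reasons:
            hits.append((line, reasons, severity(reasons)))
    return hits


def requested_permissions(manifest_xml: str) -> list:
    """Extract every <uses-permission android:name=...> from a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{http://schemas.android.com/apk/res/android}name"
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def invasive_permissions(perms: list) -> list:
    """Sorted subset of the requested permissions that are privacy-invasive."""
    return sorted(INVASIVE_PERMISSIONS & set(perms))


def is_overprivileged(perms: list, threshold: int = 4) -> bool:
    """Flag an app that asks for at least `threshold` invasive permissions."""
    return len(invasive_permissions(perms)) >= threshold


# Constructed sample data (not from the report): a manifest and a short connection log.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

SAMPLE_LOG = [
    "2024-02-03T10:12:01Z 10.0.0.5:51234 -> 141.255.145.221:44449",   # C2 IP and port
    "2024-02-03T10:12:07Z 10.0.0.5:51240 -> ho2hm1.ddns.net:44449",   # C2 domain and port
    "2024-02-03T10:13:00Z 10.0.0.7:51301 -> 198.51.100.20:443",       # benign, constructed
    "2024-02-03T10:13:30Z 10.0.0.9:51400 -> 203.0.113.8:44449",       # port only: weak signal
]

if __name__ == "__main__":
    for line, reasons, sev in scan_log(SAMPLE_LOG):
        print(f"[{sev}] {line}  <- {', '.join(reasons)}")
    perms = requested_permissions(SAMPLE_MANIFEST)
    print("invasive permissions:", invasive_permissions(perms))
    print("over-privileged:", is_overprivileged(perms))
```

The port match is kept separate from the IP and domain matches on purpose: the page states the port used at one point in time, and ports are reused by unrelated services, so a port-only hit should raise a low-severity lead for triage rather than a high-confidence alert. The permission threshold is a tunable starting point, not a verdict; it is meant to surface sideloaded apps for manual review.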
Specifically, three organizations (Care International, KSP, and the Norwegian Refugee Council) have been targeted and had their respective portals spoofed, as seen in the image above.
United Nations & The World Food Program
The interconnected dynamics of Houthi control, cyber targeting, and the halt of UN food distribution in Yemen paint a bleak picture of the humanitarian crisis in the region.
The Houthi militants' efforts to control aid through cyber intelligence gathering outline their strategy of leveraging humanitarian resources for financial and political gain.
Meanwhile, threat groups like OilAlpha worsen the situation by targeting organizations trying to deliver aid and uphold human rights.
The recent decision by the UN World Food Programme to stop food distribution due to funding and operational disagreements will likely increase pressure on the group to control aid from other sources.