Digital Weapon in Desert: Oilalpha Hunts Humanitarian Aid

A new report by Recorded Future's Insikt Group details the activity of the Houthi-linked OILALPHA group, which is actively targeting humanitarian and human rights organizations in Yemen. Using malicious Android applications, the group steals credentials and gathers intelligence, possibly in an effort to manipulate the distribution of humanitarian aid.

The victims of these attacks include employees of humanitarian organizations such as CARE International, the Norwegian Refugee Council, and the King Salman Humanitarian Aid and Relief Centre in Saudi Arabia.

The infected applications were first discovered in May 2023, and a year later researchers uncovered a new set of mobile applications and infrastructure belonging to OILALPHA. One suspicious Android file named “Cash Incentives.apk” was identified; it requests extensive permissions, including access to the camera, microphone, SMS, contacts, and other features, which places the application in the remote access trojan (RAT) category. Two additional malicious applications were later detected.

Among these is a fake cash-incentive application that prompts the user to enable Google services while it runs.
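The permission set described above (camera, microphone, SMS, contacts) is exactly what a defender would look for when triaging an unknown APK. The following Python script is an added example, not code from the report or from Insikt Group: it parses an AndroidManifest.xml, extracts the declared `uses-permission` entries, and flags the app as RAT-like when it requests several surveillance-class permissions at once. Both manifests embedded in the script are constructed for the example and are not taken from the real “Cash Incentives.apk”; the permission list and threshold are assumptions a triage analyst would tune for their own environment.

```python
"""Triage an Android manifest for RAT-like permission requests.

Added example for this article; manifests below are constructed samples,
not the real OILALPHA applications.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that together let an app surveil the device owner. A form that
# merely collects cash-incentive details has no legitimate need for them.
# This list is an assumption for the example, not an official classification.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample: a "cash incentive" app asking for far more than it needs.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cashincentives">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Cash Incentives"/>
</manifest>
"""

# Constructed sample: a benign app that only talks to the network.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="News Reader"/>
</manifest>
"""


def extract_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    }


def triage(manifest_xml, threshold=4):
    """Score a manifest: how many surveillance permissions does it request?

    threshold is the number of surveillance-class permissions at which the
    app is labelled RAT-like (an assumed cut-off for this example).
    """
    perms = extract_permissions(manifest_xml)
    suspicious = sorted(perms & SURVEILLANCE_PERMISSIONS)
    return {
        "permissions": sorted(perms),
        "suspicious": suspicious,
        "rat_like": len(suspicious) >= threshold,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "-> RAT-like:", result["rat_like"],
              "| surveillance permissions:", result["suspicious"])
```

On a real sample the manifest is binary-encoded inside the APK and must first be decoded (for example with `apktool` or `androguard`); the scoring logic above then applies unchanged to the decoded XML.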

OILALPHA’s operations also rely on a credential-harvesting portal hosted on the domain kssnew[.]online. The portal mimics the login pages of humanitarian organizations; users who are redirected to it enter their credentials, which are then captured by the attackers.

Given the ongoing threat, the Insikt Group recommends several risk-reduction measures, including training employees to recognize social engineering, enforcing strong passwords, and using multi-factor authentication.

In 2014, the Houthis seized control of Yemen’s capital, sparking a civil war. Human rights organizations have reported that since June 2019, Saudi Arabia’s controversial intervention has led to widespread arbitrary arrests, torture, and enforced disappearances.

OILALPHA’s activity points to a persistent effort to influence the distribution of humanitarian aid in Yemen, and raises the concern that this activity may extend beyond Yemen’s borders.

It is worth noting that, in addition to humanitarian organizations, militaries in the Middle East have also been hit by such attacks. The recently discovered GuardZoo trojan has been in use since at least October 2019. It is designed to steal photos, documents, and other files from victims, suggesting an interest in collecting tactical and strategic military information.
