Connect with us

Hi, what are you looking for?


Malware & Threats

Israeli Counter-Terrorism Websites Used in Watering Hole Attacks

Israeli Website for International Institute for Counter-Terrorism Used in Watering Hole Attacks

Researchers have detected a pair of websites related to the Israeli government which appear to have been compromised as part of a “watering hole” attack, Websense said today.

Israeli Website for International Institute for Counter-Terrorism Used in Watering Hole Attacks

Researchers have detected a pair of websites related to the Israeli government which appear to have been compromised as part of a “watering hole” attack, Websense said today.

The websites were compromised and injected with malicious code which serves up an Internet Explorer exploit to unsuspecting site visitors running out-of-date versions of the Internet Explorer browser, Gianluca Giuliani of Websense Security Labs wrote in a blog post. Websense believes the sites may have been compromised and delivering malware from as early as Jan. 23, and as of this week, one site was still infecting users while the other appears to have ceased its activities.

The two sites, and, appear to be connected and governed by a leading Israeli academic institution called IDC, Websense said. ICT bills itself as the International Institute for Counter-Terrorism. As of today, the malware code appears to have been removed from the main page for, according to Websense.

“As described, the attacks on both websites are identical,” Giuliani said said.

The attack was “very similar” to a recent spate of spear-phishing attacks, Giuliani wrote. Researchers had previously linked the spear phishing attack to the watering hole attack on the Council on Foreign Relations website back in December because the same zero-day was targeted. The malicious Flash file could be either linked to the “Elderwood” gang, a highly organized cyber-crime group who may have instigated the attack on the CFR site, or different groups may be using the same toolkit, Websense said.

“It looks as if targeted attacks have now been surfacing regularly and more frequently, with more attacks that are now exposed almost on a weekly basis,” Giuliani wrote.

Advertisement. Scroll to continue reading.

Facebook, Twitter, Apple and Microsoft were all hit by watering hole attacks in February when the attackers compromised an iPhone development website.

The sophistication of attacks directly depends on the protection level employed by the target, Giuliani said. If the defense level is not strong enough, attackers are likely to try to break through. If it is hard to break, they may not put in the effort.

The tough questions one should ask one’s self in today’s threat landscape is “what am I doing to not be the next victim?” and, even more importantly, “what am I going to do when I do become one?” said Giuliani.

In this case, the malware loads a malicious page with Flash content embedded. The malware also downloads a connector to the command-and-control server and opens a backdoor on the infected machine. The malware speaks with a single host which appears to be based in China, as well as a second one that appears to belong to Hurricane Electric, an Internet Service Provider in Fremont, Calif.

“Looking closer at this IP address, we could see that it hosts a lot of mayhem, as well as many other hosts that are associated that use host names on *,” Websense said.

Post-infection mitigation plans should be given the same emphasis as prevention and deploying adequate protection in place, Websense said.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...