Yemen: the war between Hadi and Houthi forces is also being fought over the internet


Recorded Future: local and international players are waging a secondary war in Yemen through control of the internet and other cyber means. The key elements are censorship controls, traffic attempting to subvert those controls, and spyware activity.

In Yemen, alongside the visible war between the Arab Coalition and the Houthis, there is an underground war for control of the internet. According to a recent study by the cyber security experts at Recorded Future, “local and international players are waging a secondary war through internet control and other cyber means.” The key elements are three: censorship controls, traffic attempting to subvert those controls, and spyware activity. Added to these is cybercrime, which seeks profit through malware and cryptojacking campaigns.

The Houthis gained control over YemenNet, TeleYemen, MTN Yemen, and one of the landing points for the submarine cables

Rapid7’s National Exposure Index found that although Yemeni ASNs have been allocated 135,168 IP addresses, only 17,934 addresses were assigned, indicating low usage. As territory has changed hands in Yemen over the last four years, so too has control over internet resources. When the Houthi forces seized the capital city of Sana’a, they also gained control over YemenNet (the major internet provider), TeleYemen, and all other providers based within the city. They also seized control of the dominant mobile provider, MTN Yemen. Furthermore, there are four submarine cables serving Yemen at three landing points. Two of them are currently under the control of the Hadi government. The third, in Al-Hudaydah, is managed by the Houthi rebels, but it lies in an area that the Hadi government forces have been aggressively targeting. If they take control of the port, they could cut off internet access between the outside world and YemenNet subscribers.

The Shiite rebels also blocked access to WhatsApp, Facebook, Twitter, and Telegram, and severed over 80% of the fiber optic lines from YemenNet. The Hadi government created AdenNet, funded by the UAE and built with Huawei routers

The Houthis have blocked access to WhatsApp, Facebook, Twitter, and Telegram, according to reports from Al Arabiya, along with domains that reported on Houthi troop movements. They have also taken steps to shut off internet access entirely across the ISPs they control. Furthermore, it seems that they severed over 80% of the fiber optic lines from YemenNet, taking a more brutish approach to controlling information across the country. The Hadi government’s response was the creation of AdenNet, a new backbone provider, in June 2018. The new ISP was funded by the United Arab Emirates (UAE), relies on a single upstream link from Saudi Telecom (AS39386), and was built using routers from the Chinese technology firm Huawei. Much of AdenNet’s infrastructure is located outside of Yemen.

There has been a significant increase in the number of malware samples submitted to VirusTotal from Yemen. The overwhelming majority of those were Android applications

This underground war in Yemen is also confirmed by a significant increase in the number of software samples submitted to VirusTotal from the country: from 13 samples between 2015 and 2017 to a total of 164 in 2018. Of these, approximately half were malware, and the overwhelming majority of those were Android applications. From the 84 Android samples uploaded to VirusTotal since 2015, Recorded Future was able to identify variants of widely disseminated malware families, including AhMyth, DroidJack, Hiddad, and Dianjin, as well as multiple fake altcoin wallets, fake WhatsApp applications, and spyware posing as antivirus, video player, and VPN applications. In addition, the company determined that 50% of the adware obtained from the Android samples reached out to both Chinese and Western advertisement sites. Two-thirds of the fake antivirus spyware apps, as well as some of the AhMyth samples found, connected to Chinese IPs.

Cybercrime is also exploiting Yemen to make money through cryptojacking

Cybercrime is also exploiting Yemen to make money. Recorded Future found 973 hosts within the country running the cryptocurrency mining service Coinhive. Coinhive, a JavaScript-based Monero miner, was released in early 2017, two years after the Houthi rebels took control of YemenNet. All 973 hosts are MikroTik routers belonging to the YemenNet ASN AS30873, and 213 of the hosts share the same domain, dynamic.yemennet[.]ye. Moreover, approximately 427 of the 973 routers were involved in previous, more widely targeted cryptojacking campaigns discovered by Avast. A third of the remaining hosts (189) are located in Sana’a, the Houthi-held capital. Additionally, all of the infected routers are part of the YemenNet network.
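As an added example (not code from the original article or from the Recorded Future report), here is a small Python triage routine of the kind a network operator could run over HTTP responses collected from their own routers to spot a Coinhive-style miner injected into served pages. The host addresses, page bodies and site key are constructed for the example, and the detection patterns are assumptions about what such an injection looks like, not indicators taken from the report.

```python
import re
from typing import Dict, List

# Markers of a Coinhive-style in-browser Monero miner injected into a served page.
# Constructed pattern list for this example; a real campaign's markers may differ.
SCRIPT_SRC_RE = re.compile(
    r'<script[^>]*\ssrc=["\']([^"\']*coinhive\.min\.js[^"\']*)["\']', re.I)
MINER_CTOR_RE = re.compile(
    r'new\s+CoinHive\.(?:Anonymous|User)\s*\(\s*["\']([A-Za-z0-9]{16,})["\']')


def find_miner_indicators(html: str) -> Dict[str, List[str]]:
    """Return the miner script URLs and site keys found in one HTML body."""
    return {
        "script_urls": SCRIPT_SRC_RE.findall(html),
        "site_keys": MINER_CTOR_RE.findall(html),
    }


def triage_hosts(responses: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Map host -> findings; `responses` is {host: html_body} gathered from
    devices you administer (e.g. router login pages across your own ASN)."""
    report = {}
    for host, body in responses.items():
        found = find_miner_indicators(body)
        report[host] = {"infected": bool(found["script_urls"] or found["site_keys"]), **found}
    return report


# Constructed sample responses (RFC 5737 documentation addresses): one clean
# router login page and one carrying an injected miner with a hypothetical site key.
SAMPLE_RESPONSES = {
    "192.0.2.10": "<html><head><title>login</title></head><body>login</body></html>",
    "192.0.2.11": (
        '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>var m=new CoinHive.Anonymous('EXAMPLESITEKEY0000000000000000');"
        "m.start();</script></head><body>login</body></html>"
    ),
}


def count_infected(responses: Dict[str, str] = SAMPLE_RESPONSES) -> int:
    """Number of hosts whose response carries at least one miner indicator."""
    return sum(1 for r in triage_hosts(responses).values() if r["infected"])


if __name__ == "__main__":
    for host, r in triage_hosts(SAMPLE_RESPONSES).items():
        status = "INFECTED" if r["infected"] else "clean"
        print(host, status, r["script_urls"], r["site_keys"])
```

Because the 427 routers tied to the earlier Avast-documented campaign overlap with the 973 found here, a follow-up would be to group such findings by ASN and shared domain, as the report does, rather than treating each host in isolation.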