Recorded Future: Local and international players are waging a secondary war through internet control and other cyber means in Yemen. The key elements are censorship controls, traffic attempting to subvert those controls, and spyware activity
In Yemen there is an underground war to control internet, in addition to the visible one between the Arab Coalition and the Houthis. According to a recent study by the Recorded Future cyber security experts, “local and international players are waging a secondary war through internet control and other cyber means.” The key elements are three: censorship controls, traffic attempting to subvert those controls, and spyware activity. To them is added the cybercrime, which seeks to make profits with malware and cryptojacking campaigns.
The Houthis gained control over YemenNet,TeleYemen, MTN Yemen, and on a landing point for the submarine cables
Rapid7’s National Exposure Index found that although Yemeni ASNs have allocated 135,168 IP addresses, only 17,934 addresses were assigned, indicating low usage. As territory has changed hands in Yemen for the last four years, so too has control over internet resources. As the Houthi forces seized the capital city of Sana’a, they also gained control over YemenNet — the major internet provider -, TeleYemen, and all other providers based within the city. They also seized control of the dominant mobile provider, MTN Yemen. Furthermore, there are four submarine cables servicing Yemen at three landing points. Two of them are currently under the control of the Hadi government. The third, in Al-Hudaydah, is managed by the Houthi rebels, but is an area that the Hadi government forces has been aggressively targeting. If them will take control of the port, they could cut off internet access between the outside world and YemenNet subscribers.
The sciite rebels also blocked access to WhatsApp, Facebook, Twitter, and Telegram. They also severed over of fiber optics lines from YemenNet. Hadi government created AdenNet, funded by UAE and with Huawei routers
The Houthis have blocked access to WhatsApp, Facebook, Twitter, and Telegram, according to reports from Al Arabiya. Along with domains that reported on Houthi troop movements. They have also taken steps to shut off internet access entirely across their ISP control. Furthermore, it seems that they severed over 80% of fiber optics lines from YemenNet, taking a more brutish approach to control information across the country. The Hadi government response was the creation of AdenNet, a new backbone provider, in June 2018. The new ISP was funded by the United Arab Emirates (UAE), uses a single flow from Saudi Telecom (AS39386), and was built using routers from Chinese technology firm Huawei. Much of AdenNet’s infrastructure is located outside of Yemen.
There a significant increase in the number of malware submitted to VirusTotal from the Yemen. The overwhelming majority of those were Android applications
This underground war in Yemen is confirmed also by a significant increase in the number of software submitted to VirusTotal from the Arab Country. From 13 samples from between 2015 and 2017 to a total of 164 in 2018. Of these, approximately half were malware, and the overwhelming majority of those were Android applications. From the 84 Android samples uploaded to VirusTotal since 2015, Recorded Future was able to identify variants of widely disseminated malware families, including AhMyth, DroidJack, Hiddad, and Dianjin, as well as multiple fake Altcoin wallets, fake Whatsapp applications, and spyware posing as antivirus, video playing, and VPN applications. In addition, the company determined that 50% of the adware obtained from the Android samples reached out to both Chinese and Western advertisement sites. Two-thirds of the fake antivirus spyware apps, as well as some AhMyth samples found, connected to Chinese IPs.
Also cybercrime is exploiting Yemen to earn money with cryptojacking