Five High-Profile Watering Hole Attacks Highlight Importance of Network Security

Five High-Profile Watering Hole Attacks Highlight Importance of Network Security

Watering Hole Attacks FIDigital criminals use various techniques to breach organizations’ computer systems. One method that continues to be popular among cybercriminals is watering hole attacks. The name is derived from how predatory animals tend to lurk around watering holes waiting for their prey to come for a drink. We understand how this makes them difficult for those of you who are responsible for protecting your employees and data to detect because there’s no direct assault; no frontal attack. They just lay in wait for an unsuspecting employee to wander by and get infected.

Watering Hole Attacks

As noted by Trend Micro, a watering hole attack occurs across several carefully designed and executed phases.

  1. It begins when the attacker profiles a target organization to determine the types of websites that its users most frequently visit.
  2. The bad actor then probes those websites for exploitable weaknesses and vulnerabilities.
  3. Using these flaws, the malefactor compromises a website and waits for a user at the target organization to visit the website.
  4. They then use malicious code injected into the compromised website to infect the user’s machine, gain access to the network, and then move laterally to other systems as needed to achieve their objective.

Though they have been around for years and years, watering hole attacks continue to pose a serious threat to organizations today. One of the reasons why this is the case is because they are so difficult to detect. Watering hole attacks generally rely on infecting legitimate websites, so individuals and organizations are less likely to fully scrutinize them.

That’s not the only challenge that makes watering hole attacks a serious threat for organizations. As one of our earlier blog posts notes:

Another problem with watering hole attacks is the difficulty in training employees to avoid infected sites. Organizations can train employees how to recognize and avoid most phishing emails, but there is no way for a user to identify a compromised website without the assistance of a tool specifically designed to do just that.

These difficulties explain why organizations, including high-profile organizations and government entities, continue to suffer watering hole attacks. Below are just a few of these events that have made news in recent years.

The U.S. Department of Labor

Back in 2013, digital attackers injected malicious code into the U.S. Department of Labor’s (DoL) Site Exposure Matrices (SEM), a tool that workers and contractors who are covered under the Energy Employees Occupational Illness Compensation Program Act (EEOICPA) Part E and the Radiation Exposure Compensation Act (RECA) can use to adjudicate claims. This code redirected DoL website visitors to another page hosting an exploit code for a vulnerability, as reported by Threatpost. Upon exploitation of that flaw, bad actors were able to execute code on a victim’s compromised machine in order to run the Poison Ivy RAT.

A Havex RAT Campaign

One year later, researchers at F-Secure detected a malware attack campaign targeting ICS/SCADA systems at organizations based in Germany, Switzerland, Belgium, and California. This operation in part leveraged trojanized installers planted on compromised websites (most often ICS vendor sites) to gain access to their targets. Whenever a user at a targeted organization visited one of these websites and downloaded one of those malicious installers, they subsequently downloaded a variant of Havex RAT. F-Secure’s researchers believe the campaign claimed as many as 1,500 victims.


A year after that, Invincea and iSight observed an instance where a Chinese attack group used a watering hole attack to compromise According to SecurityWeek, this campaign leveraged two zero-day vulnerabilities, one in Microsoft’s Internet Explorer and another in Adobe’s Flash Player, to display malicious versions of Forbes’ “Thought of the Day,” a Flash widget which at the time loaded whenever someone attempted to access a page on This behavior enabled the campaign to infect anyone using a vulnerable machine who simply visited while the campaign was active.

Though receives millions of users a day, Invincea and iSight noticed the campaign targeting a small handful of sectors including some of their customers in the defense and financial services industries.


In March 2019, researchers at ESET disclosed a watering hole attack involving the International Civil Aviation Organization (ICAO), a specialized agency of the United Nations that promotes the development and planning of air navigation and transport around the world. An advanced persistent threat known as the LuckyMouse group was ultimately found responsible for the attack, which actually took place back in 2016. Through these efforts, bad actors compromised two servers at the ICAO as well as accounts of the mail servers, domain admin, and sysadmin.

According to CBC, bad actors used ICAO as part of a watering hole attack chain. This sequence enabled these malefactors to compromise at least one of the United Nations’ 192 member states within 30 minutes of the ICAO hack.

The SLUB Backdoor

Most recently, researchers at Trend Micro observed malefactors using watering hole attacks exploiting a VBScript engine vulnerability to spread a unique form of malware in 2019. This novel threat, which the security firm has nicknamed “SLUB,” is interesting for two reasons. First, it downloads a “gist” snippet from GitHub and scans it for commands. Second, it then takes the scan and posts the result of any commands it found in a private Slack channel in a particular workplace using embedded tokens.

Trend Micro’s analysis of the campaign reveals that the digital attackers created the Github account and the Slack workspace on February 19 & 20 before compiling the malware on February 22. The bad actors tested the malware in the days that followed before the first victims began to appear on February 27.

Defending Against Watering Hole Attacks

The attacks I’ve discussed above illustrate how organizations continue to suffer watering hole attacks. Others have arrived at the same conclusion.

Take Carbon Black, for instance. In a report entitled “Modern Bank Heists: The Bank Robbery Shifts to Cyberspace,” the security firm found that more than a fifth (21 percent) of surveyed financial institutions suffered a watering hole attack during the study’s reporting period. These and other attack campaigns didn’t target U.S. organizations directly; they went after entities based in Russia, Central Asia, and Southeast Asia. Even so, such attacks can still affect global firms based in the United States and elsewhere. In support of this point, an intelligence analyst at Lockheed Martin said that the recent attack against ICAO represents a “significant threat to the aviation industry.”

In response, organizations need to make sure they’re taking the appropriate steps to defend against watering hole attacks. Some best practices include:

  • Inspect popular websites that employees visit for malware
  • Block traffic to all websites that they discover have been compromised
  • Configure browsers and other tools that use website reputation services to notify users of “bad” websites

At Lastline, we also recommend treating traffic from third parties and websites visited by employees as untrusted until otherwise verified. It doesn’t matter if the content comes from an obscure partner site or a popular and well-known website, it all needs to be checked. Verification is best accomplished by a multi-faceted defense strategy, including advanced threat detection that is able to detect both malicious code on compromised websites and insider threats moving laterally on your network.