Hacker Lexicon: What Is a Watering Hole Attack?

It's a technique that can hit thousands of victims—through no fault of their own.
Illustration: Elena Lacey

Most hacks start with a victim making some sort of mistake, whether that's entering a password on a convincing-looking phishing page or accidentally downloading a malicious attachment on a work computer. But one particularly sinister technique starts with simply visiting a real website. They're called watering hole attacks, and in addition to being a longstanding threat they've been behind several high-profile incidents lately.

The most infamous watering hole attack in recent memory came to light in 2019, after targeting iPhone users within China's Uyghur Muslim community for two years. But threat intelligence researchers emphasize that the technique is fairly common, likely because it's so powerful and productive. The internet security firm ESET says it detects multiple watering hole attacks per year, and Google's Threat Analysis Group (TAG) similarly sees as many as one per month. 

The name comes from the idea of poisoning a central water source that then infects anyone who drinks from it. Relatedly, it also evokes a predator that lurks near a watering hole waiting for prey to stop by. Watering hole attacks can be difficult to detect because they often operate quietly on legitimate websites whose owners may not notice anything amiss. And even once discovered, it's often unclear exactly how long an attack has been going on and how many victims there are.

“Let’s say attackers are going after democracy activists. They might hack a democracy activist website knowing that all these potential targets are going to visit,” says Google TAG director Shane Huntley. “The key thing about why these attacks are so dangerous and can lead to such high success rates is that they take out that important step of the target having to do something or be tricked. Instead of targeting activists with something they actually have to click, which might be hard because they’re very canny, you can go to somewhere they’re already going and skip immediately to the part where you’re actually exploiting people’s devices.”

Earlier this month, for example, TAG published findings about a watering hole attack that compromised a number of media and pro-democracy political group websites to target visitors using Macs and iPhones in Hong Kong. Based on the evidence it was able to collect, TAG couldn't firmly establish how long the attacks had gone on or how many devices were affected.

Watering hole attacks always have two types of victims: the legitimate website or service that attackers compromise to embed their malicious infrastructure, and the users who are then compromised when they visit. Attackers have gotten increasingly skilled at minimizing their footprint, using the compromised website or service as merely a conduit between victims and external malicious infrastructure, with no visible sign to users that anything's amiss. That way attackers don't have to build everything within the compromised site itself. Conveniently for hackers, this makes the attacks easier to set up and harder to trace.

To turn visiting a website into an actual hack, attackers need to be able to exploit software flaws on victims' devices, often a chain of vulnerabilities that begins with a browser bug. This gives attackers the access they need to install spyware or other malicious software. If hackers really want to cast a wide net, they'll set up their infrastructure to exploit as many types of devices and software versions as possible. Researchers point out, though, that while watering hole attacks may seem indiscriminate, hackers can target victims more precisely by device type or by using other information a visiting browser reveals, such as the country its IP address resolves to.

Earlier this month, ESET published findings on a watering hole campaign focused on Yemen that showed how that works in practice. The compromised websites in the campaign included media outlets in Yemen, Saudi Arabia, and the United Kingdom, internet service provider sites in Yemen and Syria, government sites in Yemen, Iran, and Syria, and even aerospace and military technology companies in Italy and South Africa.

“In this case attackers compromised more than 20 different websites, but the very low number of people compromised was noteworthy,” says Matthieu Faou, an ESET malware researcher who presented the findings at the Cyberwarcon security conference in Washington, DC, last week. “Only a handful of the compromised websites’ visitors were themselves compromised. It is hard to tell an exact number, but probably not more than a few dozen people. And in general most watering hole attacks are conducted by cyber-espionage groups in order to compromise very specific targets.”

Faou and his colleagues at ESET have worked to develop a system that makes it easier to detect and expose watering hole attacks by scanning the open internet for specific signs of compromise. A tool like that would be invaluable precisely because of how stealthy and untraceable the attacks can be. By getting there early, researchers can not only protect more would-be victims but have a better chance of being able to assess attackers' infrastructure and the malware they are distributing.

“We are still adapting it to discover as many attacks as possible while reducing the number of false alerts,” Faou says of the tool. “But it's important to detect these attacks early, because otherwise we might miss them. Attackers will quickly clean compromised websites and if it’s not there anymore, it becomes very hard to investigate.”
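The "conduit" pattern described above, where the compromised site carries only a small injected loader that fetches the real payload from external infrastructure, is also what a scanner like ESET's has to look for. The following is an added example, not ESET's tool or any code from the article: it lists where a page snapshot loads active content from, flags hosts outside a known-good allowlist or elements that are hidden, and reports hosts that appeared between two crawls of the same page. The site names, the allowlist, and the `injected-host.example.invalid` placeholder are all constructed for the example.

```python
"""Flag injected third-party loaders in snapshots of a web page.

A watering hole compromise often leaves only a small foothold on the
legitimate site: an added <script src=...> or a zero-size <iframe> that
pulls the real payload from attacker-controlled infrastructure. This
scanner lists where a page loads active content from, flags hosts outside
a known-good allowlist, and reports hosts that appeared between two
snapshots. Hosts and HTML below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose URL attribute fetches active or framed content.
LOADER_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


def _looks_hidden(attrs):
    """Zero-size or display:none loaders are a classic injection tell."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")


class _ResourceCollector(HTMLParser):
    """Collect (tag, url, hidden) for every loader element in the page."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        url_attr = LOADER_ATTRS.get(tag)
        if url_attr is None:
            return
        attrs = dict(attrs)
        url = attrs.get(url_attr)
        if url:
            self.resources.append((tag, url.strip(), _looks_hidden(attrs)))


def extract_resources(html):
    """Parse the snapshot and return its loader elements."""
    collector = _ResourceCollector()
    collector.feed(html)
    return collector.resources


def _host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for same-origin paths."""
    return (urlparse(url).hostname or "").lower()


def loader_hosts(html):
    """Set of remote hosts the page loads active content from."""
    return {_host_of(url) for _, url, _ in extract_resources(html)} - {""}


def scan(html, first_party_hosts, allowlist=frozenset()):
    """Return a list of findings for loaders a defender should review."""
    findings = []
    for tag, url, hidden in extract_resources(html):
        host = _host_of(url)
        reasons = []
        if host and host not in first_party_hosts and host not in allowlist:
            reasons.append("unexpected external host " + host)
        if hidden:
            reasons.append("hidden element")
        if reasons:
            findings.append({"tag": tag, "url": url, "reasons": reasons})
    return findings


def new_loader_hosts(baseline_html, current_html, first_party_hosts):
    """Hosts the current snapshot loads from that the baseline did not."""
    return loader_hosts(current_html) - loader_hosts(baseline_html) - set(first_party_hosts)


# Constructed sample data: a clean crawl of a site and a later, compromised one.
FIRST_PARTY = {"news-site.example", "static.news-site.example"}
ALLOWLIST = {"analytics.example"}

BASELINE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.news-site.example/lib.js"></script>
<script src="https://analytics.example/tag.js"></script>
</head><body><h1>Community news</h1></body></html>"""

# Same page with an injected loader and a zero-size frame (placeholder host).
COMPROMISED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="//injected-host.example.invalid/l.js"></script>\n'
    '<iframe src="https://injected-host.example.invalid/f" width="0" height="0"></iframe>\n'
    "</head>",
)

if __name__ == "__main__":
    for finding in scan(COMPROMISED_HTML, FIRST_PARTY, ALLOWLIST):
        print(finding)
    print("new hosts:", new_loader_hosts(BASELINE_HTML, COMPROMISED_HTML, FIRST_PARTY))
```

Comparing against a baseline matters because of the point Faou makes: attackers clean up quickly, so a single crawl of a site may already be too late, whereas a stored earlier snapshot lets you see what was there. Any real deployment would also need to resolve the flagged hosts and check them against threat intelligence, and to account for legitimate third-party additions such as a new ad or analytics vendor.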

Though you can't completely eliminate the risk of your devices being infected by a watering hole attack, you can protect yourself by keeping up with software updates on your computer and phone and restarting your devices regularly, which can flush out certain types of malware.
