Watering Hole Attacks Explained: What They Are and How to Prevent Them

Cyberattacks have exponentially increased in sophistication over the past decade, leaving many organizations struggling to maintain network and data security as new, previously unknown threats arise. Terms such as malware, phishing, and even denial-of-service attacks are familiar to most people. However, other terms such as watering hole attacks may be entirely new.

Here, we investigate what watering hole attacks are, how they work, and how you and your organization can raise awareness of the threats posed and protect against them.

What Are Watering Hole Attacks, and How Do They Work?

Watering hole attacks, sometimes known as watering hole phishing, take their namesake inspiration from the wild, such as when a predator strikes its prey as it stops by a watering hole to drink. Think about a lion hiding at a popular watering hole on the savanna, pouncing as an unsuspecting antelope stoops to drink. The antelope is an easy target but the watering hole is also a place where all kinds of animals regularly congregate. 

The reason for this analogy becomes clear when we define a watering hole attack in the context of cybersecurity. Threat actors aim to strike their targets where they congregate, commonly on websites frequently used by the target. Having used that website often, the target rarely thinks twice about its security, leaving them vulnerable to surprise attacks from a variety of sources.

The concept behind watering hole attacks is clear, but the methods used by cyberattackers to implement and profit from them are also essential to understand. Usually, watering hole attacks are staged across four steps that aim to monitor, analyze, and execute one of many types of web-borne exploits. Commonly, these steps include:

Gather Intelligence Through Tracking 

Watering hole attackers begin by identifying a target and gathering intelligence on their web browsing habits. This might be frequently visited public sites, websites specific to the company or industry, or even tools such as webmail and cloud storage. Threat actors use a range of tools to gather this intelligence, including search engines, social media pages, website demographic data, social engineering, spyware, and keyloggers.

Analyze Websites for Vulnerabilities 

Once viable targets have been identified, cyberattackers then begin to analyze the list of websites for weaknesses and vulnerabilities at the domain and subdomain levels. Additionally, website clones may be created to fool the target into believing they are using the official site. Sometimes, both are used in tandem, compromising a legitimate site to lead targets to a malicious page.

Prepare Exploits and Infect Target Websites 

Web-borne exploits are used to infect the websites commonly used by the target. Focusing on technologies such as ActiveX, HTML, JavaScript, images, and other vectors, cyberattackers aim to compromise browsers used by the target. Sophisticated attacks may even allow actors to infect visitors with specific IP addresses.

Wait for the Target to Unsuspectingly Download Malware

The watering hole phishing infrastructure is now in place, and malicious actors only need to wait for the malware to activate. This happens when the target's browser unsuspectingly downloads and automatically runs the pre-placed software from the compromised sites. This works since web browsers often indiscriminately download code to computers and devices. 

How Individuals Can Protect Themselves Against Watering Hole Attacks

Watering hole attack prevention for individuals consists of maintaining good cybersecurity practices every time you are online. This means being careful where and what you click while browsing the web and ensuring high-quality antivirus software is installed and regularly updated. Browser protection apps and VPNs can also be helpful, alerting users to potentially malicious sites or downloads and blocking them entirely where necessary. 

How Businesses Can Protect Themselves Against Watering Hole Attacks

Businesses can take a more robust approach to watering hole attack prevention through various advanced cybersecurity tools and protocols. These include:

• Raising awareness of watering hole attacks and educating staff through security awareness programs to enable them to detect suspicious activity more quickly.
• Ensuring all software, including non-security software, is kept up to date. Watering hole attacks actively search out vulnerabilities, so regular vulnerability scans and security patches are a critical line of defense.
• Using secure web gateways (SWG) to filter out web-based threats and enforce acceptable use policies. An SWG acts as a middleman between the user and the external website, blocking malicious network traffic and allowing staff to browse securely.
• Ensuring all traffic that passes through the organization's network is treated as untrustworthy until it has been validated.
• Using endpoint detection and response tools to protect your organization from emerging malware threats. 

Examples of Watering Hole Attacks in Current Events

Over the past decade, there has been a raft of watering hole attacks, with many targeting high-profile organizations that have supposedly implemented top-of-the-line cybersecurity protection. This means that any type of organization can be vulnerable to these attacks, which are called Advanced Persistent Threats (APTs). Here are some concrete examples of high-profile watering hole attacks:

2012 – American Council on Foreign Relations

Through an Internet Explorer exploit, cyberattackers infected the CFR. Watering hole phishing targeted those browsers only using certain languages that could be exploited. 

2016 – Polish Financial Authority

Targeting over 31 countries, including Poland, the United States, and Mexico, researchers discovered an exploit kit that had been embedded in the Polish Financial Authority's web server. 

2019 – Holy Water

By embedding a malicious Adobe Flash pop-up that triggered a download attack, dozens of religious, charity, and volunteer websites were infected. 

2020 – SolarWinds

IT company SolarWinds was the target of a far-reaching watering hole attack that ran for a long time. After months of cyber intelligence work, it was uncovered that state-sponsored agents were using watering hole phishing to spy on cybersecurity companies, the Treasury Department, Homeland Security, and more.

2021 – Hong Kong

Google's Threat Analysis Group identified numerous watering hole attacks focusing on users who visited media and pro-democracy websites in Hong Kong. Once successful, the malware would go on to install a backdoor on individuals using Apple devices.

How to Tell If You've Been the Victim of a Watering Hole Attack

Since watering hole attacks are, by design, supposed to trick us into believing we are visiting a trusted website or legitimate source, they can be difficult to identify immediately. If you haven't realized the attack has happened at its source in real time, then the next likely indicator will be that your networks begin to act differently, and data goes missing or is no longer accessible. For these reasons, ensuring extra vigilance with zero-day exploits is critical, as these are the most common vectors for watering hole phishing.

The Bottom Line: Watering Hole Attacks 

Perhaps the most concerning thing about watering hole attacks is that they persistently target places individuals and organizations people have grown to trust. However, identifying this specific cyberattack can be straightforward with the proper education, intelligence, and tools. Remember, cybersecurity best practices are there for a reason and should be used without fail.