Pro-Houthi Group Deploys Android Spyware to Target Yemeni Humanitarian Orgs

Insikt Group's research reveals that OilAlpha, a suspected pro-Houthi entity, continues to target humanitarian and human rights organisations in Yemen. The group deploys malicious Android applications to steal credentials and gather intelligence, with the apparent aim of controlling aid distribution.

Notable organisations affected include CARE International and the Norwegian Refugee Council. The report describes an ongoing threat and recommends mitigations such as social engineering awareness training, strong passwords, and multi-factor authentication.

In May 2023, Insikt Group published its first report on OilAlpha, a pro-Houthi group that targets humanitarian organisations in Yemen with malicious Android applications. A year later, new findings show that OilAlpha remains active and poses a serious threat to humanitarian activities in the region.

A recently published report identified a new set of malicious mobile apps and infrastructure associated with OilAlpha. The applications target employees of internationally renowned humanitarian organisations, including Saudi Arabia's King Salman Humanitarian Aid and Relief Centre, the Norwegian Refugee Council, and CARE International.

Last month, researchers discovered a malicious Android file named “Cash Incentives.apk” linked to OilAlpha's infrastructure. The app requests invasive permissions, including access to the camera, audio recording, SMS, contacts, and more, which classifies it as a remote access trojan (RAT). Subsequent investigation identified two more malicious applications targeting the Norwegian Refugee Council and CARE International, all attempting to steal credentials and gather sensitive information.
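The permission profile described above (camera, audio, SMS, contacts in an app that claims to hand out cash incentives) is exactly what a defender can triage from a decoded AndroidManifest.xml. The following is an added example written for this post, not Insikt Group's tooling; the manifest it parses is a constructed sample, not the real "Cash Incentives.apk" manifest, and it assumes the manifest has already been decoded to plain XML (for instance with apktool).

```python
"""Triage a decoded Android manifest for RAT-like permission clusters."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Surveillance capability groups; a benign "cash incentives" app has no
# business requesting several of these at once.
RAT_INDICATORS = {
    "camera": {"android.permission.CAMERA"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
}

# Constructed sample manifest (hypothetical package name, not from the report).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cashincentives">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Collect android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def rat_capabilities(perms: set[str]) -> list[str]:
    """Name the surveillance groups the permission set enables, sorted."""
    return sorted(g for g, names in RAT_INDICATORS.items() if perms & names)


def triage(manifest_xml: str, threshold: int = 3) -> tuple[bool, list[str]]:
    """Flag the app when it spans at least `threshold` surveillance groups."""
    caps = rat_capabilities(requested_permissions(manifest_xml))
    return len(caps) >= threshold, caps


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

The threshold is a triage heuristic, not a verdict: a legitimate messaging app can reasonably span several of these groups, so the flag should route the sample to analyst review rather than block it outright.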

OilAlpha's operations include a credential theft portal under the domain kssnew[.]online. This webpage impersonates the login pages of humanitarian organisations, prompting users to enter their credentials, which are then captured by the perpetrators. 

To address this threat, organisations should establish information security policies and conduct social engineering and anti-phishing awareness training. Strong passwords and multi-factor authentication (MFA) can dramatically reduce the likelihood that stolen credentials are usable. Users should also exercise caution with direct messages on social media and encrypted messaging apps, and verify the legitimacy of messages whenever possible.

OilAlpha's operations point to a persistent effort to influence humanitarian relief distribution in Yemen. The group's focus on humanitarian organisations is expected to continue, possibly spreading outside Yemen.