Controlling Online Access in Yemen’s War Zone

December 3, 2018 • Amanda McKeon

Recorded Future’s Insikt Group recently published research titled “Underlying Dimensions of Yemen’s Civil War: Control of the Internet.” It’s a detailed analysis of the role the internet has played in Yemen’s ongoing bloody conflict, as rival factions fight to gain control of information, access, and infrastructure. Local and international interests all come into play.

Here to guide us through the research are Recorded Future’s Winnona DeSombre, threat intelligence researcher, and Greg Lesnewich, threat intelligence analyst.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 85 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Recorded Future’s Insikt Group recently published research titled “Underlying Dimensions of Yemen’s Civil War: Control of the Internet.” It’s a detailed analysis of the role the internet has played in this ongoing bloody conflict, as rival factions fight to gain control of information, access, and infrastructure. Local and international interests all come into play.

Here to guide us through the research are Recorded Future’s Winnona DeSombre, threat intelligence researcher, and Greg Lesnewich, threat intelligence analyst. Stay with us.

Greg Lesnewich:

This report actually largely came out of the idea of CyberwarCon and seeing what John Hultquist and the team over there had prompted, and talks they were looking to have. People come in and have different conversations than most other cybersecurity conferences I’ve hit on, and looking at real-world implications of cyber activity in … Whether it was disinformation or, in our case, actual physical war in a country, and taking the temperature of the cyber aspects in those regards. Yemen, I think, naturally came to our attention.

I think that part of our collective interest in it was the fact that we see and hear a lot about what I would describe as advanced forms of cyber war, or what people would describe as advanced forms of cyber war — a malware sent in that can black out a city to then get in front of a kinetic attack and help troops there, and that isn’t necessarily taking place in a real war zone all the time. We wanted to take the pulse of a country that doesn’t get a lot of attention from the cyber realm, and dig in and figure out what the cyber aspects of the war going on in Yemen were.

Winnona DeSombre:

One of the more interesting parts about choosing Yemen is, you get to actually look at cyber activity during an active civil war and what some would even suggest to be a proxy war. With the active war zone, how the physical and cyber components interact with each other, we thought would be incredibly interesting.

Dave Bittner:

Give me a rundown. Who is our cast of characters here? Who’s involved internally and helping from the outside?

Greg Lesnewich:

Sure, yeah. I think to get a good understanding, I’ll give the internal major players first, and then broaden our scope and look at who backs them to see where things get interesting. There are two primary belligerents in the country right now. The Hadi regime is the internationally recognized government right now, and they have a large swath of territory on the south and west coasts of the country. They fight the Houthi rebels, who are largely considered to be the rebellious faction, who are largely based in the northwest corner of the country. The Houthis are primarily Shia, and the Hadi regime is primarily Sunni. There are a couple of secondary groups in the country that I’ll also make note of. The Southern Movement, which is a group based in, obviously, southern Yemen that would like to see the old borders from prior to the year 1990 restored when Yemen was actually two countries, North Yemen and South Yemen.

Additionally, in the country, there’s a presence of Al-Qaeda and the Islamic State in varying degrees throughout the last three years, mostly up and down due to a targeted U.S. bombing campaign of those guys, but interestingly, they have signed peace treaties and non-combatant treaties with the Hadi regime, as well as the Southern Movement, often to focus their collective fighting against the Houthi rebels.

Zooming out, we can see where this gets international attention. Yemen has a strategic location in that it can control access in and out of the Red Sea from the Indian Ocean, which ultimately can connect the Indian Ocean to the Mediterranean Sea, so it’s a very important trade route. With that, the Hadi government that hosts, or is the internationally recognized government, rather, is primarily backed by Saudi Arabia, and that is both funding airstrikes, arms, overt political support, and things of that nature, while the Houthi rebels are backed by Iran, and that’s pretty widely known. It’s a little more subversive in Iran’s methods of supporting the group, and arms sales or arms that they’ve donated to the cause have largely been deemed to be illegal with that. The Southern Movement also has backing from the UAE, but has also signed non-combatant treaties with the Hadi regime and the Kingdom of Saudi Arabia.

Interestingly, the collective treaties that they’ve signed — the Hadi regime, southern government or Southern Movement, and Al-Qaeda — have all sort of flown in the face of Saudi’s alliance with the U.S. and their commitment to fight terrorism and battle extremism in the region, which also has the U.S. interests there to not only help or encourage Yemen’s stability, to eliminate the threat of extremism, but also to guarantee international shipping lanes, because a more stable peninsula helps guarantee U.S. enterprise and military stability in the region.

Dave Bittner:

Well, let’s start off by establishing what “normal” would be there, or as close to normal as possible. When Yemen was not in a war situation, what was the state of the internet there?

Winnona DeSombre:

Prior to the civil war, and even during the war today, you have a series of major players. You have TeleYemen, which is one of the larger backbone providers of Yemen, but the main ISP there is a company called YemenNet. It was managed mainly out of Yemen’s capital, Sana’a, and currently still provides a large majority of the IP space to the country. You also have mobile providers who actually use some of the IP space provided by TeleYemen and YemenNet, so really, it’s those two players. After the civil war started and after the Houthis took control of the capital, Sana’a, the Hadi regime that was pushed out decided that they were going to create their own ISP, and just this June, June 2018, they put their own ISP up, AdenNet.

Dave Bittner:

What prompted the creation of that new ISP? Was the civil war causing trouble with the existing infrastructure?

Greg Lesnewich:

Yeah, so interestingly, when the Houthis gained control of YemenNet when they seized the capital, they went on a large campaign of degrading internet service, particularly in a disinformation way, in preventing access to websites that talked about Houthi troop movements or revealed their battle plans or things like that. And also, your classic social media and messaging domains — Skype, Signal, WhatsApp, Twitter, Facebook, those sorts of things — that impacted the Hadi government and ultimately, cut out internet service to a large portion of the country.

I believe they severed 80 percent of the fiber optic cables, some of which were eventually fixed, but it effectively led the Hadi regime to be left out in the dark, and not having internet access that wasn’t either Houthi-controlled or internet access at all, due to the wires being cut. It was this very interesting look at the physical manifestation of a cyber war to say, “Hey, the internet is valuable, and we need access to it enough that we’re going to go work with external third parties, including Saudi Arabia and Chinese companies, to go and create a whole new set of infrastructure in AdenNet to regain access to the internet and somewhat, the outside world.”

I think with that, too, there is an aspect to it that the land holdings in the country largely reflect — control of the internet. And so, interestingly, there is a campaign that Saudi Arabia has encouraged its coalition and allies to take part in — surrounding a city on the western coast of Yemen called Al-Hudaydah. There is one of the major submarine cables that provides internet access and telecommunication access to Yemen that doesn’t cross through a Saudi Arabian border. There are a number of other cable landing sites in the country that are all under the Hadi government control, and so interestingly, if Al-Hudaydah is seized by the Hadi regime, it will effectively cut off the Houthi access to internet, and it will give them access to the direct wires that feed YemenNet that the Houthi rebels currently control.

It’s this very interesting back and forth of the internet as a goal, sort of a collateral damage of, “We now have control of this city. We have control of the internet now by de facto, too, so what do we do with that? Can we maintain it?” A lot of the time, the answer’s been, “No,” and that’s led them to have more brutish — “them” being the Houthis — have a more brutish response to controlling information access there. Then, with the pushback, obviously, they’ve done a lot with their internet access there to prop themselves up online as the legitimate government in Yemen, and a lot of that would be undone if they were to lose access to YemenNet and ultimately, control the internet there.

Dave Bittner:

Take me through what’s going on in terms of their ability to control the information that’s flowing. What are we talking about when it comes to censorship?

Winnona DeSombre:

We were able to find a couple different facets of censorship, and also censorship bypass, in Yemen, the first one being something that you’d think was a little minor, but still counts as subversion of the Hadi government. Because the current Houthi regime has full control of the .ye top-level domain space, they’re able to completely revamp all of the government websites, so most of the current government websites have completely expunged every mention of the previous Hadi regime and show the Houthi government as the legitimate government in Yemen, at least online.

Then, you also have the use of Netsweeper. In 2015, the Citizen Lab pushed out a great report about how the Houthi regime was using Netsweeper to control content, mainly through DNS and web proxies, which this tool specializes in, and we’ve been able to also find remnants of that still online. On the other side, though, you also see traffic originating from Yemen attempting to bypass the censorship, so there are individuals within the country that are fully aware of the censorship efforts, and so you see the use of Tor Browser, and certain VPNs like OpenVPN and IPSEC VPN tunneling. You also see a couple … Oh, not a couple, a very large number, of home and business routers within Yemen using DNS recursion, which would get around the two large caching servers within Yemen that may also be designed to censor content.

Dave Bittner:

What’s the reality of this on the ground, in terms of availability and of how people are actually using the internet? Do they still have access, or what’s the ground truth there?

Winnona DeSombre:

From our research, just to give a little bit of background, dial-up internet was originally introduced to Yemen in 1996, and as of 2017, about a fourth of the population has internet access. That being said, access is fairly relative when you live in a war zone. Yemen ranks as one of the slowest countries … I think the slowest countries in terms of user bandwidth, and due to the airstrikes that are prevalent around the region, certain hosts that could be up one day could be completely obliterated the next.

Dave Bittner:

Is there any shift that you can see in the types of data that’s flowing?

Winnona DeSombre:

One interesting thing that we did see was, in our look at the amount of malware samples present from the country, we saw an interesting increase in VirusTotal samples — from 13 samples between 2015 and 2017, to a whopping 164 from January to October 2018 — and a majority of these are Android-based, suggesting that perhaps a decent number of Yemeni citizens are using mobile as a way to rely on accessing the internet.

Dave Bittner:

Yeah, that’s interesting. Now, would the mobile access still be relying on those submarine trunk lines in and out of the country?

Greg Lesnewich:

Yeah, to some degree. There’s also a number of satellite providers in Yemen that, due to their up-and-down nature and unreliability at finding definitive IPs that they use in Yemen, with Yemeni citizens, we did not take into consideration those things, or the satellite provider specifically. But most of the mobile providers in Yemen specifically use YemenNet, the Houthi-controlled ISP, so most of that seems to flow through submarine cables.

Dave Bittner:

Now, it’s interesting, some of the outside providers that they’ve chosen to partner with to get this secondary system up and running — companies like Huawei, who certainly have a checkered reputation with some other nations around the world.

Winnona DeSombre:

Yes, absolutely. It is very interesting, the choice of Huawei as the main router provider for AdenNet. That being said, China is more than willing to provide these routers, primarily due to its preexisting defense ties with Saudi Arabia. Remember that the Hadi regime has aligned itself with Saudi Arabia within the region, and so that preexisting defense tie with China could come into play, but more realistically, this also ties into China’s wider Belt and Road Initiative, so the massive series of infrastructure projects China has undertaken to project its power globally, and a decent number of their infrastructure projects revolve around the Bab al-Mandeb strait, which is right in between their new military base in Djibouti and the more war-torn areas of Yemen. If the shipping lanes were to be compromised, that would present a larger risk to the Chinese, so their interest in stability within that wider region has to do with their economic and political interest as well.

Dave Bittner:

Now, one of the things that you tracked in the report is some coin mining activities, some crypto coin mining. What did you discover there? I understand this is an ongoing, evolving thing, from the report.

Winnona DeSombre:

We actually found approximately 973 hosts within Yemen using or running a cryptocurrency mining service, Coinhive. Now, this is a JavaScript-based Monero miner released in early 2017, a full two years after the Houthi rebels took control of YemenNet. All 973 hosts are MikroTik routers belonging to YemenNet, and 213 of those hosts share roughly the same domain, dynamic.yemennet.ye, so again, that same .ye TLD that the Houthis have control of.

Of course, this also coincides with a previously reported-upon set of campaigns by Avast in mid-October, in which multiple cryptojacking campaigns, using a widely available exploit leveraging CVE-2018-14847, would allow an attacker to take advantage of the vulnerability and inject JavaScript code in order to run Coinhive on compromised routers. So, while we were able to determine approximately 400 of those routers to be involved in Yemen that were also involved with previously more widely targeted campaigns mentioned in the report, the other half have thus far been left without any link to previous campaigns. A third of those hosts are actually located within Sana’a, the Houthi-held capital, and site keys generated by those accounts have been reused for multiple hosts. Interestingly, while all of the infected routers are part of the YemenNet network, identical MikroTik routers owned by the other backbone provider, TeleYemen, have not been infected.

When you have all of these various data points, there are a couple of things that could be happening here. The first possibility is that the Houthis are possibly using their own hosts and their control of these YemenNet hosts to mine cryptocurrency to provide support, monetarily, to their newly functional regime. They would be able to convert the cryptocurrency into hard currency, which would allow them to provide aid, arms, and ammunition to their forces. On the other hand, because TeleYemen has not been infected, it’s also entirely possible that this was a targeted campaign, perhaps either criminally based to generate funds, or designed to completely slow down the IP space of YemenNet, or the number of hosts to YemenNet, to some sort of a halt. We’re uncertain as to which side is more likely, but either way, it is proof of some individual affecting an important ISP within the region to establish some gain, be it monetarily or militarily.

Dave Bittner:

That’s an interesting wrinkle, the potential for crypto coin mining to be used as a funding source for war.

Winnona DeSombre:

Absolutely. It’s honestly fascinating.

Dave Bittner:

What are the take-homes for you? With the things that you’ve observed here, what sorts of insights do you have on the role that internet access plays in an ongoing conflict like this?

Greg Lesnewich:

I think the first takeaway that I have is that internet access now really, really matters for both, obviously, in-country communication, but also for these groups to either communicate with their allies externally, or publicize, and the activists, and politicize their cause, basically, online. We, with a colleague of ours, Dan O’Keefe, also presented at CyberwarCon about Houthi information operations specifically and methods that they try and supplant or subvert U.S. support for Saudi Arabia and arming the Hadi regime, and so, having internet access, obviously, is key to developing a Twitter campaign like that.

One of the things that I took away from this research was the importance of internet enough that even in a war zone, when life and limb are in short supply, and you’re focused on living day to day, and avoiding airstrikes, and avoiding skirmishes and things like that, even as a normal citizen or a noncombatant, internet access is still important enough that gaining access to it via strategic fighting is important to them, and it’s also important enough that they will establish a new ISP and generate a whole new internet backbone infrastructure to regain access to the internet.

I think it shows its importance as a strategic goal, and I think broadening our scope and looking out further, seeing … I would imagine that we would see, maybe, similar activity in a country like Iraq or a country like Syria, where there is ongoing conflict in a war zone, and also in a country that has not had a high amount of infrastructure or economic development to have a really, really strong internet presence, or, I guess, what you’d call resilient infrastructure. I think that the internet access in Yemen has shown itself as a very basic necessity for people there, both for general communications, but also for information operations, externally and internally, for these groups to legitimize themselves to the outside world. If internet access is cut off strategically, or even temporarily, they have a vested interest in keeping it up so that they can maintain the international community’s attention to their cause and ultimately decide whether or not they are the legitimate government of Yemen.

Dave Bittner:

Our thanks to Recorded Future’s Winnona DeSombre and Greg Lesnewich for joining us.

The research is titled “Underlying Dimensions of Yemen’s Civil War: Control of the Internet.” You can find it on the Recorded Future website.

If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.