Sophisticated Watering Hole Attack

Google’s Project Zero has exposed a sophisticated watering-hole attack targeting both Windows and Android:

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace the sites with code that installs malware on visitors’ devices. The boobytrapped sites made use of two exploit servers, one for Windows users and the other for users of Android

The use of zero-days and complex infrastructure isn’t in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code—­which chained together multiple exploits in an efficient manner—the campaign demonstrates it was carried out by a “highly sophisticated actor.”


The modularity of the payloads, the interchangeable exploit chains, and the logging, targeting, and maturity of the operation also set the campaign apart, the researcher said.

No attribution was made, but the list of countries likely to be behind this isn’t very large. If you were to ask me to guess based on available information, I would guess it was the US—specifically, the NSA. It shows a care and precision that it’s known for. But I have no actual evidence for that guess.

All the vulnerabilities were fixed by last April.

Posted on January 20, 2021 at 6:00 AM5 Comments


ATN January 20, 2021 8:54 AM

… installs malware on visitors’ devices.
All the vulnerabilities were fixed by last April.

… and the malware injected is still in the device, if you are lucky the malware did not modify the BIOS/EFI and only a reformat/re-install Windows from blank disk would work (difficult for secured boot) – or else buy a new phone/PC.

Clive Robinson January 20, 2021 11:18 AM

@ ALL,

If you read through the blog posts from Google Project Zero something of a What! moment occures.

One of the bugs (chrome infinity) had already been found by a group using a fuzzer.

Because the POC for the fuzzer report did not turn the bug into a full exploit the Chromr team marked the bug as being low priority, when in fact it was a high prioroty.


Admittedly even with the code walk through[1] it’s not something that you would immediately spot as exploitable but who ever it was not just fpund the bug they worked out how to exploit it.

@ Bruce,

I would guess it was the US — specifically, the NSA. It shows a care and precision that it’s known for.

It might be from another of the Five-Eyes one of which is known (because of US politicos trade squabbles) to train NSA technicians… In the revealed case the training was on attacking a certain Chinese Telecoms network equipment company.


Soket January 21, 2021 5:45 PM

I sometimes wonder about the 0day window of opportunity and if that isn’t actually being exploited by security services, with high tech top manager alliances. Obviously google project zero researchers are highly skilled and their disclosure efforts seem to reveal a high ethical standard but nevertheless I keep wondering If they couldn’t be being exploited without their knowingless or maybe I’m just too naive. I guess that sets me in the high conspiracy spectrum, but I always have that voice on my head saying “Google Is Evil” given the amount of power and skilled people they have.

Ismar January 21, 2021 11:46 PM

Isn’t the life full of paradoxes- some of the Google security engineers may, in couple of years, end up working for NSA to help with another Zero Day, and perhaps even stranger some of the people who wrote the Zero days may eventually end up at Google or Microsoft

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.