A long-running Turkish cyber espionage campaign has compromised 25 websites linked to the Kurdish community, exposing sensitive user data and tricking visitors into installing malicious Android applications.
The campaign, dubbed SilentSelfie, has been active for over a year and a half, according to cybersecurity firm Sekoia, which disclosed the full extent of the breach on 25 September.
The attack is believed to have started in December 2022, targeting websites related to Kurdish media, the Kurdish-led Democratic Autonomous Administration of North and East Syria (AANES), and political organisations.
The malicious scripts, deployed in four distinct variants, were designed to collect information such as user locations and images from the device’s selfie camera. Some scripts redirected users to download fake Android applications, which could steal contacts, location data and other personal information.
“The attack was designed to gather sensitive data from users, with the most complex variant capturing images and redirecting selected users to install malicious APKs,” explained security researchers Felix Aimé and Maxime A.
Among the affected websites are major Kurdish news outlets like RojNews, where users were directed to download an app embedded with malicious code. Once installed, the app could secretly collect a range of data, including contact lists, location details and files from the user’s device. The app’s spying features were activated whenever the user opened it, sending information back to a remote server.
Although the exact method of compromising these websites remains unclear, the scale of the attack suggests a coordinated effort, potentially involving a state-backed actor. Researchers have raised the possibility of the Kurdistan Regional Government (KRG) of Iraq being involved, particularly in light of the arrest of RojNews journalist Süleyman Ahmet by KRG’s ruling Kurdistan Democratic Party (KDP) forces last year. However, no definitive attribution has been made.
The KDP, which has been a long-standing ally of Turkey, has played a key role in assisting Turkish military operations in Iraqi Kurdistan, particularly targeting Kurdistan Workers’ Party (PKK) strongholds. However, this alliance has weakened the KDP’s standing within the Kurdish community, as many see the party as complicit in Turkey’s efforts to suppress Kurdish autonomy. Meanwhile, the rival Patriotic Union of Kurdistan (PUK) has gained increasing support, positioning itself as a defender of Kurdish interests against foreign interference. This dynamic may significantly impact the upcoming elections in the KRG, with the PUK potentially benefiting from growing dissatisfaction with the KDP’s policies.
Medya News Targeted by Related Attacks
While it is unclear if Medya News has been directly affected by the SilentSelfie campaign, we have experienced similar attacks in the past. In June, we were alerted to vulnerabilities in our system, prompting immediate security measures to address the issue.
Earlier Turkish Cyber Attacks
This is not the first time Turkish-backed cyber espionage has targeted Kurdish groups. The notorious cyber espionage group ‘Sea Turtle’ has been conducting covert operations against Kurdish opposition in Europe, the Middle East, and North Africa. Since 2017, Sea Turtle has hacked websites and internal networks of organisations in the media, telecommunications and IT sectors connected to the Kurdish liberation movement. Its modus operandi, which involves DNS hijacking, has enabled the group to monitor traffic and access sensitive information.
What this means for website visitors
For visitors to the compromised websites, the risks are substantial. Users’ locations, public IP addresses and even images from their devices could have been stolen. If you were prompted to download an Android app while visiting these sites, you may have unknowingly installed spyware, granting attackers access to your private information.
If you have visited one of these sites—especially from an Android or iPhone device—your data may have been compromised. Kurdish users are particularly vulnerable, as the Turkish government has a long history of conducting cyber espionage against Kurdish groups, viewing them as security threats. The stolen information could be used for surveillance, tracking or even arrests.
Visitors are advised to review the apps installed on their devices and delete any suspicious ones. Checking app permissions, particularly those requesting access to contacts, location or storage, is crucial. If you suspect your device was infected, performing a factory reset may be necessary to remove the malware completely.
Protecting yourself and your website in the future
For users:
Avoid downloading apps from unknown sources, especially those prompted through suspicious links.
Regularly check your device’s permissions to ensure no app is accessing data it shouldn’t.
Use a VPN to mask your IP address when visiting sensitive websites.
Keep software updated on all devices to protect against vulnerabilities.
Use secure browsers and enable settings that block websites from tracking your location and accessing your camera.
For website administrators:
Audit your website’s security regularly to identify potential vulnerabilities that could be exploited by attackers.
Implement SSL/TLS encryption (HTTPS) to secure data transmission on your website.
Use multi-factor authentication for administrative access to prevent unauthorised logins.
Regularly update server software to mitigate the risk of known vulnerabilities being exploited.
Monitor for suspicious scripts or unusual activity on the website, particularly obfuscated code designed to steal user data.
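One way an administrator could automate the script monitoring described above, shown as an added example (not code from this article or from Sekoia's report): it parses a page's HTML, flags scripts loaded from hosts outside an allowlist, and flags inline scripts that touch location or camera APIs, link to APK files, or use common obfuscation constructs. The pattern names, `audit_page`, and the sample pages and hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Behaviour described in the article, plus common obfuscation markers.
SENSITIVE = {
    "geolocation": re.compile(r"navigator\s*\.\s*geolocation"),
    "camera": re.compile(r"getUserMedia"),
    "apk-link": re.compile(r"\.apk\b", re.I),
    "obfuscation": re.compile(
        r"\beval\s*\(|\batob\s*\(|fromCharCode|(?:\\x[0-9a-f]{2}){8,}", re.I),
}

class ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and external script URLs."""
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.external += [v for k, v in attrs if k == "src" and v]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit_page(html, allowed_hosts):
    """Return sorted findings for one HTML document."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = set()
    for src in collector.external:
        host = urlparse(src).hostname  # None for same-site relative paths
        if host and host not in allowed_hosts:
            findings.add(f"external-script:{host}")
    for body in collector.inline:
        findings.update(n for n, rx in SENSITIVE.items() if rx.search(body))
    return sorted(findings)

# Constructed sample pages (not taken from any real site).
CLEAN = '<html><script src="/js/app.js"></script><p>News</p></html>'
TAMPERED = ('<script src="https://stats.example.net/t.js"></script>'
            '<script>navigator.geolocation.watchPosition(eval(atob("MQ==")))</script>')
```

A finding is a prompt for manual review, not proof of compromise: legitimate pages also use these APIs, so compare results against a known-good copy of the site.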
Moving forward, Kurdish media and political organisations must remain vigilant, given the long history of cyber espionage against the Kurdish community. By adopting proactive security measures, website administrators can reduce the risk of future attacks and help safeguard their visitors’ privacy.







