The Financial Motive Behind Houthi Spyware Hacks

July 16, 2024
Ari Heistein  —  Non-Resident Fellow

Since 2023, the Counter Extremism Project has augmented its resources on the Houthi terrorist group and its leaders by releasing a series of reports highlighting key aspects of the organization’s functionality and operations: a structure that allows the Houthis to procure weapons and ammunition, suppress women, journalists, and religious minorities, systematically divert humanitarian aid, and exploit Yemen’s telecommunication infrastructure as a source of revenue and intelligence. This new blog series on the Houthi movement will highlight the key points of CEP’s larger analysis.

This first entry analyses the misuse of spyware by the Houthis, targeting humanitarian organizations in Yemen.

The Houthis’ absolute authority over telecommunications infrastructure in the areas under their control in Yemen provides them with surveillance capabilities that are supplemented by the deployment of spyware to target both their regional adversaries as well as international humanitarian organizations. Spyware is used by the Houthis to hack mobile devices themselves, allowing access to: on-device information that has not been sent over Houthi-controlled networks; the encrypted communications content which cannot be collected using traditional wiretap methods; and device sensors (microphone, camera) which collect real-time intelligence on the targets. Recent reports by Recorded Future and Lookout indicate that this aspect of the Houthi surveillance threat is growing.

While Lookout exposed Houthi efforts to hack mobile devices associated with military targets, in particular in Yemen, Saudi Arabia, Egypt, and Oman, Recorded Future identified instances of spyware use against humanitarian workers operating in Yemen. In both cases, the group appears to be using modified versions of commodity spyware rather than its own homegrown cyber tools, but seems to be using separate tools for the two different types of targets. While Recorded Future had previously identified instances where humanitarian workers were targeted by a Houthi threat actor which it termed OilAlpha, in the latest report the cyber intelligence firm noted that the list of Houthi targets has expanded to include the Norway Refugee Council and possibly the United Nations (UN) or the World Food Program (WFP).

The report of increasingly aggressive surveillance of humanitarian organizations comes just weeks after dozens of employees of the United Nations and international organizations were arrested by the Houthis on trumped-up charges that they are undermining the terror group in coordination with U.S. and Israeli foreign intelligence agencies. These mass arrests were the culmination of a set of policies by the international community that have not sufficiently challenged the Houthis’ systematic interference in humanitarian work over the past decade. In particular, the lack of any significant consequences following the Houthis’ arrest of Save the Children employee Hisham al-Hakimi, and his subsequent death in Houthi custody in 2023, has given an impression of impunity and failed to deter further targeting of aid workers. Indeed, long before it had the ability to collect data via spyware, the Security and Intelligence Service (SIS), the intelligence arm of the Houthis, launched low-tech efforts to gather intelligence on UN and other international organizations—operations which included recruiting women to develop kompromat on aid workers.

While the latest report by Recorded Future plays an important role in exposing the worrying rise of Houthi hacking, it does not fully contextualize the use of spyware against aid workers. For example, the report states that “as we have not identified a financial motive for this activity, we suspect OilAlpha’s operations to be highly likely associated [sic] with pro-Houthi surveillance activity.” But it is impossible to disentangle Houthi surveillance of humanitarian organizations from their efforts to control and extort them. 

Based on findings from the latest CEP report on Houthi diversion of humanitarian assistance, the terror group’s Supreme Council for the Management and Coordination of Humanitarian Affairs and International Cooperation (SCMCHA) is the primary interface for UN and other international humanitarian organizations operating in Yemen, while SIS serves as SCMCHA’s enforcers. What this means in practice is that SIS collects intelligence on these humanitarian operators through a variety of different means and then uses this information, along with the threat of harm to humanitarian projects or aid workers, in order to extract concessions for personal enrichment or to line the terror group’s coffers. Presumably, OilAlpha’s efforts to hack the phones of aid workers were done in coordination with the ongoing SIS effort to monitor and terrorize aid workers. So while the malicious applications used to hack humanitarian employees may not have directly drained any bank accounts, they are part of a larger, ongoing extortion campaign targeting humanitarian organizations in Yemen.

It is precisely because of this ongoing Houthi pressure campaign against aid workers in Yemen that many of the recommendations included in the latest CEP report emphasize the importance of introducing greater transparency and oversight for humanitarian assistance in Yemen. The research for this report could not identify any humanitarian organization operating in Yemen that indicated the amount of aid diverted by the Houthis, and most organizations appeared to minimize the problem in their audits and annual reports. The failure of the international community to demand greater oversight and transparency from aid organizations makes it all too easy for humanitarian organizations to concede to Houthi threats. This situation bears the risk of ever greater diversion of aid funds by the Houthis. 

Requiring greater transparency and oversight of methods of aid allocation and delivery in Yemen would reduce the temptation faced by humanitarian organizations to accommodate Houthi demands. The report outlines that over the past decade, humanitarian organizations in Yemen have agreed to pay monthly salaries to Houthi officials, used the Houthis’ preferred, affiliated implementation partners (creating additional routes for aid diversion), conducted procurement on behalf of the Houthis, and even included senior SIS officials on the staff of UN projects.

Some argue that aid delivery to Yemen’s neediest is still necessary, even if significant amounts are diverted. However, at minimum, donors should be made fully aware of this situation and provided with the respective data indicating the amount that actually ends up in Houthi coffers. In addition, even in the unlikely event that humanitarian organizations have provided accurate diversion statistics to government donors in confidence, it is worth recalling that Western governments (U.S., UK, Germany, etc.) are using taxpayer funds to support humanitarian work in Yemen. Taxpayers in donor countries – those who are ultimately footing the bill – should also have the right to any previously undisclosed information on Houthi aid diversion in Yemen. Taxpayers, donors, and humanitarian organizations should remain conscious of the fact that aid diverted to the Houthis fuels the operations of a terrorist group: one that oppresses the population under its control and is increasingly disrupting international shipping in the Red Sea.

Some who work in the field of humanitarian assistance fear that transparency will frighten donors, enrage taxpayers, and ultimately hinder their efforts. Moral certainty about the value of those efforts can cause workers to brush aside concerns about transparency, and this in turn leads to a lack of accountability, all while the Houthis continue to harass and extort aid workers. But minimizing or failing to disclose the full extent of Houthi aid diversion not only deceives donors, it also provides cover for a brutal terrorist organization—effectively aggravating and prolonging the humanitarian crisis they so desperately wish to resolve.

 
