Written by Sean Lyngaas

The war in Yemen has been accompanied by a digital conflict in which combatants have used surveillance and cryptocurrency to their strategic advantage, new research shows.

“[T]he dynamics of the Yemeni civil war are manifesting themselves online through a struggle over Yemeni access, use, and control of the internet,” Boston-based Recorded Future wrote in a blog post about the research on Wednesday.

As the Yemeni conflict gains greater attention in Washington, the research highlights how cyber-operations have become intrinsic to kinetic wars. In Yemen, the internet has become “another front,” Recorded Future threat intelligence analyst Allan Liska told CyberScoop.

The conflict, which has left tens of thousands of people dead and created a widespread famine, has been fought by Houthi rebels, backed by Iran, and the Hadi government, supported by Saudi Arabia. U.S. intelligence and weapons have been used by the Saudi-led coalition.

The new research highlights the digital portion of the conflict. When the Houthis seized Yemen’s capital of Sanaa in 2014, they also took control of the country’s internet backbone, updating Yemeni government websites to reflect their agenda.

“Seizing control of the internet assets lends a legitimacy to the Houthi forces that otherwise wouldn’t be there,” Liska told CyberScoop. “They’re still not internationally recognized, but within country they have that legitimacy.”

To counter the Houthi-controlled YemenNet, the Hadi government set up their own internet service provider (ISP), known as AdenNet, in June.

Recorded Future’s study of both ISPs turned up vulnerabilities that were ripe for exploitation. For example, YemenNet had a firmware backdoor in a router made by Chinese company Tenda.

“If the name server is connected to other infrastructure within YemenNet, which it is likely to be, both state and non-state attackers could leverage this backdoor to infiltrate the ISP,” the researchers wrote in a blog.

The inception of AdenNet coincided with a spike in software samples from Yemen that were submitted to the VirusTotal platform. While just 13 such samples were found between 2015 and 2017, 164 samples showed up in 2018, about half of which were malicious. Researchers did not find a clear cause for that swell in malware, but said it could be because of greater threat activity or the fact that AdenNet increased internet connectivity in Yemen.

Winnona DeSombre, a threat intelligence researcher at Recorded Future, told CyberScoop that it is unclear if the malware observed has been used for either criminal or espionage purposes in Yemen. However, “the intent for criminals to take advantage of people in a warzone, as well as nation-states to do espionage … is there,” she said.

The Yemeni war has featured other modern cybertools such as cryptocurrency. As the conflict grinds through its fourth year, evidence suggests that the Houthi rebels have turned to cryptocurrency to raise money. The Recorded Future team found 973 hosts of the Coinhive mining service on YemenNet, the majority of which are based in the Houthi stronghold of Sanaa.

DeSombre compared the Houthi cryptocurrency scheme to those of the North Korean government.

“This is another particularly internationally isolated regime trying to use alternative currencies to bolster themselves economically,” DeSombre said at CYBERWARCON conference in Arlington, Virginia, where Recorded Future presented its research.