Watering Hole Attack
Definition
A watering hole attack is a targeted cyberattack where attackers infect websites frequently visited by intended victims, waiting for those victims to visit the compromised site. The name refers to predators waiting at a watering hole for prey.
How does a watering hole attack work?
The attacker identifies websites popular with the target: industry portals, trade websites, supplier sites or specialist forums. The attacker then compromises the website through a CMS vulnerability, web server flaw or plugin exploit. Malicious code is placed on the compromised page, infecting visitors via drive-by downloads, browser exploits or social engineering. Malware can be selectively delivered: only visitors from specific IP ranges or organisations are targeted, reducing detection chances.
Notable watering hole attacks
The attack on the Polish Financial Supervision Authority website (2017) targeted bank employees. The Havex campaign compromised industrial control system vendor websites to infiltrate OT environments. APT groups such as APT10 and OceanLotus regularly use watering hole attacks in espionage campaigns.
Impact on organisations
Watering hole attacks are particularly difficult to detect because the compromised website is a legitimate, trusted source. Employees visit the site as part of normal work and are infected without taking suspicious actions. The attack may use zero-day exploits. NIS2 requires adequate web security and threat monitoring.
Protection
Keep browsers and plugins updated to close known exploits. Use browser sandboxing and web content filtering. Implement DNS filtering that blocks known malicious domains. Monitor outbound traffic for suspicious connections made shortly after website visits. Network detection and response (NDR) can flag anomalous traffic. Threat intelligence identifies compromised websites.
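The monitoring advice above (watch outbound traffic in the minutes after a visit to a sector-relevant site) can be turned into a simple correlation rule. The following is an added example written for this page, not DEFION's own tooling or code from any product: it reads constructed proxy log lines in an assumed "timestamp host destination" format, keeps a hypothetical watchlist of sector websites and a baseline of domains the organisation normally contacts, and raises an alert when a host contacts a domain outside that baseline within a short window after visiting a watched site.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample proxy log (not real traffic): "ISO timestamp  source host  destination domain"
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-alice portal.example-industry.test
2024-03-01T09:00:03 ws-alice cdn.example-industry.test
2024-03-01T09:00:41 ws-alice updates.unknown-host.test
2024-03-01T09:05:00 ws-bob portal.example-industry.test
2024-03-01T09:05:02 ws-bob cdn.example-industry.test
2024-03-01T09:30:00 ws-carol news.other-site.test
2024-03-01T09:31:10 ws-carol updates.unknown-host.test
"""

# Assumptions for the example: sector sites worth watching, and the domains
# the fleet is known to contact during normal work (the "baseline").
WATCHED_SITES = {"portal.example-industry.test"}
BASELINE_DOMAINS = {
    "portal.example-industry.test",
    "cdn.example-industry.test",
    "news.other-site.test",
}
WINDOW = timedelta(seconds=120)  # how long after a watched visit we correlate


def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, host, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, dest))
    events.sort()
    return events


def find_suspect_followups(events, watched=WATCHED_SITES,
                           baseline=BASELINE_DOMAINS, window=WINDOW):
    """Alert when a host reaches a non-baseline domain shortly after visiting a watched site.

    A visit to a watched site on its own is normal work; the signal is the
    unfamiliar destination that follows it, which is what a second-stage
    payload or command-and-control channel would look like in proxy logs.
    """
    last_watched_visit = {}  # host -> (timestamp, watched site)
    alerts = []
    for ts, host, dest in events:
        if dest in watched:
            last_watched_visit[host] = (ts, dest)
            continue
        if dest in baseline:
            continue  # known-good destination, nothing to correlate
        visit = last_watched_visit.get(host)
        if visit is None:
            continue
        visit_ts, visit_site = visit
        delta = ts - visit_ts
        if delta <= window:
            alerts.append({
                "host": host,
                "visited": visit_site,
                "then": dest,
                "seconds_after": int(delta.total_seconds()),
            })
    return alerts


def followup_domain_counts(alerts):
    """Count how many distinct hosts hit each novel domain after a watched visit.

    The same novel domain showing up across several hosts strengthens the case
    that the watched site is serving something it should not.
    """
    return Counter(a["then"] for a in alerts)


if __name__ == "__main__":
    found = find_suspect_followups(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a['host']} visited {a['visited']} then contacted {a['then']} "
              f"after {a['seconds_after']}s")
    print(followup_domain_counts(found))
```

In the sample, only ws-alice triggers: it visits the watched portal and 41 seconds later contacts a domain nobody in the baseline knows. ws-carol reaches the same unfamiliar domain but without a preceding watched visit, so the per-host rule stays quiet; in production that cross-host overlap would be the next thing to look at, which is why the example also tallies novel domains across all alerts.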
How DEFION helps
DEFION monitors via Managed Threat Intelligence for indicators of compromised websites relevant to the client's sector. The SOC team detects suspicious traffic that may indicate a watering hole infection.