Iran dominates Yemeni cyberspace
Iran's support for the Houthi militias in Yemen has taken all forms and reached all levels, including media, political and military assistance. The support extends to helping the terrorist militias control cyberspace in Yemen.
Recorded Future has observed an increase in the deployment of network control devices on YemenNet, the ISP controlled by Houthi forces. Recorded Future did not observe substantive changes on the Yemen top-level domain (TLD) space, or on either major internet service provider in Yemen.
Recorded Future, via Shodan searches, identified the deployment of two additional Netsweeper devices on YemenNet on two IP addresses: 82.114.160.93 and 82.114.160.94. The device identified on 82.114.160.98 was still up at the time of this analysis. The re-emergence of censorship devices on the Houthi-controlled network may be a sign of momentary stability in Yemen’s conflict, as operators may now have the time and safety to make the devices operational. Houthi forces have previously breached WhatsApp groups, and local contacts indicate that the group continues to have access to private chats, likely via individual mobile compromise or by enticing individuals to provide them data.
Recorded Future could not confirm the ongoing censorship of traffic in Yemen due to Netsweeper installations; this is likely the result of a combination of low volumes of traffic in Yemen and a lack of monitoring capability and visibility within YemenNet. Rapid7’s National Exposure Index found that although Yemeni ASNs have allocated 135,168 IP addresses, only 17,934 addresses were assigned, indicating low usage.
General internet usage appears low in Yemen, as GreyNoise data found only 538 total hosts observed in the country, which is a low number of hosts in a country of Yemen’s size and IP allocation. Comparatively, Shodan detected a total of 44,451 devices in the country, but no data indicates that they are being used.
DomainTools data indicates that there are now 1,184 .ye domains (Yemen’s TLD) — a minor increase of 32 domain purchases. Recorded Future did not observe any of these domain registrations. The TLD remains under the administration of the Houthis and YemenNet. This control of the TLD allows the Houthis to present themselves to the outside internet as the legitimate administrators of Yemen.
Recorded Future observed that in Yemen, with control of the internet infrastructure and the Yemen TLD space, Houthi forces attempted to characterize Yemen as a Houthi country to the outside world. Recorded Future suspects that the Bangladeshi government may be attempting to control the external narrative of the country’s internal affairs in a similar manner as exercised in Yemen.
Kamel al-Khoudany, a leader of the General People's Congress, told THE REFERENCE that the Houthi militias are spying on the calls and messages of users to get information about activists, politicians and ordinary citizens.
“The Houthis have forced telecommunication companies to violate the privacy of Yemenis. The objective is to arrest people,” al-Khoudany said.
“The spying also aims to foil any military action by the Yemeni national army. The Houthis are using the telecommunications and Internet companies to spy on the Yemeni people. This is a clear violation of the law and personal life,” he added.