Kaspersky Lab researchers have uncovered a new wave of targeted attacks, dubbed ‘Operation Ghoul’, against industrial and engineering companies around the world. The crime group uses spear-phishing emails and malware based on a commercial spyware kit in order to access valuable business data stored in the victims’ networks.
Over 130 organisations from 30 countries have been successfully attacked thus far.
The researchers uncovered the hack in June 2016, when they spotted a wave of spear-phishing emails with malicious attachments. These were sent mostly to top and middle-level managers in industrial and engineering companies. The emails appeared to be coming from a bank in the UAE, and looked like payment advice from the bank with an attached SWIFT document. This document contained malware. Upon further research, Kaspersky determined that the criminal group was one that they had been tracking since March 2015, and this was merely their latest attack.
According to the researchers, the malware in the attachment is based on the HawkEye commercial spyware, which is sold on the dark web. After installation it collects data from the victim’s PC such as:
- Keystrokes
- Clipboard data
- FTP server credentials
- Account data from browsers
- Account data from messaging clients
- Account data from email clients
- Information about installed applications
This data is then sent to the group’s command and control servers. Based on information received from sinkholing some of those command and control servers, Kaspersky has determined that the majority of victims are companies in the industrial and engineering sectors. Other victims include shipping, pharmaceutical, manufacturing and trading companies, as well as educational organisations.
Any valuable information found is sold on the black market, according to the researchers.
“Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts,” said Mohammad Amin Hasbini, security expert at Kaspersky Lab.
“Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks will sadly suffer.”
To protect your company from Operation Ghoul and other similar threats, Kaspersky Lab recommends the following:
- Educate your staff so they are able to distinguish a spear-phishing email or a phishing link from real emails and links
- Use a proven corporate-grade security solution, in combination with anti-targeted attack solutions, capable of catching attacks by analysing network anomalies
- Provide your security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as indicators of compromise and YARA rules
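As an added illustration of the last two recommendations (this is example code written for this article, not Kaspersky Lab’s tooling and not an Operation Ghoul indicator), the script below triages inbound mail for the lure pattern described above: a bank-style "payment advice" with a SWIFT-themed attachment that is really an executable. The scoring heuristics, thresholds, sender domains and the three sample messages are all constructed assumptions chosen to show how such detection logic is put together; a real deployment would draw its indicators from the threat intelligence feed the article refers to.

```python
"""Triage inbound email for payment-advice lures carrying executable attachments.

Added example, not Kaspersky Lab code. Every heuristic, weight and sample
message here is an assumption made for illustration, not an Operation Ghoul IoC.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# File types that should never arrive as a bank's "payment advice" (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs",
                   ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".jar", ".lnk"}
# Document-looking extensions an attacker may put in front of the real one.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".ace", ".iso", ".img"}
# Lure vocabulary and free-webmail domains (constructed for this example).
LURE_TERMS = ("payment advice", "swift", "remittance", "wire transfer", "mt103")
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


@dataclass
class Email:
    sender: str                      # address in the From header
    display_name: str                # human-readable name in the From header
    subject: str
    attachments: List[str] = field(default_factory=list)
    reply_to: str = ""               # Reply-To address, if any


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _extensions(name: str) -> List[str]:
    # "SWIFT_Advice.pdf.exe" -> [".pdf", ".exe"]
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def score_email(mail: Email) -> Tuple[int, List[str]]:
    """Return a risk score and the human-readable reasons behind it."""
    score, reasons = 0, []
    text = f"{mail.subject} {' '.join(mail.attachments)}".lower()
    if any(term in text for term in LURE_TERMS):
        score += 1
        reasons.append("payment/SWIFT lure wording")
    for name in mail.attachments:
        exts = _extensions(name)
        if not exts:
            continue
        last = exts[-1]
        if last in EXECUTABLE_EXTS:
            score += 3
            reasons.append(f"executable attachment: {name}")
            # A document extension in front of the executable one hides the type.
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                score += 2
                reasons.append(f"double extension hides file type: {name}")
        elif last in ARCHIVE_EXTS:
            score += 1
            reasons.append(f"archive attachment needs inspection: {name}")
    sender_dom = _domain(mail.sender)
    if mail.reply_to and _domain(mail.reply_to) != sender_dom:
        score += 2
        reasons.append("Reply-To domain differs from From domain")
    if "bank" in mail.display_name.lower() and sender_dom in WEBMAIL_DOMAINS:
        score += 2
        reasons.append("bank display name but free-webmail sender")
    return score, reasons


def verdict(score: int) -> str:
    """Map a score to an action; thresholds are assumptions for this example."""
    if score >= 5:
        return "quarantine"
    if score >= 2:
        return "review"
    return "deliver"


# Constructed sample messages; domains use the reserved .test TLD.
SAMPLE_EMAILS = [
    Email(sender="example.gulf.bank@gmail.com", display_name="Example Gulf Bank",
          subject="Payment Advice - SWIFT copy",
          attachments=["SWIFT_Payment_Advice.pdf.exe"]),
    Email(sender="notifications@example-bank.test", display_name="Example Bank",
          subject="Payment advice", attachments=["payment_advice_2016-06.pdf"]),
    Email(sender="accounts@supplier.test", display_name="Accounts",
          subject="Invoice", attachments=["invoice.zip"],
          reply_to="accounts@otherdomain.test"),
]


def triage_all(emails: List[Email] = SAMPLE_EMAILS) -> List[str]:
    """Return the verdict for each message, in order."""
    return [verdict(score_email(m)[0]) for m in emails]


if __name__ == "__main__":
    for mail in SAMPLE_EMAILS:
        score, reasons = score_email(mail)
        print(f"{verdict(score):10s} score={score} {mail.subject!r}: {', '.join(reasons)}")
```

The first sample message trips four heuristics at once (lure wording, executable, hidden double extension, bank name on a webmail sender) and is quarantined; the genuine-looking advice from the bank’s own domain only matches the lure vocabulary and is delivered; the archive with a mismatched Reply-To lands in the review queue, which is where an analyst would apply the YARA rules and indicators the recommendation mentions.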