8/17/2016 05:08 PM

Operation Ghoul Targets Industrial, Engineering Companies In 30 Countries

Attack campaign appears to be more about financial gain than industrial theft or sabotage, however.

A new wave of targeted attacks against mostly small- and midsized businesses in the engineering and industrial sectors worldwide has hit some 130 organizations thus far.

Operation Ghoul, the name researchers at Kaspersky Lab have given the attacks, uses a combination of off-the-shelf malware tools and spear-phishing emails to infiltrate systems and steal data from them, the security firm said in an alert this week detailing its discovery.

Kaspersky Lab says it has so far identified a total of 130 organizations across 30 countries that have fallen victim to the campaign, many of them in the Middle East, where Operation Ghoul appears to be most active.

While the targeting of organizations in the industrial and engineering sectors typically would suggest that cyber espionage or sabotage is the primary motive, Operation Ghoul appears to be more focused on financial gain. 

“Since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties,” said Mohamad Amin Hasbini, a senior security researcher at Kaspersky Lab, on the company’s blog.

The Operation Ghoul campaign appears to have started in March 2015, using spear-phishing emails with malicious attachments from HawkEye, an underground provider of a wide range of ready-to-use malware tools.

The compressed executables used by Operation Ghoul include keystroke loggers and tools for stealing passwords, FTP server credentials, clipboard data, and user account data from browsers and certain messaging and email clients.

Information gathered from compromised systems is sent to a remote command-and-control server, from where it is harvested and sold on the black market. The server's IP address belongs to a system running multiple malware campaigns, Hasbini said.

In addition to engineering and industrial companies, Operation Ghoul has also targeted manufacturing, pharmaceutical, and education organizations in countries like the United Arab Emirates, Egypt, Saudi Arabia, Pakistan, Germany, and Spain.

The most recent attacks have been more focused in nature, and directed at organizations in specific countries. About 70 percent of the attacks that Kaspersky Lab researchers observed in June, for instance, targeted organizations in the United Arab Emirates. Most of the email lures there included a malicious attachment purporting to be from a major UAE bank.

Though the malware used in the attacks is fairly simple, Operation Ghoul has for the most part been successful in its attacks, Hasbini noted.

Attacks on industrial and engineering companies often are focused on gaining access to critical industrial control systems or for stealing intellectual property and trade secrets for competitive gain. In many cases, the threat actors behind such campaigns have been nation-state actors and organized cyberattack groups.

But Operation Ghoul has taken a different tack. Unlike highly targeted attacks by state-sponsored actors, the group behind Operation Ghoul might attack any company, Kaspersky Lab said. “Companies that are not prepared to spot the attacks will sadly suffer,” Hasbini said.

Hasbini, meanwhile, has posted indicators of compromise on the Kaspersky Lab blog that organizations can use to check their systems for possible infection.
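The two checks a defender would want to run against the campaign as described above are (1) inspecting inbound compressed attachments for executables hiding behind document-looking names, and (2) matching file hashes and outbound connections against the published indicators of compromise. The script below is an added illustration of both checks, not code from the article or from Kaspersky Lab. It assumes a zip attachment and key=value proxy log lines; the IoC hash and the C2 address (a TEST-NET placeholder) are constructed stand-ins, not the real indicators, which must be taken from the Kaspersky Lab blog post.

```python
import hashlib
import io
import zipfile

# Extensions that should never arrive inside an "invoice" or "bank statement" archive.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs")


def sha256(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample payload: a fake PE stub (MZ magic) standing in for a HawkEye
# executable. Its hash is used as a placeholder IoC; replace with the published hashes.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed-sample"
IOC_SHA256 = {sha256(SAMPLE_PAYLOAD)}

# Placeholder C2 address from TEST-NET-3 (RFC 5737); substitute the published one.
IOC_C2_HOSTS = {"203.0.113.45"}

# Constructed proxy log lines in a simple key=value format (not real traffic).
SAMPLE_LOGS = [
    "2016-06-12T09:14:03Z src=10.0.0.21 dst=198.51.100.7 dport=443 action=allow",
    "2016-06-12T09:15:41Z src=10.0.0.21 dst=203.0.113.45 dport=80 action=allow",
    "2016-06-12T09:16:02Z src=10.0.0.33 dst=203.0.113.45 dport=21 action=allow",
]


def build_sample_attachment():
    """Construct an in-memory zip: a double-extension executable plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", SAMPLE_PAYLOAD)
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


def inspect_compressed_attachment(blob, ioc_hashes):
    """Return one finding per suspicious member of a zip attachment.

    A member is flagged for an executable extension, a double extension
    (invoice.pdf.exe), a PE 'MZ' magic, or a hash match against the IoC set.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            digest = sha256(data)
            name = info.filename.lower()
            reasons = []
            if name.endswith(EXECUTABLE_EXTENSIONS):
                reasons.append("executable extension inside archive")
                if name.count(".") > 1:
                    reasons.append("double extension (e.g. .pdf.exe)")
            if data[:2] == b"MZ":
                reasons.append("PE header (MZ) magic")
            if digest in ioc_hashes:
                reasons.append("sha256 matches published IoC")
            if reasons:
                findings.append({"name": info.filename, "sha256": digest, "reasons": reasons})
    return findings


def scan_proxy_logs(lines, c2_hosts):
    """Return hits for log lines whose dst= field is a known C2 host."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        if fields.get("dst") in c2_hosts:
            hits.append({"time": line.split()[0], "src": fields.get("src"), "dst": fields["dst"]})
    return hits


if __name__ == "__main__":
    for f in inspect_compressed_attachment(build_sample_attachment(), IOC_SHA256):
        print("attachment finding:", f)
    for h in scan_proxy_logs(SAMPLE_LOGS, IOC_C2_HOSTS):
        print("C2 contact:", h)
```

Hash matching alone is brittle because a re-packed sample changes the digest, which is why the attachment check also keys on structural signals (extension, double extension, MZ magic) that survive trivial recompilation; the log scan identifies which internal hosts contacted the C2 address and therefore need triage.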

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
