8/17/2016 05:08 PM
Operation Ghoul Targets Industrial, Engineering Companies In 30 Countries

Attack campaign appears to be more about financial gain than industrial theft or sabotage, however.

A new wave of targeted attacks against mostly small and midsized businesses in the engineering and industrial sectors worldwide has hit some 130 organizations so far.

Operation Ghoul, the name researchers at Kaspersky Lab have given the attacks, uses a combination of off-the-shelf malware tools and spear-phishing emails to infiltrate systems and steal data from them, the security firm said in an alert this week detailing its discovery.

Kaspersky Lab says it has so far identified 130 victim organizations across 30 countries, many of them in the Middle East, where Operation Ghoul appears to be most active.

While the targeting of organizations in the industrial and engineering sectors would typically suggest cyber espionage or sabotage as the primary motive, Operation Ghoul appears to be focused on financial gain.

“Since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties,” said Mohamad Amin Hasbini, a senior security researcher at Kaspersky Lab, on the company’s blog.

The Operation Ghoul campaign appears to have started in March 2015, using spear-phishing emails whose malicious attachments are built with HawkEye, malware sold in underground markets as part of a range of ready-to-use attack tools.

The attachments are compressed executables that include keystroke loggers and tools for stealing passwords, FTP server credentials, clipboard data, and account data from browsers and certain messaging and email clients.

Information gathered from compromised systems is sent to a remote command-and-control server, from where it is harvested and sold on the black market. The server’s IP address belongs to a system that is hosting multiple malware campaigns, Hasbini said.

In addition to engineering and industrial companies, Operation Ghoul has also targeted manufacturing, pharmaceutical, and education organizations in countries like the United Arab Emirates, Egypt, Saudi Arabia, Pakistan, Germany, and Spain.

The most recent attacks have been more focused, directed at organizations in specific countries. About 70 percent of the attacks that Kaspersky Lab researchers observed in June, for instance, targeted organizations in the United Arab Emirates. Most of the email lures there carry a malicious attachment purporting to come from a major UAE bank.

Though the malware used in the attacks is fairly simple, Operation Ghoul has for the most part been successful, Hasbini noted.

Attacks on industrial and engineering companies often focus on gaining access to critical industrial control systems or on stealing intellectual property and trade secrets for competitive gain. In many cases, the threat actors behind such campaigns have been nation-state actors and organized cyberattack groups.

But Operation Ghoul has taken a different tack. Unlike highly targeted attacks by state-sponsored actors, the group behind Operation Ghoul might attack any company, Kaspersky Lab said. “Companies that are not prepared to spot the attacks will sadly suffer,” Hasbini said.

Hasbini has also posted indicators of compromise (file hashes, domains, and IP addresses) on the Kaspersky Lab blog that organizations can use to check their systems and network logs for signs of infection.
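The kind of sweep such an indicator list enables, as an added example that is not Kaspersky Lab's or this article's code: hash every file under a directory against a SHA-256 list, flag archived executables that slipped past the hash list, and match proxy-log lines against known command-and-control hosts and addresses. The hashes, hostnames, addresses, sample dropper bytes and log lines below are constructed placeholders, not the real Operation Ghoul indicators; a practitioner would substitute the published list.

```python
"""Check a file tree and a proxy log against a list of indicators of compromise.

Added example, not Kaspersky Lab's code. Every indicator below is a
constructed placeholder, not an Operation Ghoul IOC.
"""
import hashlib
import os
import re
import tempfile

# --- Constructed IOC list (placeholders) -----------------------------------
# Sample "dropper" bytes; a real IOC list would carry the SHA-256 of the
# actual sample. Computing it here keeps the example self-contained.
SAMPLE_DROPPER = b"MZ\x90\x00constructed-sample-dropper-not-real-malware"
IOC_SHA256 = {hashlib.sha256(SAMPLE_DROPPER).hexdigest()}
IOC_HOSTS = {"update-check.example"}   # .example is a reserved TLD (RFC 2606)
IOC_IPS = {"203.0.113.7"}              # TEST-NET-3 documentation range

# The lure described in the article is an executable inside an archive.
# Extension hits are leads to triage, not proof of compromise.
SUSPICIOUS_EXT = {".exe", ".scr", ".pif", ".com"}

# Constructed proxy log: timestamp, client, method, target, status.
SAMPLE_PROXY_LOG = [
    "2016-06-14T09:12:01Z 10.0.0.15 GET http://www.example.org/ 200",
    "2016-06-14T09:12:09Z 10.0.0.15 CONNECT cdn.update-check.example:443 200",
    "2016-06-14T09:12:40Z 10.0.0.22 POST http://203.0.113.7/gate.php 200",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_hashes=IOC_SHA256):
    """Return (relative path, reason) for each file matching a hash IOC
    or carrying a suspicious extension. Hash hits take precedence."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if sha256_file(path) in ioc_hashes:
                hits.append((os.path.relpath(path, root), "sha256-ioc"))
            elif ext in SUSPICIOUS_EXT:
                hits.append((os.path.relpath(path, root), "exe-extension"))
    return hits


def host_matches(host, ioc_hosts):
    """True if host is an IOC host or any subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ioc_hosts)


def scan_proxy_log(lines, ioc_hosts=IOC_HOSTS, ioc_ips=IOC_IPS):
    """Return (1-based line number, indicator) for lines that reach an IOC
    address or host. A line can yield more than one hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in ioc_ips:
                hits.append((n, ip))
        for host in HOST.findall(line):
            if host_matches(host, ioc_hosts):
                hits.append((n, host))
    return hits


def demo():
    """Build a throwaway tree with one clean file and one IOC hit, scan it,
    then scan the constructed proxy log. Returns both hit lists."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "invoice.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed clean document")
        with open(os.path.join(root, "invoice.pdf.exe"), "wb") as f:
            f.write(SAMPLE_DROPPER)
        file_hits = scan_tree(root)
    log_hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    return file_hits, log_hits


if __name__ == "__main__":
    files, log = demo()
    print("file hits:", files)
    print("log hits: ", log)
```

Hash matches are exact and cheap; the extension check and the subdomain match on hosts are there because a published IOC list ages quickly, and a campaign that re-packs its samples or rotates subdomains would otherwise slip through a hash-only sweep.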

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
