Attacks/Breaches

8/17/2016 05:08 PM
‘Operation Ghoul’ Targets Industrial, Engineering Companies In 30 Countries

Attack campaign appears to be more about financial gain than industrial theft or sabotage, however.

A new wave of targeted attacks against mostly small- and midsized businesses in the engineering and industrial sectors worldwide has hit some 130 organizations thus far.

Operation Ghoul, the name researchers at Kaspersky Lab have given the attacks, uses a combination of off-the-shelf malware tools and spear-phishing emails to infiltrate systems and steal data from them, the security firm said in an alert this week detailing its discovery.

Kaspersky Lab has so far identified a total of 130 organizations across 30 countries that have fallen victim to the campaign, many of them in the Middle East, where Operation Ghoul appears to be most active.

While the targeting of organizations in the industrial and engineering sectors typically would suggest that cyber espionage or sabotage is the primary motive, Operation Ghoul appears to be more focused on financial gain. 

“Since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties,” said Mohamad Amin Hasbini, a senior security researcher for Kaspersky Lab, on the company’s blog.

The Operation Ghoul campaign appears to have started in March 2015, using spear-phishing emails with malicious attachments from HawkEye, an underground provider of a wide range of ready-to-use malware tools.

The compressed executables used by Operation Ghoul include keystroke loggers and tools for stealing passwords, FTP server credentials, clipboard data, and user account data from browsers and certain messaging and email clients.

Information gathered from compromised systems is sent to a remote command-and-control server, from where it is harvested and sold on the black market. The server's IP address belongs to a system running multiple malware campaigns, Hasbini said.

In addition to engineering and industrial companies, Operation Ghoul has also targeted manufacturing, pharmaceutical, and education organizations in countries like the United Arab Emirates, Egypt, Saudi Arabia, Pakistan, Germany, and Spain.

The most recent attacks have been more focused in nature, and directed at organizations in specific countries. About 70% of the attacks that Kaspersky Lab researchers observed in June, for instance, targeted organizations in the United Arab Emirates. A majority of the email lures there include a malicious attachment purporting to be from a major UAE bank.

Though the malware used in the attacks is fairly simple, Operation Ghoul has for the most part been successful in its attacks, Hasbini noted.

Attacks on industrial and engineering companies often focus on gaining access to critical industrial control systems or on stealing intellectual property and trade secrets for competitive gain. In many cases, the threat actors behind such campaigns have been nation-state actors and organized cyberattack groups.

But Operation Ghoul has taken a different tack. Unlike highly targeted attacks by state-sponsored actors, the group behind Operation Ghoul might attack any company, Kaspersky Lab said. “Companies that are not prepared to spot the attacks will sadly suffer,” Hasbini said.

Hasbini, meanwhile, has posted indicators of compromise on the Kaspersky Lab blog that organizations can use to check their systems for possible infection.
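The kind of check the paragraph above refers to, as an added example that is not part of the article and is not Kaspersky Lab's code: a defender loads a published indicator list (file hashes, command-and-control IP addresses and domains) and matches it against file hashes and proxy/DNS log lines from their own environment. Every indicator, log line and file below is a constructed placeholder for illustration; the real Operation Ghoul indicators are on the Kaspersky Lab blog and are not reproduced here. The CSV feed layout, the `key=value` log format and the function names are assumptions of this example.

```python
"""
Added example (not from the Dark Reading article or Kaspersky Lab): a small
IoC-matching routine of the kind a defender would run against a published
indicator list. All indicator values, log lines and file contents below are
constructed placeholders, NOT the real Operation Ghoul IoCs.
"""
import hashlib
import re
from dataclasses import dataclass, field

# --- Constructed sample data -------------------------------------------------
# A stand-in for a malicious attachment; its hash becomes the "known bad" hash.
SAMPLE_ATTACHMENT = b"constructed stand-in for a keylogger-style attachment"
SAMPLE_ATTACHMENT_SHA256 = hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()

# Indicator feed in a simple type,value,note CSV (assumed layout). The address
# and domain use documentation/reserved ranges, so they are not real C2s.
IOC_FEED = f"""
# type,value,note
sha256,{SAMPLE_ATTACHMENT_SHA256},constructed sample attachment
ip,198.51.100.23,constructed C2 address (TEST-NET-2)
domain,c2.example.invalid,constructed C2 domain
"""

# Constructed proxy/DNS log lines in a key=value style (assumed format).
SAMPLE_LOGS = [
    "2016-06-14T09:12:03Z host=ws-17 proto=tcp dst=198.51.100.23 dport=443 action=allow",
    "2016-06-14T09:12:05Z host=ws-17 proto=dns qname=c2.example.invalid rcode=NOERROR",
    "2016-06-14T09:13:10Z host=ws-22 proto=tcp dst=203.0.113.8 dport=80 action=allow",
    "2016-06-14T09:14:00Z host=ws-09 proto=dns qname=updates.example.com rcode=NOERROR",
]


@dataclass
class IocSet:
    """Indicators grouped by type for O(1) membership tests."""
    hashes: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)


def parse_ioc_feed(text: str) -> IocSet:
    """Parse the CSV feed; comments and unknown types are ignored, values normalised."""
    iocs = IocSet()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) < 2:
            continue
        kind, value = parts[0].lower(), parts[1]
        if kind == "sha256":
            iocs.hashes.add(value.lower())
        elif kind == "ip":
            iocs.ips.add(value)
        elif kind == "domain":
            iocs.domains.add(value.lower().rstrip("."))
    return iocs


def check_files(files: dict, iocs: IocSet) -> list:
    """files: {name: bytes}. Returns the names whose SHA-256 is on the IoC list."""
    return sorted(
        name for name, data in files.items()
        if hashlib.sha256(data).hexdigest() in iocs.hashes
    )


_KV = re.compile(r"(\w+)=(\S+)")


def check_logs(lines: list, iocs: IocSet) -> list:
    """Return (host, indicator_type, value) for lines that touch a listed IP or domain."""
    hits = []
    for line in lines:
        fields = dict(_KV.findall(line))
        host = fields.get("host", "?")
        dst = fields.get("dst")
        if dst in iocs.ips:
            hits.append((host, "ip", dst))
        qname = fields.get("qname", "").lower().rstrip(".")
        if qname and qname in iocs.domains:
            hits.append((host, "domain", qname))
    return hits


def scan(files: dict, lines: list, feed: str = IOC_FEED) -> dict:
    """Run both checks against one feed and report hits by category."""
    iocs = parse_ioc_feed(feed)
    return {"file_hits": check_files(files, iocs), "log_hits": check_logs(lines, iocs)}


if __name__ == "__main__":
    sample_files = {
        "invoice.exe": SAMPLE_ATTACHMENT,             # constructed "bad" file
        "readme.txt": b"benign constructed content",  # constructed clean file
    }
    for category, hits in scan(sample_files, SAMPLE_LOGS).items():
        print(category, hits)
```

In practice the feed would be the published list and the log lines would come from the proxy, firewall or DNS resolver; a hit on a C2 address or domain is the signal to isolate the host and pull the file-hash check onto it, since hash indicators alone miss repacked variants.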

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
