Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/17/2016
05:08 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Operation Ghoul Targets Industrial, Engineering Companies In 30 Countries

Attack campaign appears to be more about financial gain than industrial theft or sabotage, however.

A new wave of targeted attacks against mostly small- and midsized businesses in the engineering and industrial sectors worldwide has hit some 130 organizations thus far.

Operation Ghoul, the name researchers at Kaspersky Lab have given the attacks, uses a combination of off-the shelf malware tools and spear-phishing emails to infiltrate systems and steal data from them, the security firm said in an alert this week detailing its discovery.

Kaspersky Lab so far it has identified a total of 130 organizations across 30 countries that have fallen victim to the campaign, many of them in the Middle East where Operation Ghoul appears to be most active.

While the targeting of organizations in the industrial and engineering sectors typically would suggest that cyber espionage or sabotage is the primary motive, Operation Ghoul appears to be more focused on financial gain. 

“Since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties,” said Mohamad Amin Hasbini, a senior security researcher for Kaspersky Lab on the company’s blog.

The Operation Ghoul campaign appears to have started in March 2015, using spear-phishing emails with malicious attachments from HawkEye, an underground provider of a wide range of ready-to-use malware tools.

The compressed executables used by Operation Ghoul include keystroke loggers and tools for stealing passwords, FTP server credentials, clipboard data, and user account data from browsers and certain messaging and email clients.

Information gathered from compromised systems is sent to a remote command and control server from where it is harvested and sold in the black market. The IP address belongs to a system running multiple malware campaigns, Hasbini said.

In addition to engineering and industrial companies, Operation Ghoul has also targeted manufacturing, pharmaceutical, and education organizations in countries like the United Arab Emirates, Egypt, Saudi Arabia, Pakistan, Germany, and Spain.

The most recent attacks have been more focused in nature, and directed at organizations in specific countries. About 70% percent of the attacks that Kaspersky Lab researchers observed in June, for instance, targeted organizations in the United Arab Emirates. A majority of the email lures there include a malicious attachment purported to be from a major UAE bank.

Though the malware used in the attacks are fairly simple, Operation Ghoul has been successful for the most part in its attacks, Hasbini noted.

Attacks on industrial and engineering companies often are focused on gaining access to critical industrial control systems or for stealing intellectual property and trade secrets for competitive gain. In many cases, the threat actors behind such campaigns have been nation-state actors and organized cyberattack groups.

But Operation Ghoul has taken a different tack. Unlike highly targeted attacks by state-sponsored actors, the group behind Operation Ghoul might attack any company, Kaspersky Lab said. “Companies that are not prepared to spot the attacks will sadly suffer,” Hasbini said.

Hasbini, meanwhile, has posted indicators of compromise on the Kaspersky Lab blog that organizations can use to check their systems for possible infection.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14994
PUBLISHED: 2019-09-19
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version...
CVE-2019-15000
PUBLISHED: 2019-09-19
The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6....
CVE-2019-15001
PUBLISHED: 2019-09-19
The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.1.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain rem...
CVE-2019-16398
PUBLISHED: 2019-09-19
On Keeper K5 20.1.0.25 and 20.1.0.63 devices, remote code execution can occur by inserting an SD card containing a file named zskj_script_run.sh that executes a reverse shell.
CVE-2019-11779
PUBLISHED: 2019-09-19
In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.