Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/17/2016
05:08 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

‘Operation Ghoul’ Targets Industrial, Engineering Companies In 30 Countries

Attack campaign appears to be more about financial gain than industrial theft or sabotage, however.

A new wave of targeted attacks against mostly small- and midsized businesses in the engineering and industrial sectors worldwide has hit some 130 organizations thus far.

Operation Ghoul, the name researchers at Kaspersky Lab have given the attacks, uses a combination of off-the shelf malware tools and spear-phishing emails to infiltrate systems and steal data from them, the security firm said in an alert this week detailing its discovery.

Kaspersky Lab so far it has identified a total of 130 organizations across 30 countries that have fallen victim to the campaign, many of them in the Middle East where Operation Ghoul appears to be most active.

While the targeting of organizations in the industrial and engineering sectors typically would suggest that cyber espionage or sabotage is the primary motive, Operation Ghoul appears to be more focused on financial gain. 

“Since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties,” said Mohamad Amin Hasbini, a senior security researcher for Kaspersky Lab on the company’s blog.

The Operation Ghoul campaign appears to have started in March 2015, using spear-phishing emails with malicious attachments from HawkEye, an underground provider of a wide range of ready-to-use malware tools.

The compressed executables used by Operation Ghoul include keystroke loggers and tools for stealing passwords, FTP server credentials, clipboard data, and user account data from browsers and certain messaging and email clients.

Information gathered from compromised systems is sent to a remote command and control server from where it is harvested and sold in the black market. The IP address belongs to a system running multiple malware campaigns, Hasbini said.

In addition to engineering and industrial companies, Operation Ghoul has also targeted manufacturing, pharmaceutical, and education organizations in countries like the United Arab Emirates, Egypt, Saudi Arabia, Pakistan, Germany, and Spain.

The most recent attacks have been more focused in nature, and directed at organizations in specific countries. About 70% percent of the attacks that Kaspersky Lab researchers observed in June, for instance, targeted organizations in the United Arab Emirates. A majority of the email lures there include a malicious attachment purported to be from a major UAE bank.

Though the malware used in the attacks are fairly simple, Operation Ghoul has been successful for the most part in its attacks, Hasbini noted.

Attacks on industrial and engineering companies often are focused on gaining access to critical industrial control systems or for stealing intellectual property and trade secrets for competitive gain. In many cases, the threat actors behind such campaigns have been nation-state actors and organized cyberattack groups.

But Operation Ghoul has taken a different tack. Unlike highly targeted attacks by state-sponsored actors, the group behind Operation Ghoul might attack any company, Kaspersky Lab said. “Companies that are not prepared to spot the attacks will sadly suffer,” Hasbini said.

Hasbini, meanwhile, has posted indicators of compromise on the Kaspersky Lab blog that organizations can use to check their systems for possible infection.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9405
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
CVE-2020-9406
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
CVE-2020-9407
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
CVE-2020-9398
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
CVE-2015-5201
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...