Operation Groundbait Hooks Victims in Ukraine

Security experts have discovered yet another cyber campaign in the Ukraine, but this time targeting both anti-government separatists in the East and Ukrainian politicians and government officials.

Operation Groundbait was given its name because some of the malware-laden emails sent out by the attackers contained a decoy document which, inexplicably, displayed a price list for fishing groundbait.

Other emails featured more standard attachments relating to the war in Donbass or the general geopolitical situation in Ukraine.

The malware in question, detected by Eset as Win32/Prikormka, has lain hidden from researchers since at least 2008.

It arrives in the form of a classic spearphishing email, complete with “appealing filename” and the aforementioned decoy documents to lure victims into opening them, the security firm claimed in a new blog post.

“From a technical perspective, the malware features a modular architecture, allowing the attackers to expand its functionality and steal various types of sensitive information and files from the cyber-surveillance targets,” wrote Eset researcher Robert Lipovsky.

But while Eset concluded that the campaign is most likely politically motivated, it was puzzled by the choice of targets.

“Any further attempt at attribution would at this point be speculative,” it concluded. “It is important to note that in addition to separatists [in Donetsk and Luhansk], the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too.”

The discovery marks the third major cyber-attack campaign in the region, following the infamous BlackEnergy attacks which crippled Ukrainian power stations just before Christmas, and the so-called Operation Potato Express.

The latter campaign featured a trojanized Russian version of encryption software TrueCrypt, which the attackers used on occasion to serve up information-stealing malware to their victims.

The Win32/Potao malware mainly targeted victims in Ukraine, Georgia, Russia and Belarus.