Global Data Stealing Campaign Snares Industrial SMEs


Security experts are warning of a financially motivated targeted attack campaign that has run for more than a year, hit more than 130 organizations worldwide and focused on the industrial, engineering and manufacturing sectors.

Operation Ghoul was first spotted in March last year and has so far reached more than 30 countries, with Spain, Pakistan, the UAE, India and Egypt the most heavily targeted.

Attackers use classic spear phishing emails with a malicious attachment to infect their victims.

These emails are sent to top and middle managers in order to procure “core intelligence” and “controlling accounts,” and are spoofed to look like they came from a UAE bank, according to Kaspersky Lab senior security researcher, Mohamad Amin Hasbini.

Some carry a malicious attachment posing as a ‘SWIFT doc’ payment advice; others carry malicious links.
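The lure described above (a sender spoofed to look like a UAE bank, a payment-themed ‘SWIFT doc’ attachment) is the kind of message a mail gateway or SOC triage script can flag on headers and attachment names alone, before anyone opens it. The following Python is an added example, not code from the article or from Kaspersky Lab; the sample messages, domains (all under the reserved .example TLD), and heuristics are constructed for illustration and are not taken from the campaign.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample spear-phishing message (NOT a real Operation Ghoul sample).
# The display name claims to be a bank, the envelope/reply domains do not match
# the From domain, and the attachment mimics a "SWIFT" payment advice document.
SAMPLE_EML = """\
From: "Payments Dept - Example Bank UAE" <advice@example-bank-uae.example>
Return-Path: <bounce@mailer-hosting.example>
Reply-To: payments.desk@example-mail-provider.example
To: finance.manager@example-target.example
Subject: Payment Advice - SWIFT Copy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Sir, please find attached the SWIFT copy for your payment.
--b1
Content-Type: application/octet-stream; name="SWIFT doc.pdf.exe"
Content-Disposition: attachment; filename="SWIFT doc.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed benign message for comparison: consistent domains, no attachment.
BENIGN_EML = """\
From: colleague@example-target.example
Return-Path: <colleague@example-target.example>
To: finance.manager@example-target.example
Subject: Lunch on Thursday?
MIME-Version: 1.0
Content-Type: text/plain

Are you free at noon?
"""

# Extensions that execute directly on a Windows desktop (assumed list for this example).
EXECUTABLE_EXT = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta", "com", "pif", "bat", "cmd"}
# "Double extension" trick such as invoice.pdf.exe
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png)\.(\w+)$", re.I)
# Subject words typical of payment-themed lures (assumed list for this example).
PAYMENT_WORDS = ("swift", "payment", "invoice", "remittance")


def domain_of(addr):
    """Return the lower-cased domain part of an address header value, or ''."""
    _, address = parseaddr(str(addr or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_eml):
    """Return a list of reasons why the message looks like a spear-phishing lure.

    Heuristics (assumptions for this example, not from the article):
    - Return-Path / Reply-To domain differs from the From domain (spoofing hint)
    - attachment with an executable or double extension
    - payment-themed subject combined with any attachment
    An empty list means none of the heuristics fired.
    """
    msg = email.message_from_string(raw_eml, policy=policy.default)
    reasons = []

    from_dom = domain_of(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            reasons.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")

    # iter_attachments() yields only non-body parts, so plain text bodies are skipped.
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    for name in attachments:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXT:
            reasons.append(f"executable attachment {name!r}")
        if DOUBLE_EXT.search(name):
            reasons.append(f"double-extension attachment {name!r}")

    subject = str(msg["Subject"] or "").lower()
    if attachments and any(word in subject for word in PAYMENT_WORDS):
        reasons.append("payment-themed subject with attachment")

    return reasons


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw) or ["no findings"])
```

The domain-mismatch check is deliberately weak on its own (legitimate bulk mailers also produce mismatches), which is why the script reports reasons rather than a verdict: a message that trips several heuristics at once, as the constructed sample does, is what deserves an analyst's attention, and real SPF/DKIM/DMARC results from the gateway should be layered on top.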

“Noteworthy is that since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties; most infiltrated victim organizations are considered SMBs (30 to 300 employees); the utilization of commercial off-the-shelf malware makes the attribution of the attacks more difficult,” he explained.

That malware is based on the commercial HawkEye keylogger family. It collects and sends to a command-and-control (C&C) server information including keystrokes, clipboard contents, FTP server credentials and account credentials stored by browsers, email clients and messaging clients.

The most recent wave of attacks began in June, with 70% of the targeted users located in the UAE.

Hasbini warned employees to be cautious when opening unsolicited emails and urged firms to train privileged users in how to deal with such cyber threats.

Kaspersky Lab principal security researcher, David Emm, claimed the discovery highlights the fact that all companies, regardless of size, must now presume that a determined attacker will gain access to corporate systems.

“Therefore, companies should ensure that confidential data is encrypted and the network segmented appropriately as this restricts lateral movement once an attacker has gained entry. The starting-point for such attacks is often social engineering, so it’s vital that a strong emphasis is placed on staff education,” he told Infosecurity.

“Small businesses need to know that they’re not immune to attacks. It’s easy for SMBs to read the headlines and assume that targeted attack campaigns are directed solely at ‘big names’. However, aside from the fact that all companies have intellectual property, they can be used as stepping-stones to get to another target. Companies in the supply-chain of a large organization can be the means for penetrating the former.”
