A new wave of targeted attacks against corporations in multiple countries around the world has been launched. The so-called "Operation Ghoul" attacks use the tactics of cyberspies but are more likely to be the work of profit-motivated cybercrooks, according to Kaspersky Lab.
Using spear-phishing emails and malware based on a commercial spyware kit, hackers are using the attacks to siphon off valuable business-related data from compromised corporate networks.
In total, over 130 organisations from 30 countries – including the UK, Spain, Pakistan, United Arab Emirates, India, Egypt, Germany, Saudi Arabia and other countries – have been successfully attacked since March 2015. Although industrial and engineering sector targets predominate, other victims include shipping, pharmaceutical, manufacturing and trading companies, and even educational organisations.
The nefarious activities of Operation Ghoul were uncovered by security researchers at Kaspersky Lab. Stolen data could be monetised through dark web forums, said the researchers.
“Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts,” said Mohammad Amin Hasbini, security expert at Kaspersky Lab.
“Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks, will sadly suffer,” he added.
Operation Ghoul is only one of several campaigns being run by the same group, according to Kaspersky Lab.
Kaspersky’s team discovered the spying campaign after investigating a wave of spear-phishing emails with malicious attachments in June 2016. “The emails sent by the attackers appeared to be coming from a bank in the UAE and appeared to look like payment advice from the bank with an attached SWIFT document,” Kaspersky Lab reports. “However, the attached archive contained malware.”
The malware used in the campaign is based on the HawkEye commercial spyware.
More on Operation Ghoul can be found in a post on Kaspersky Lab’s Securelist.com blog. ®