The Channel logo


By | John Leyden 17th August 2016 15:29

Profit-hungry Ghouls raid corporate networks worldwide

And some folks flinging malware are prowling about too

A new wave of targeted attacks against corporations in multiple countries around the world has been launched. The so-called "Operation Ghoul" attacks use the tactics of cyberspies but are more likely to be the work of profit-motivated cybercrooks, according to Kaspersky Lab.

Using spear-phishing emails and malware based on commercial spyware kit, hackers are using the attacks to siphon off valuable business-related data stored from compromised corporate networks.

In total, over 130 organisations from 30 countries –including the UK, Spain, Pakistan, United Arab Emirates, India, Egypt, Germany, Saudi Arabia and other countries – have been successfully attacked since March 2015. Although industrial and engineering sector targets predominate other victims include shipping, pharmaceutical, manufacturing, trading companies and even educational organisations.

The nefarious activities of Operation Ghoul were uncovered by security researchers at Kaspersky Lab. Stolen data could be monetised through dark web forums, said the researchers.

“Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts,” said Mohammad Amin Hasbini, security expert at Kaspersky Lab.

“Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks, will sadly suffer,” he added.

Operation Ghoul is only one among several other campaigns being run by the same group, according to Kaspersky Lab.

Kaspersky’s team discovered the spying campaign after investigating a wave of spear-phishing emails with malicious attachments in June 2016. “The emails sent by the attackers appeared to be coming from a bank in the UAE and appeared to look like payment advice from the bank with an attached SWIFT document,” Kaspersky Lab reports. “However, the attached archive contained malware.”

The malware used in the campaign is based on the HawkEye commercial spyware.

More on Operation Ghoul can be found in a blog on Kaspersky Lab’s blog here. ®

comment icon Read 3 comments on this article or post a comment alert Send corrections


Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella

Chris Mellor

Thousands of layoffs announced as spinning rust enters its death spiral


STRASBOURG, JUNE 29, 2016: The seat of the European Parliament. by Marco Aprile for shutterstock. EDITORIAL USE ONLY
Plan b, image via Shutterstock
EU workers, new markets: post-Brexit pressure on May & Co
Tough question, pic via Shutterstock
Honest mistake with your licensing? Audit police look at it on a 'case by case basis'