By John Leyden, 17th August 2016 15:29

Profit-hungry Ghouls raid corporate networks worldwide

And some folks flinging malware are prowling about too

A new wave of targeted attacks against corporations in multiple countries around the world has been launched. The so-called "Operation Ghoul" attacks use the tactics of cyberspies but are more likely to be the work of profit-motivated cybercrooks, according to Kaspersky Lab.

Using spear-phishing emails and malware based on a commercial spyware kit, hackers are using the attacks to siphon off valuable business-related data stored on compromised corporate networks.

In total, over 130 organisations from 30 countries – including the UK, Spain, Pakistan, United Arab Emirates, India, Egypt, Germany, Saudi Arabia and other countries – have been successfully attacked since March 2015. Although industrial and engineering sector targets predominate, other victims include shipping, pharmaceutical, manufacturing and trading companies, and even educational organisations.

The nefarious activities of Operation Ghoul were uncovered by security researchers at Kaspersky Lab. Stolen data could be monetised through dark web forums, said the researchers.

“Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts,” said Mohammad Amin Hasbini, security expert at Kaspersky Lab.

“Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks, will sadly suffer,” he added.

Operation Ghoul is only one among several other campaigns being run by the same group, according to Kaspersky Lab.

Kaspersky’s team discovered the spying campaign after investigating a wave of spear-phishing emails with malicious attachments in June 2016. “The emails sent by the attackers appeared to be coming from a bank in the UAE and appeared to look like payment advice from the bank with an attached SWIFT document,” Kaspersky Lab reports. “However, the attached archive contained malware.”

The malware used in the campaign is based on the HawkEye commercial spyware.

More on Operation Ghoul can be found in a post on Kaspersky Lab’s blog. ®
