Kaspersky Lab has identified a new spear phishing and malware campaign. Dubbed "Operation Ghoul" by researchers, the campaign has led to industrial and engineering organizations in 30 countries having their networks penetrated by hackers. The spear phishing has targeted "senior members and executives of the organizations, most likely because the attackers hope to get access to core intelligence, controlling accounts, and other interesting information."
The aim of Operation Ghoul is financial, as the information from the hacks has been traced to sales on the black market. The attacks themselves are very basic spear phishing attacks, but as I have noted in my social engineering articles, humans are quite gullible. The emails that are a part of these attacks have "appeared to be coming from a bank in the UAE: they looked like payment advice from the bank with an attached SWIFT document, but in reality the attached archive contained malware."
The malware in question is easily purchased on the Dark Web. Named HawkEye, this malware is able to log keystrokes, FTP server credentials, account data from various sources (email, messaging clients, and browsers), and programs or applications installed on the infected computer. After the data is collected, it is sent to the IP address 188.8.131.52, which Kaspersky Lab surmises is "a compromised device running multiple malware campaigns."
Operation Ghoul may be a part of a larger network of cyber crime campaigns, as Kaspersky Lab states that these attacks are linked to "a cybercriminal group which has been tracked by company researchers since March 2015." The reason why this group has been so successful is that many users with administrative privileges clearly cannot spot a malicious email. What these series of attacks teach is that most businesses are not equipping their staff, especially those with access to crucial data, to deal with social engineering attacks.
This is likely not the last time we will hear of Operation Ghoul or the threat actors behind it. Until businesses start taking security training seriously, equipping every employee with proper cyber security protocols, these types of attacks will continue to occur. You can have the best IDS in the world, but it means diddly squat if your CEO is opening emails that infect the entire network. Cyber criminals aren't necessarily smart, but their targets are often idiots.
Don't be an idiot.
Photo credits: Kaspersky Lab, ShutterStock