Operation Ghoul hunts engineering industries

Article by Staff Writer

RESEARCHERS have uncovered a new wave of targeted cyber attacks against small- and medium-sized industrial and engineering organisations in 30 countries that hunt for valuable business information on victims' networks.

A team from international software security group Kaspersky Lab says that during June it spotted cybercriminals using spear-phishing emails – messages that appear legitimate at first glance, or contain some personal details – carrying malware attachments. The messages were mostly sent to top- and middle-level managers of numerous companies.

The emails appeared to be coming from a bank in the United Arab Emirates (UAE) and looked like payment advice from the bank with an attached SWIFT electronic payment document, but in reality the attachment contained malware.

The malware is based on HawkEye, commercially available spyware sold openly on the so-called dark web, the part of the internet (often used for illegal trade) that is not indexed by search engines. The malware provides a variety of tools for the attackers. After installation it collects data from the victim's PC, including: file transfer protocol (FTP) server credentials; account data from browsers, instant messaging clients, Outlook and other email clients; PC application information; and keystroke data from keyboard monitoring.

Dubbed “Operation Ghoul”, this is one of several criminal campaigns supposedly controlled by the same group. The group is currently active, and has attacked more than 130 organisations in countries including Spain, Pakistan, UAE, India, Egypt, UK, Germany and Saudi Arabia.

In January, the Nuclear Threat Initiative (NTI) highlighted that 20 countries with nuclear capability, including Spain, India and Egypt, lacked government regulation to protect against cyber attacks on nuclear facilities.

Kaspersky analysed the attacker group’s activities and found the majority of the victims were organisations in the industrial and engineering sectors. Other victims include organisations and businesses in the shipping, pharmaceutical, manufacturing, trading and education sectors.

Kaspersky says the attackers behind Operation Ghoul are motivated by financial profit, as the data stolen from these organisations can be subsequently sold on the black market.

Mohammad Amin Hasbini, security expert at Kaspersky said: “[The group’s] main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts. Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks will sadly suffer.”

To protect themselves from Operation Ghoul and other threats, the team recommends that companies and organisations: educate staff so they can distinguish a spear-phishing email or phishing link from genuine emails and links; use proven corporate-grade security solutions and analytical software to detect attacks through network anomalies; and give security staff access to the latest threat intelligence data and tools for targeted attack prevention and discovery.

A warning about cyber security in the 3D-printing industry was also issued in July this year. US researchers said attackers can add defects to CAD design files in order to undermine product manufacturing.


Recent Editions

Catch up on the latest news, views and jobs from The Chemical Engineer. Below are the four latest issues. View a wider selection of the archive from within the Magazine section of this site.