Throwback Attack: Operation Ghoul haunts industrial and engineering companies

Courtesy: CFE Media

One of the reasons the threat landscape is so treacherous right now is because the barrier to entry to execute a cyberattack is getting lower. It used to take at least some expertise and a modicum of computer skill to hack into a major corporation or wage an attack against critical infrastructure. These days, there are commercial, off-the-shelf tools to help almost anyone create chaos on a massive scale. In 2016, waves of highly targeted cyberattacks struck industrial, engineering and manufacturing organizations in more than 30 countries — though primarily in the Middle East — thanks to a commercial spyware sold on the dark web. The team at Kaspersky Lab, who uncovered the attacks, dubbed them Operation Ghoul.

This “Ghoul” legitimately struck fear into the cybersecurity community because of its breadth and focus on industrial organizations. While it wasn’t a complex attack, that didn’t make it any less dangerous.

“Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company,” said Mohammad Amin Hasbini, a security expert at Kaspersky Lab, at the time. “Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks, will sadly suffer.”

Uncovering Operation Ghoul

Researchers at the Kaspersky Lab Global Research and Analysis Team first uncovered the Operation Ghoul attacks on June 8 and 27, 2016. They were most likely designed to steal sensitive corporate account data from industrial, engineering and manufacturing organizations in the Middle East, and they used a common tool to gain entry — spear-phishing.

“In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon, and today, the term is sometimes used to describe a greedy or materialistic individual,” Amin Hasbini said. “This is quite a precise description of the group behind Operation Ghoul. Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts.”

This wave of spear-phishing emails — sent mostly to top and middle-level managers of industrial companies — contained malicious attachments designed to pique their victims’ curiosity. The fraudulent missives appeared to come from a bank in the United Arab Emirates called Emirates NBD and looked like payment advice. They were accompanied by an attached Society for Worldwide Interbank Financial Telecommunication (SWIFT) document, which, in reality, contained malware that collected passwords, keystrokes and screenshots.
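The lure described above has two tell-tale traits a mail gateway or analyst can check mechanically: a display name that claims to be a bank while the sending domain does not belong to that bank, and a "SWIFT" or "payment advice" attachment whose bytes are actually an executable. The following triage script is an added example, not code from Kaspersky or the original article; the bank domain (`emiratesnbd.example`), the addresses and the attachment contents are constructed placeholders.

```python
"""Triage check for bank-impersonation lures of the Operation Ghoul kind.
Added example with constructed data; the domain below is a placeholder."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Claimed brand in the display name -> domain we treat as legitimate (assumed placeholder).
BANK_DOMAINS = {"emirates nbd": "emiratesnbd.example"}
DOC_WORDS = ("swift", "payment", "advice", "invoice")
EXEC_MAGIC = (b"MZ", b"PK\x03\x04")          # PE executable or zip wrapper
EXEC_EXTS = (".exe", ".scr", ".js", ".vbs")


def build_sample_eml(sender="advice@example-mailer.test",
                     filename="SWIFT_payment_advice.pdf.exe",
                     payload=b"MZ" + b"\x00" * 32):
    """Constructed sample message (not a real campaign artifact)."""
    msg = EmailMessage()
    msg["From"] = f"Emirates NBD Payments <{sender}>"
    msg["To"] = "manager@victim.test"
    msg["Subject"] = "Payment advice - SWIFT copy attached"
    msg.set_content("Please find the attached SWIFT payment advice.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def triage(raw):
    """Return a list of findings for a raw RFC 822 message; empty means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in BANK_DOMAINS.items():
        if brand in name.lower() and domain != legit and not domain.endswith("." + legit):
            findings.append(f"display name claims {brand!r} but sender domain is {domain!r}")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if any(w in fname for w in DOC_WORDS) and data.startswith(EXEC_MAGIC):
            findings.append(f"attachment {fname!r} looks like a document but has an executable header")
        if fname.endswith(EXEC_EXTS):
            findings.append(f"attachment {fname!r} has an executable extension")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_eml()):
        print("FINDING:", line)
```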

Off-the-shelf malware

The entire attack, though wide-ranging, was mostly unsophisticated; sadly, that doesn’t mean it wasn’t effective. The malware was based on HawkEye, a commercial spying tool sold openly on the dark web, and it used a single command-and-control server.

“The malware … also grabs FTP server credentials, account data from browsers, messaging clients and email clients, along with clipboard data,” read an article in Threat Post. “From there the attackers use a combination of HTTP GET posts and email messages from already compromised organizations to exfiltrate the data.”

Using artifacts from the malware files and attack sites, Kaspersky traced the initial attacks back to March 2015. Operation Ghoul ultimately hit more than 130 organizations in 30 countries. While 70% of the organizations hit were in the United Arab Emirates, the attack cut a wide swath of countries, including the United States, the United Kingdom, India, Germany, France, Sweden and Taiwan. The most targeted countries were Spain, Pakistan, the UAE, India and Egypt.

While the majority of the victims worked in the industrial and engineering sectors, the attacks also hit shipping, pharmaceutical, trading companies, educational organizations and others.

“Since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties, most infiltrated victim organizations are considered SMBs (Small to Medium size businesses, 30-300 employees), the utilization of commercial off-the-shelf malware makes the attribution of the attacks more difficult,” read Kaspersky’s report on Secure List.

Avoiding the Ghoul (and attacks like it)

Operation Ghoul is one of several campaigns supposedly launched by the same group, according to Kaspersky. It was also a lesson in who and what can get attacked by threat actors looking for profit or disruption. Many smaller companies assume they are off attackers’ radars because of their limited scope, but this attack targeted small- to medium-sized businesses. Many industrial companies assume their networks are safe because attackers generally go after information technology (IT); this attack saw industrial and manufacturing organizations squarely in the crosshairs.

Although there is no way to create a perfectly hack-proof business, there are steps companies can take to lessen the risk of attacks. In their report following Operation Ghoul, Kaspersky researchers recommended businesses implement the following measures to avoid similar threats:

  • Educate staff so they can distinguish a spear-phishing email or a phishing link from real emails and links.
  • Use a proven corporate-grade security solution, in combination with anti-targeted attack solutions, capable of catching attacks by analyzing network anomalies.
  • Provide security staff access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as indicators of compromise and YARA rules.

Kaspersky summed up their recommendations succinctly: “Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments. In addition, privileged users need to be well trained and ready to deal with cyber threats; failure in this is, in most cases, the cause behind private or corporate data leakage, reputation and financial loss.”
